Malware Analysis Report

2025-08-05 19:00

Sample ID 231019-cszn1adb8x
Target file.exe
SHA256 0f440b132f6faf655b012cac333d83638643551669bb45227f474e19296cbd8a
Tags
glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor dropper evasion infostealer loader persistence rat trojan amadey microsoft discovery phishing rootkit spyware stealer upx
score
10/10


Analysis Overview

score
10/10

SHA256

0f440b132f6faf655b012cac333d83638643551669bb45227f474e19296cbd8a

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary


Glupteba payload

SectopRAT

SectopRAT payload

RedLine payload

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Amadey

RedLine

Glupteba

Modifies Windows Firewall

Downloads MZ/PE file

.NET Reactor protector

Windows security modification

Executes dropped EXE

Reads user/profile data of local email clients

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Uses the VBS compiler for execution

Manipulates WinMonFS driver

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

Enumerates system info in registry

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-19 02:21

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 02:21

Reported

2023-10-19 02:23

Platform

win7-20230831-en

Max time kernel

42s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A

RedLine

infostealer redline

RedLine payload


SectopRAT

trojan rat sectoprat

SectopRAT payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

.NET Reactor protector


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B51.exe N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\30F0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4234.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40DE8EA1-6E26-11EE-B299-CE1068F0F1D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3863.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe
PID 2172 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe
PID 2148 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe
PID 2660 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe
PID 3052 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe
PID 3052 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe
PID 2660 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe
PID 2148 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe
PID 1232 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\30F0.exe
PID 1232 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\Temp\31AC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe

C:\Users\Admin\AppData\Local\Temp\30F0.exe

C:\Users\Admin\AppData\Local\Temp\30F0.exe

C:\Users\Admin\AppData\Local\Temp\31AC.exe

C:\Users\Admin\AppData\Local\Temp\31AC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\33EE.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe

C:\Users\Admin\AppData\Local\Temp\3546.exe

C:\Users\Admin\AppData\Local\Temp\3546.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe

C:\Users\Admin\AppData\Local\Temp\3863.exe

C:\Users\Admin\AppData\Local\Temp\3863.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe

C:\Users\Admin\AppData\Local\Temp\3B51.exe

C:\Users\Admin\AppData\Local\Temp\3B51.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\4234.exe

C:\Users\Admin\AppData\Local\Temp\4234.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 524

C:\Users\Admin\AppData\Local\Temp\48F9.exe

C:\Users\Admin\AppData\Local\Temp\48F9.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\5098.exe

C:\Users\Admin\AppData\Local\Temp\5098.exe

C:\Users\Admin\AppData\Local\Temp\64E4.exe

C:\Users\Admin\AppData\Local\Temp\64E4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {112F59A3-51B5-4DB3-A9C2-193F9D33D286} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\87A1.exe

C:\Users\Admin\AppData\Local\Temp\87A1.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\950A.exe

C:\Users\Admin\AppData\Local\Temp\950A.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\B557.exe

C:\Users\Admin\AppData\Local\Temp\B557.exe

C:\Users\Admin\AppData\Local\Temp\C456.exe

C:\Users\Admin\AppData\Local\Temp\C456.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231019022310.log C:\Windows\Logs\CBS\CbsPersist_20231019022310.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

Network

Files


memory/2664-300-0x0000000007440000-0x0000000007480000-memory.dmp

memory/2844-319-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2844-320-0x00000000073C0000-0x0000000007400000-memory.dmp

memory/1624-324-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/1624-325-0x0000000000FC0000-0x0000000001418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/2028-338-0x00000000048D0000-0x0000000004CC8000-memory.dmp

memory/1624-343-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2008-347-0x00000000008F0000-0x00000000008F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2664-356-0x00000000747B0000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\950A.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/2028-364-0x00000000048D0000-0x0000000004CC8000-memory.dmp

memory/2664-365-0x0000000007440000-0x0000000007480000-memory.dmp

memory/2028-367-0x0000000004CD0000-0x00000000055BB000-memory.dmp

memory/844-366-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2028-371-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/844-372-0x0000000004600000-0x0000000004640000-memory.dmp

memory/844-373-0x0000000000400000-0x0000000000430000-memory.dmp

memory/844-374-0x00000000747B0000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B557.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/2028-393-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C456.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/2008-451-0x00000000008F0000-0x00000000008F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BEC6224B02D155A396218A2504F3EE0B

MD5 d252560c666d3a5cd8486952cc6ba362
SHA1 bd8c06efc82c27606ff1d0f7c6fca3fae64ad053
SHA256 d193d25354c38f085a425983f8c0177515e6e0ef6469af20f916b2318170b783
SHA512 fe6dd8cd55da2de59dfcf1fa3ecadfa51a3dd5f95f947b4f14b3e201699ac9e09676790d4e0d8b40824f35cfe31d9dbf4c316092f6de5f6759c882f34d55fbee

memory/2028-508-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IOZ64VQ\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2028-677-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab43eae306cc4b87a61c400df478edd5
SHA1 ff21bbb13025e63a07cdba8c6c31f8b3cf1f18ca
SHA256 18095f58e7b46f0f196f4c636de5a3f07561e53804d15d87c4b851cf837c19b4
SHA512 e1396a22939d819c190fedc26fcbb221ff821d6c0e359434817b78b0c5a512c43deb87dc3fa42ec701b6bcc92829cb224e99bfe32ecf0b9dc982cb9e43748914

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b28f41b63c9b25db83fd6f4ccf16b899
SHA1 7ddca5d64e48963e57da32afc354fa60ba352424
SHA256 9dd188b05ffe43a3084c95250146da52968a92e5576c67fea4004f5585180ebf
SHA512 4052f54bd8da12523451e0fc7319697d1b57a9e28abbd9d3beda1d05a271b37c71c77b79dad39ceba8ecf7c5faeee0ce67b0b569b1bffc599554b515600d8757

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bb8c79ed5465b14ae82cf3cc31627a4
SHA1 dbf231c57de2b5abfb4ee2599063a5beac1ff084
SHA256 3a06063e6f09478b4f529151f482b99442be10cc0c6c9331333df7c8efa89408
SHA512 29f18e34877f3bd3b78565ea967de8aa13f34ba72a96f09b10aaf02d0bc622d3440b37ab95ec5053d1a1b89798967da718734230262a2107bd36a9f98f7b5621

memory/2664-804-0x00000000747B0000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb0fd276515f9c80a483d3561aff99ee
SHA1 bfcde17d947904f359c140c26df8975ed173d4fa
SHA256 eb8ed0c3dce58610f44d40686b170d2a397fd36552ecb1386649fc90d0c4437f
SHA512 bc91619a540fd68cc5a37fb2bcc12ae6ecf0d264f2b7ef165b7c5bbbd16669a554c9bca1c167b786375435af04ebac101d98ab193edb97ffc80e5783d4129a8a

memory/844-854-0x00000000747B0000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d4e7231b717714262ecebf87c5108ff
SHA1 9253f4d38d8d8358faad8b6e96756d509af29d1c
SHA256 68b674ab5c2f56a285ad1d21761d39fe2cb09c6f0722487859cfd8f51a66b97c
SHA512 8e4cb4f6c40ec2f40fa623ac41198c6b2035e2c7abdd29628edb9f1819f4bcfeab5a46c0cff957d05df8005db2f3b2abf1dfe69c90e4fcd6aea14dc70f6d21c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0d191a26fe0de997675eef2510297a6
SHA1 91e3c5dcd97e308c3e91cc3ba03f5ae54287b399
SHA256 0da553413a31dfdacac90528b369de999f2f93d4e94d274b6aed320a5f0617fe
SHA512 49358eef91e93e728d457cf29b4113373f6b63c6b0838fe34e494916cf2a8a20239473fbb9c0efbd389d9117dddcdb3b3a4f63c00e1bd70027d7fb23cd7250c4

memory/2844-966-0x00000000747B0000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8de2667f651aeb41bbbfab7f7a33a599
SHA1 6d3f293dffe6ceffb9b9fccd8b41de1678d879e5
SHA256 db3a84a7304b5f79b2b10b8fe5bb445ec7df8538624385351a9f00f0318fa9b1
SHA512 cdf3923451286ee5064bfa6044a8f069a1d8acafc0e442f59428aa0dd7c71e4cd668724df65671a2253488db61a04c23281b547f2d217b42cca649f85708ad19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e17b35b24c909ec026cf031b8b4d574
SHA1 8469fa45f410e8a14cfda5319fc684e5936972de
SHA256 b289f98e6bada80ba6613169437ee044ec5762bd79cc99808089dbc991d56121
SHA512 30c14c290872b516fb9408d422d069a3ceed954e3503cfb20b41a98a442ca7a8bee491f82d7aaa730fc140bea3c8f71983df535f5818ab2d7c93f64ab4d9d8ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 c7271ae2d5df8c11d6d67582fd9fdccb
SHA1 9c3bb63ee5ece08bc38f67a9540d5aacef5ecaaa
SHA256 3b8992e64a31a2ba9409229a8eae302fe51b99f23eb7f253cc1fb66377372efb
SHA512 2714e48a618864d3f76974f9caa1c58b11d82e00b56ca1322bcad0068072573d7bf808525380326e881b00805d11193c897de1db20cae4d4c03cf814a542a629

memory/2028-1068-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1616-1082-0x0000000004A00000-0x0000000004DF8000-memory.dmp

memory/2028-1083-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b54c0afbaf468763d3db52f1ac420be6
SHA1 7fd1c05f7445d842b7733fbe812459f779af9c2f
SHA256 101cd0fdab6495fe73a24ce1f73184e822a3f9427bee531d9f316d164b4b7a54
SHA512 6430ebe7ed52a980354863c867193759d7773a6cc2806f8865217bf93768c5413d1462ac7842beaeb51660544695beb5b60d6fbc24e00c075582fb8932095212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d0cc0179599914be2b4c117cb5080c5
SHA1 16aca5f796e9dea8b26c79b0cbdbec10d51d8258
SHA256 4ba970ad6d600b33c16561b17d5c6f4f1cfb1ad7e199917a87294a3fc4ec23a6
SHA512 ef12a095063be4b4ef1ab4661d656ac45ede1761f10f7087a71f90d716314d1808a3002824bc01d09b31e734730735a7cefedc3eb6b547fdb978c8c766473904

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38d66f3b9528ba3e756458f18b9a57df
SHA1 69de0003607e7f6af9dc5d00da651fad654e0512
SHA256 9e3a5d61666eeb770b7ef942f41db89ea799f483d4c6922be832a2c5b70bd904
SHA512 168058e4bd1324cf3ae6810e49023f1fed5e9cbaf02f7e95409abde1606944d33943387d554fa2a24deb4170989bea6b905b847a66c1ee627865376911a9358b

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-19 02:21

Reported

2023-10-19 02:23

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
8 matches (no description, indicator, process or target recorded)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
17 matches (no description, indicator, process or target recorded)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
4 matches (no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
19 matches (no description, indicator, process or target recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F23.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2417.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\151F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1688.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17B2.exe N/A
N/A N/A C:\Windows\SysWOW64\cacls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2717.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28AE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\151F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\151F.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\A5B.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\2717.exe'\"" C:\Users\Admin\AppData\Local\Temp\2717.exe N/A
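
The Defender policy rows under "Modifies Windows Defender Real-time Protection settings", the TamperProtection rows under "Windows security modification" and the Run/RunOnce rows above all share the same flattened layout (Description, Indicator, Process, Target separated by single spaces, with the written value in C-style escaped quotes). The Python below is an added example, not part of this report or of the sandbox that produced it. It parses that layout and separates the three things worth pulling out of these tables first: Defender real-time-protection values being set to 1 and TamperProtection being set to 0, real autostart entries (the csrss and socks5 Run values), and the wextract_cleanup RunOnce values, which are the self-delete hook that the IExpress/wextract self-extractor writes for each IXP00n.TMP stage directory and are a dropper tell rather than persistence. The sample rows are copied from this page; the assumption that the Process column contains no spaces and that the Target column is the final token is mine, not the page's.

```python
"""Triage flattened sandbox signature rows for Defender tampering and persistence.

Added example, not code from the report or the sandbox. SAMPLE_ROWS is copied
from the behavioral2 signature tables on this page. Assumption (not from the
page): the Process column has no spaces and Target is the final token, so the
last two tokens of a row can be split off.
"""
import re
from dataclasses import dataclass

# Constructed input: rows copied verbatim from the signature tables above.
SAMPLE_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\2717.exe'\"" C:\Users\Admin\AppData\Local\Temp\2717.exe N/A
'''

# Row shapes used by the report: a value write with a quoted, escaped value, or a key operation.
SET_ROW = re.compile(
    r'^Set value \((?P<typ>int|str)\) (?P<key>.+?) = "(?P<val>(?:[^"\\]|\\.)*)" (?P<proc>\S+) (?P<target>\S+)$')
KEY_ROW = re.compile(r'^Key (?P<op>created|opened|value queried) (?P<key>.+) (?P<proc>\S+) (?P<target>\S+)$')
RUN_KEY = re.compile(r'\\CurrentVersion\\(?P<hive>Run|RunOnce)\\(?P<name>[^\\]+)$')
# wextract/IExpress self-cleanup: rundll32 advpack.dll,DelNodeRunDLL32 "<stage dir>"
SFX_CLEANUP = re.compile(r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]*)"$', re.IGNORECASE)
QUOTED_PATH = re.compile(r'[\'"](?P<path>[A-Za-z]:\\[^\'"]+)[\'"]')


@dataclass(frozen=True)
class Finding:
    category: str  # 'defender_tamper', 'persistence' or 'sfx_cleanup'
    process: str   # the writing process, as the report records it
    detail: str


def unescape(value):
    """Undo the backslash escaping the report uses inside quoted values."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_row(line):
    """Return (kind, key, value, process) or None for rows this parser does not handle."""
    m = SET_ROW.match(line)
    if m:
        return 'set', m['key'], unescape(m['val']), m['proc']
    m = KEY_ROW.match(line)
    if m:
        return 'key', m['key'], None, m['proc']
    return None


def classify(kind, key, value, proc):
    """Map one parsed row to a Finding, or None if it is not one of the three classes."""
    name = key.rsplit('\\', 1)[-1]
    if kind == 'set' and '\\Windows Defender\\Real-Time Protection\\' in key \
            and name.startswith('Disable') and value == '1':
        return Finding('defender_tamper', proc, f'{name}=1')
    if kind == 'set' and key.endswith('\\Windows Defender\\Features\\TamperProtection') and value == '0':
        return Finding('defender_tamper', proc, 'TamperProtection=0')
    run = RUN_KEY.search(key)
    if kind == 'set' and run:
        cleanup = SFX_CLEANUP.match(value)
        if run['hive'] == 'RunOnce' and run['name'].startswith('wextract_cleanup') and cleanup:
            return Finding('sfx_cleanup', proc, f'deletes {cleanup["dir"]}')
        # Real autostart: report the first quoted drive path (handles the
        # powershell -Command "& '...'" wrapper), else the first token.
        quoted = QUOTED_PATH.search(value)
        target = quoted['path'] if quoted else value.split()[0]
        return Finding('persistence', proc, f'{run["hive"]}\\{run["name"]} -> {target}')
    return None


def triage(text):
    """Parse every row in the text and return the Findings in row order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_row(line.strip())
        if parsed:
            finding = classify(*parsed)
            if finding:
                findings.append(finding)
    return findings


def by_category(findings):
    """Group Findings by category, preserving row order within each group."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding.category, []).append(finding)
    return grouped


if __name__ == '__main__':
    for finding in triage(SAMPLE_ROWS):
        print(f'{finding.category:16} {finding.process:55} {finding.detail}')
```

Run against the full table, the sfx_cleanup group lists every IXP00n.TMP stage the self-extractor chain unpacked (one RunOnce value per stage, written by the previous stage's executable), while the persistence group is short: csrss.exe re-registering itself from C:\Windows\rss and 2717.exe launched through a hidden PowerShell window under the value name socks5. Keys are left in the \REGISTRY\MACHINE\SOFTWARE\WOW6432Node form the sandbox recorded rather than rewritten to an HKLM path, since the report does not say which view the 32-bit writers' values ended up in.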

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 648 set thread context of 4100 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\System32\Conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\151F.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DF9.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1688.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\17B2.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe
PID 1436 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe
PID 1436 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe
PID 1760 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe
PID 1760 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe
PID 1760 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe
PID 2444 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe
PID 2444 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe
PID 2444 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe
PID 2948 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe
PID 2948 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe
PID 2948 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe
PID 408 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe
PID 408 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe
PID 408 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe
PID 408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe
PID 408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe
PID 408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe
PID 2948 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe
PID 2948 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe
PID 2948 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe
PID 2444 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe
PID 2444 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe
PID 2444 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe
PID 3160 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe
PID 3160 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe
PID 3160 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe
PID 3160 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\B08.exe
PID 3160 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\B08.exe
PID 3160 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\B08.exe
PID 3404 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe
PID 3404 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe
PID 3404 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\A5B.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe
PID 4660 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe
PID 4660 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe
PID 4660 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe
PID 3160 wrote to memory of 4732 N/A N/A C:\Windows\system32\cmd.exe
PID 3160 wrote to memory of 4732 N/A N/A C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe
PID 4364 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe
PID 4364 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe
PID 3160 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D.exe
PID 3160 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D.exe
PID 3160 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D.exe
PID 436 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe
PID 436 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe
PID 436 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe
PID 4492 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe
PID 4492 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe
PID 4492 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe
PID 3160 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF9.exe
PID 3160 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF9.exe
PID 3160 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF9.exe
PID 3160 wrote to memory of 4496 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23.exe
PID 3160 wrote to memory of 4496 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23.exe
PID 3160 wrote to memory of 4496 N/A N/A C:\Users\Admin\AppData\Local\Temp\F23.exe
PID 3160 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\151F.exe
PID 3160 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\151F.exe
PID 3160 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\151F.exe
PID 4492 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe
PID 4492 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe
PID 4492 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe
PID 4496 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\F23.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4496 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\F23.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe

C:\Users\Admin\AppData\Local\Temp\A5B.exe

C:\Users\Admin\AppData\Local\Temp\A5B.exe

C:\Users\Admin\AppData\Local\Temp\B08.exe

C:\Users\Admin\AppData\Local\Temp\B08.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C42.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe

C:\Users\Admin\AppData\Local\Temp\D2D.exe

C:\Users\Admin\AppData\Local\Temp\D2D.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe

C:\Users\Admin\AppData\Local\Temp\DF9.exe

C:\Users\Admin\AppData\Local\Temp\DF9.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe

C:\Users\Admin\AppData\Local\Temp\F23.exe

C:\Users\Admin\AppData\Local\Temp\F23.exe

C:\Users\Admin\AppData\Local\Temp\151F.exe

C:\Users\Admin\AppData\Local\Temp\151F.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\17B2.exe

C:\Users\Admin\AppData\Local\Temp\17B2.exe

C:\Users\Admin\AppData\Local\Temp\1688.exe

C:\Users\Admin\AppData\Local\Temp\1688.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe809c46f8,0x7ffe809c4708,0x7ffe809c4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3140 -ip 3140

C:\Users\Admin\AppData\Local\Temp\1B6C.exe

C:\Users\Admin\AppData\Local\Temp\1B6C.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\2417.exe

C:\Users\Admin\AppData\Local\Temp\2417.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 792

C:\Users\Admin\AppData\Local\Temp\260C.exe

C:\Users\Admin\AppData\Local\Temp\260C.exe

C:\Users\Admin\AppData\Local\Temp\2717.exe

C:\Users\Admin\AppData\Local\Temp\2717.exe

C:\Users\Admin\AppData\Local\Temp\28AE.exe

C:\Users\Admin\AppData\Local\Temp\28AE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe809c46f8,0x7ffe809c4708,0x7ffe809c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14849067423595277426,17203114923460997964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=260C.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8f3246f8,0x7ffe8f324708,0x7ffe8f324718

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=260C.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe8f3246f8,0x7ffe8f324708,0x7ffe8f324718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,5738333503641440218,4193983910359037504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
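The command lines above carry several reusable pieces of tradecraft rather than one-off file names: a scheduled task that re-launches a binary in the user's Temp directory every minute (explothe.exe, oneetx.exe), CACLS calls that strip the Admin account's own access to that binary and its directory, an inbound firewall allow rule plus a highest-privilege logon task for C:\Windows\rss\csrss.exe, rundll32 loading clip64.dll from AppData\Roaming, and an sc sdset that rewrites a service DACL. The Python below is an added triage example, not part of the sandbox output; it turns those patterns into rules keyed on where the target lives (user-writable vs. System32/Program Files) and runs them over command lines copied from this list. The rule names and the directory allow-list are this example's own choices, and the two browser/COM lines are included to show the rules stay quiet on ordinary activity.

```python
import re

# Command lines copied from the process list in this report (constructed
# sample input for the example; the full list is above).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',
]

# Locations an unprivileged user can write to, and the directories a legitimate
# scheduled task or firewall-allowed program is normally expected to live in
# (this example's own allow-list; tune it for your estate).
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\', re.I)
TRUSTED_DIRS = re.compile(r'^[A-Z]:\\(Windows\\(System32|SysWOW64)\\|Program Files( \(x86\))?\\)', re.I)


def image_name(cmd):
    """Executable name of a command line, with path and surrounding quotes removed."""
    cmd = cmd.strip()
    first = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(' ', 1)[0]
    return first.rsplit('\\', 1)[-1].lower()


def is_tool(cmd, name):
    return image_name(cmd) in (name, name + '.exe')


def arg_after(cmd, flag):
    """Value following a flag such as /TR, quotes stripped; None if the flag is absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_suspicious(cmd):
    """Names of the rules that fire on one command line (empty list if none)."""
    hits = []
    if is_tool(cmd, 'schtasks') and re.search(r'/create\b', cmd, re.I):
        target = arg_after(cmd, '/TR') or ''
        # Re-launch every minute from a user-writable directory (Amadey-style).
        if re.search(r'/SC\s+MINUTE\b', cmd, re.I) and USER_WRITABLE.search(target):
            hits.append('minute_task_from_user_dir')
        # Highest-privilege logon task for a binary outside System32/Program Files.
        if re.search(r'/RL\s+HIGHEST\b', cmd, re.I) and not TRUSTED_DIRS.match(target):
            hits.append('highest_priv_task_untrusted_path')
    # CACLS <file> /P "<user>:N" removes that user's own access to a dropped file.
    if re.search(r'\bCACLS\s+"[^"]+"\s+/P\s+"[^":]+:N"', cmd, re.I):
        hits.append('acl_lock_on_dropped_file')
    if is_tool(cmd, 'netsh'):
        prog = re.search(r'program="([^"]+)"', cmd, re.I)
        if re.search(r'\baction=allow\b', cmd, re.I) and prog and not TRUSTED_DIRS.match(prog.group(1)):
            hits.append('firewall_allow_untrusted_program')
    # rundll32 with a DLL argument living under the user profile.
    if is_tool(cmd, 'rundll32') and USER_WRITABLE.search(cmd):
        hits.append('rundll32_dll_from_user_dir')
    # Any rewrite of a service security descriptor is worth a look.
    if is_tool(cmd, 'sc') and re.search(r'\bsdset\b', cmd, re.I):
        hits.append('service_dacl_modified')
    return hits


def triage(cmdlines):
    """Map each command line that fires at least one rule to its rule names."""
    results = {}
    for cmd in cmdlines:
        hits = find_suspicious(cmd)
        if hits:
            results[cmd] = hits
    return results


if __name__ == '__main__':
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(', '.join(hits), '<-', cmd[:90])
```

In a real pipeline the same function would be fed Sysmon event ID 1 or EDR process-creation command lines. On the CACLS pair: the first call (without /E) replaces the file's ACL with a single "Admin: no access" entry and the second (/E) edits it back to read-only, so a casual delete by the logged-on admin fails; an administrator can still take ownership or reset the ACL, which is the practical cleanup step.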
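The sc sdset line above deserves a closer look, because the SDDL string is hard to read by eye. Decoded with the service-object meaning of each right, it says: Local System keeps start, stop and pause; Builtin Administrators are allowed everything except SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) and then get an explicit deny for exactly those two; interactive and service accounts can only query. The rest of the string is the stock descriptor Windows assigns to a new service, so the only operator changes are the two rights removed from the Administrators allow ACE and the added deny. The target name, WinDefender, matches the dropped C:\Windows\windefender.exe launched immediately around it, not the real Windows Defender service (WinDefend). The decoder below is an added example, not part of the report; the abbreviation tables follow Microsoft's documented service-rights mapping, and the effective-rights walk is a deliberate simplification (no group expansion, no inheritance, no owner-implied rights).

```python
import re
from dataclasses import dataclass

# The exact descriptor applied in the report (sc sdset WinDefender ...), used
# here as sample input.
REPORT_SDDL = ('D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)'
               '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
               'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)')

# Meaning of the two-letter SDDL rights when the object is a service
# (CC..CR are service-specific rights, SD/RC/WD/WO are standard rights).
SERVICE_RIGHTS = {
    'CC': 'SERVICE_QUERY_CONFIG', 'DC': 'SERVICE_CHANGE_CONFIG',
    'LC': 'SERVICE_QUERY_STATUS', 'SW': 'SERVICE_ENUMERATE_DEPENDENTS',
    'RP': 'SERVICE_START', 'WP': 'SERVICE_STOP', 'DT': 'SERVICE_PAUSE_CONTINUE',
    'LO': 'SERVICE_INTERROGATE', 'CR': 'SERVICE_USER_DEFINED_CONTROL',
    'SD': 'DELETE', 'RC': 'READ_CONTROL', 'WD': 'WRITE_DAC', 'WO': 'WRITE_OWNER',
}
TRUSTEES = {'SY': 'Local System', 'BA': 'Builtin Administrators',
            'IU': 'Interactive users', 'SU': 'Service logon accounts', 'WD': 'Everyone'}
ACE_TYPES = {'A': 'allow', 'D': 'deny', 'AU': 'audit'}


@dataclass
class Ace:
    kind: str        # A / D / AU
    flags: str       # e.g. FA = audit failed access (only meaningful in the SACL)
    rights: tuple    # two-letter right codes, in the order written
    trustee: str     # well-known SID alias (SY, BA, ...) or a literal S-1-... SID


def parse_sddl(sddl):
    """Return {'D': [Ace, ...], 'S': [Ace, ...]} for the DACL/SACL parts present.
    ACL-level flags such as D:P (protected) are parsed but ignored."""
    out = {}
    for key, _flags, body in re.findall(r'([DS]):([A-Z]*)((?:\([^)]*\))*)', sddl):
        aces = []
        for ace in re.findall(r'\(([^)]*)\)', body):
            f = ace.split(';')  # type;flags;rights;object_guid;inherit_guid;sid
            rights = tuple(f[2][i:i + 2] for i in range(0, len(f[2]), 2))
            aces.append(Ace(kind=f[0], flags=f[1], rights=rights, trustee=f[5]))
        out[key] = aces
    return out


def effective_rights(dacl, trustee):
    """Per right, the first ACE naming the trustee that mentions it wins,
    which approximates how AccessCheck walks a DACL in order.
    Simplified on purpose: no group expansion, no inherited or object ACEs."""
    decided = {}
    for ace in dacl:
        if ace.trustee != trustee or ace.kind not in ('A', 'D'):
            continue
        for r in ace.rights:
            decided.setdefault(r, ace.kind)
    allowed = sorted(r for r, k in decided.items() if k == 'A')
    denied = sorted(r for r, k in decided.items() if k == 'D')
    return allowed, denied


def can_stop_service(sddl, trustee):
    """True if `trustee` ends up with SERVICE_STOP (WP) on the service."""
    allowed, _ = effective_rights(parse_sddl(sddl).get('D', []), trustee)
    return 'WP' in allowed


def explain(sddl):
    """One readable line per ACE, then the stop/pause verdict per DACL trustee."""
    parsed = parse_sddl(sddl)
    lines = []
    for key in ('D', 'S'):
        for ace in parsed.get(key, []):
            names = ', '.join(SERVICE_RIGHTS.get(r, r) for r in ace.rights)
            acl = 'DACL' if key == 'D' else 'SACL'
            lines.append(f"{acl} {ACE_TYPES.get(ace.kind, ace.kind):5} "
                         f"{TRUSTEES.get(ace.trustee, ace.trustee)}: {names}")
    for t in sorted({a.trustee for a in parsed.get('D', [])}):
        allowed, denied = effective_rights(parsed['D'], t)
        lines.append(f"{TRUSTEES.get(t, t)}: stop={'WP' in allowed} "
                     f"pause={'DT' in allowed} denied={denied}")
    return lines


if __name__ == '__main__':
    print('\n'.join(explain(REPORT_SDDL)))
```

The practical consequence: from an elevated admin token, sc stop, services.msc and Task Manager all get access denied on this service, which is what the operator wants. But Administrators keep WRITE_DAC (WD) and SERVICE_CHANGE_CONFIG (DC), so the remediation is simply another sc sdset (or sc config/delete) from an admin or SYSTEM shell; the deny is an obstacle, not a lock.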

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
IT 185.196.9.65:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.5.240.157.in-addr.arpa udp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 facebook.com udp
US 157.240.5.35:443 facebook.com tcp
US 8.8.8.8:53 35.5.240.157.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.96.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 learn.microsoft.com udp
US 188.114.96.0:80 hellouts.fun tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 34.255.45.168:443 mscom.demdex.net tcp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 168.45.255.34.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 52.168.117.170:443 browser.events.data.microsoft.com tcp
US 52.168.117.170:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 08ed2467-80c6-45f5-af11-d7fda8ad560c.uuid.statsexplorer.org udp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server11.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.204.127:19302 stun3.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server11.statsexplorer.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 127.204.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
BG 185.82.216.108:443 server11.statsexplorer.org tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
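The Network table mixes three kinds of rows: reverse-DNS (in-addr.arpa) lookups made by the sandbox resolver, browser traffic to Facebook, Google and Microsoft from the Edge windows the sample opened, and the sample's own sessions, which are mostly HTTP to bare IPs or high ports with no domain at all (77.91.124.55:19071 recurs throughout the table). The parser below is an added example, not report output; it reads rows in the table's own format, separates resolver and mDNS noise, and aggregates endpoints so the repeated direct-IP destinations surface first as the C2 candidates to block. The category names and the "common port" list are this example's own choices, and the sample rows are a subset copied from the table with the repeats kept so counts are visible.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Subset of the Network table above (constructed sample input); rows with three
# columns had no domain in the original.
SAMPLE_TABLE = """\
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.124.55:19071 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
"""

COMMON_PORTS = {80, 443}  # anything else on a direct-IP session is worth a second look


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; skips lines that fit neither shape."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(':', 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(f):
    """dns_ptr / dns / mdns are resolver noise; direct_ip is a session with no name behind it."""
    if f.proto == 'udp' and f.port == 53:
        return 'dns_ptr' if f.domain and f.domain.endswith('.in-addr.arpa') else 'dns'
    if f.proto == 'udp' and f.port == 5353:
        return 'mdns'
    if f.domain is None or f.domain == f.ip:
        return 'direct_ip'
    return 'named'


def summarize(flows):
    direct = Counter()                 # (ip, port) -> session count
    named = defaultdict(Counter)       # domain -> Counter of (ip, port)
    kinds = Counter()
    for f in flows:
        kind = classify(f)
        kinds[kind] += 1
        if kind == 'direct_ip':
            direct[(f.ip, f.port)] += 1
        elif kind == 'named':
            named[f.domain][(f.ip, f.port)] += 1
    odd_ports = {key for key in direct if key[1] not in COMMON_PORTS}
    return {'direct_ip': direct, 'named': dict(named), 'kinds': kinds, 'odd_ports': odd_ports}


def block_list(summary):
    """ip:port strings for every direct-IP endpoint, busiest first."""
    return [f'{ip}:{port}' for (ip, port), _ in summary['direct_ip'].most_common()]


if __name__ == '__main__':
    s = summarize(parse_rows(SAMPLE_TABLE))
    print('row kinds:', dict(s['kinds']))
    print('direct-IP endpoints:', block_list(s))
    print('non-standard ports:', sorted(s['odd_ports']))
```

Treat the output as candidates, not verdicts: the named hosts still need a look (api.ip.sb is a public IP-lookup service that stealers call for geolocation, while the facebook.com and accounts.google.com rows come from the browser windows the sample opened), and a block list built from one run will miss the IPs a later campaign rotates to.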

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qw9tZ84.exe

MD5 d842022bca5cc7b1b434b383fff1cd4e
SHA1 9f30b81f2a618cc1376065656bc5d4e5d0764426
SHA256 ae7382a54074faef9053265e748b0d0ee66beafb08afb264eca8ef10669e4970
SHA512 38aa621539ad97d271fe1bcd83ddd0f676410c94bd6673ed3aad8d83c196c39da2994f3411721ec3897f305c7e404543e1b2d958970addaad6615ef66fb51434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF7js85.exe

MD5 430730b38a958ff52fc14b952d8a9f6e
SHA1 2133fef64cd9693fe815143acb2730c0e8f8cabe
SHA256 ddd97aece6f94ef2ac11f97aab218e4abea7f982c3df18414bdaff24902195f0
SHA512 b3b929827f367d6d1c0e7917dee349a4c2b8f05246f5af050ecce8b640eefd97dd557f839ddfdd7c0015849eceec3dc58a9812016ae1c34237a346231d275ae5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sm6vl22.exe

MD5 1ccebce57566d5dbcdfcb9edd4496e81
SHA1 ac66dc53a6d4acd7a7ad119fcab1f713dbd26f38
SHA256 1310c3d393918cbf91c48fc22a8ea9cb416431f081db0a861fa6e84d4f6ac5d3
SHA512 2cc0ca7ddfd71ec7ea74df3a2b46b345a674e8354be88f330ae849993c3f4c1bfecc710c5a24c85c57a69fedebec486158872f1ffa71251c25a58c7b267f9556

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WV8Wf13.exe

MD5 064f8c4cd5d4f849f6b25a63034dba1a
SHA1 1a08e517b5534dea6f578b0f854b9efbf7059c12
SHA256 2406a49b8ebdf6d5c7e87934865833a9ae95469f8ab60e254a16beddba211560
SHA512 c40ea0266237ff3a9a09ecebe20a709e1202042c4a1b92c75e673d7930e4db712d0cfc4af63d2b12517ee8d3d9274260ddafcd88fb3635c000897123bfbe7826

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nZ57Yu2.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/3396-35-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

memory/3396-36-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/3396-37-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/3396-39-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UC1462.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Zf34bV.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2264-45-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2264-48-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3160-47-0x00000000031E0000-0x00000000031F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ce649CZ.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/1776-54-0x0000000000210000-0x000000000024E000-memory.dmp

memory/1776-55-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/1776-56-0x0000000007450000-0x00000000079F4000-memory.dmp

memory/1776-57-0x0000000006F90000-0x0000000007022000-memory.dmp

memory/1776-58-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/1776-59-0x00000000070A0000-0x00000000070AA000-memory.dmp

memory/1776-60-0x0000000008020000-0x0000000008638000-memory.dmp

memory/1776-61-0x0000000007340000-0x000000000744A000-memory.dmp

memory/1776-62-0x0000000007270000-0x0000000007282000-memory.dmp

memory/1776-63-0x00000000072D0000-0x000000000730C000-memory.dmp

memory/1776-64-0x0000000007A00000-0x0000000007A4C000-memory.dmp

memory/1776-65-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/1776-66-0x0000000006F30000-0x0000000006F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5B.exe

MD5 1cce5276dc4acff2f06920f034e6e51c
SHA1 a848df9b574050d1583f830183b64e6c72256072
SHA256 d51a5c7ca8ff0d19f000ce3a342071bafa69d13fe1e0bc989c51aa94048620d9
SHA512 7e3117c439cee7a5c71f9af25f84a878dbcc9efe2e0752f23f6e42e750f8aa6fcbbbf9491097d5a961090fb808238c11b4e0cb73666252b190d81594e40ab010

C:\Users\Admin\AppData\Local\Temp\A5B.exe

MD5 1cce5276dc4acff2f06920f034e6e51c
SHA1 a848df9b574050d1583f830183b64e6c72256072
SHA256 d51a5c7ca8ff0d19f000ce3a342071bafa69d13fe1e0bc989c51aa94048620d9
SHA512 7e3117c439cee7a5c71f9af25f84a878dbcc9efe2e0752f23f6e42e750f8aa6fcbbbf9491097d5a961090fb808238c11b4e0cb73666252b190d81594e40ab010

C:\Users\Admin\AppData\Local\Temp\B08.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\B08.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\B08.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe

MD5 1a2d1b6cce8f2a48fbd962414466c720
SHA1 cfa710c0521fe2f99cb52458f34d1a93b76ffd62
SHA256 08044694e9161a9e52ceef304131dc8441b1dfbc371ff1cb6a9d2fc8512c2022
SHA512 71f71418033ae5a2d08ee0d965acb83ac040c7a220dfb6afbbfebae22cfb45d4dc214527502213150703cf546bd363d6f1125e579f5fffa9a488176c58600bab

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qp5Ru8ZP.exe

MD5 1a2d1b6cce8f2a48fbd962414466c720
SHA1 cfa710c0521fe2f99cb52458f34d1a93b76ffd62
SHA256 08044694e9161a9e52ceef304131dc8441b1dfbc371ff1cb6a9d2fc8512c2022
SHA512 71f71418033ae5a2d08ee0d965acb83ac040c7a220dfb6afbbfebae22cfb45d4dc214527502213150703cf546bd363d6f1125e579f5fffa9a488176c58600bab

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe

MD5 4f2aebaffa7117e2bb662e77ef052f53
SHA1 a84493111b23d0b1682a4929b4bdc7b405707295
SHA256 2bfbd7086760e655208f0dbc45edc6859596462040c2e34bab3b2c63e3fb9d63
SHA512 21a0ce86d94babf299fa8bb9ee80b9ac4854e978257ec07560c26d4a920ae58a4725b23aae9c65cc4271cd581b7ef20209afb2a337f06213f7e7d2bc0bf56a69

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4Ho268Ye.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sp4Cg5CG.exe

MD5 4f2aebaffa7117e2bb662e77ef052f53
SHA1 a84493111b23d0b1682a4929b4bdc7b405707295
SHA256 2bfbd7086760e655208f0dbc45edc6859596462040c2e34bab3b2c63e3fb9d63
SHA512 21a0ce86d94babf299fa8bb9ee80b9ac4854e978257ec07560c26d4a920ae58a4725b23aae9c65cc4271cd581b7ef20209afb2a337f06213f7e7d2bc0bf56a69

C:\Users\Admin\AppData\Local\Temp\C42.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe

MD5 34228d280227f43ab11abfd338594de6
SHA1 be48d3fbc106f64ade56ca32fa7d970b901d7c0c
SHA256 9961289c8b6b39fc91ea3209b0cb6d5224e782f26833ee08034348685a063616
SHA512 1d2aff47b260b3cfa7614875b06a40ce3489f0d0d3f9f809f5afc426f9108a4f1fd3dde75d1812c9a647d2a8d76338ad3768194a85817e4278222d6cdc5ef8ba

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lr0TL1BM.exe

MD5 34228d280227f43ab11abfd338594de6
SHA1 be48d3fbc106f64ade56ca32fa7d970b901d7c0c
SHA256 9961289c8b6b39fc91ea3209b0cb6d5224e782f26833ee08034348685a063616
SHA512 1d2aff47b260b3cfa7614875b06a40ce3489f0d0d3f9f809f5afc426f9108a4f1fd3dde75d1812c9a647d2a8d76338ad3768194a85817e4278222d6cdc5ef8ba

C:\Users\Admin\AppData\Local\Temp\D2D.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\D2D.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe

MD5 3010ab03a30ddc5fc82448c80037175e
SHA1 e3d1b8abacb9ee2d13c317e480a6eacdd35c9e11
SHA256 e614e696b09aabf1b8b6c600797ba39a9b4eb1463af2907ffd7ecdf2ceffcc10
SHA512 786b8b37a8b46b2b55705ec61418708faf17735b349786e0e04dea725fbccb24724270f825dcfa32ece6909d6f5f0a49c636771cc1c1bf172c09772bf18809e6

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hT7wN7UB.exe

MD5 3010ab03a30ddc5fc82448c80037175e
SHA1 e3d1b8abacb9ee2d13c317e480a6eacdd35c9e11
SHA256 e614e696b09aabf1b8b6c600797ba39a9b4eb1463af2907ffd7ecdf2ceffcc10
SHA512 786b8b37a8b46b2b55705ec61418708faf17735b349786e0e04dea725fbccb24724270f825dcfa32ece6909d6f5f0a49c636771cc1c1bf172c09772bf18809e6

memory/4876-111-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DF9.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1oO39FY8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

memory/4876-123-0x0000000007910000-0x0000000007920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DF9.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/2700-124-0x0000000000680000-0x00000000006A0000-memory.dmp

memory/2700-126-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F23.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2700-132-0x0000000004A90000-0x0000000004AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\F23.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2700-135-0x00000000022C0000-0x00000000022DE000-memory.dmp

memory/2700-134-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/2700-133-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/2700-136-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-137-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-139-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-141-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-143-0x00000000022C0000-0x00000000022D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\151F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/2700-152-0x00000000022C0000-0x00000000022D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe

MD5 09e0db67a9a5d32db31907039b2f0d14
SHA1 5509f348cbe19ddf804098935efcb85f91c3734b
SHA256 261856b7bed3908d608fe7104e9fafc75f2ae13f78e1033c3d7143656fcbc294
SHA512 188d5a9ae55f245e28185be8f35ad98eca9a568264e3ac49e7a8edc438554e2ecdf059a1ebc4d3c21fdbc6a29fdfef3bc8b03dcc82324f68311fdd8a595628c4

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fC636sR.exe

MD5 09e0db67a9a5d32db31907039b2f0d14
SHA1 5509f348cbe19ddf804098935efcb85f91c3734b
SHA256 261856b7bed3908d608fe7104e9fafc75f2ae13f78e1033c3d7143656fcbc294
SHA512 188d5a9ae55f245e28185be8f35ad98eca9a568264e3ac49e7a8edc438554e2ecdf059a1ebc4d3c21fdbc6a29fdfef3bc8b03dcc82324f68311fdd8a595628c4

memory/2700-155-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/4284-165-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/4284-164-0x0000000000760000-0x000000000079E000-memory.dmp

memory/2700-171-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-173-0x00000000022C0000-0x00000000022D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\151F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\1688.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\17B2.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\17B2.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3700-181-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/2700-177-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-161-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/4284-184-0x00000000074A0000-0x00000000074B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1688.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/3140-192-0x0000000002100000-0x000000000215A000-memory.dmp

memory/3700-201-0x0000000007880000-0x0000000007890000-memory.dmp

memory/2700-199-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-204-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/3140-198-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B6C.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

C:\Users\Admin\AppData\Local\Temp\151F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\151F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/3140-207-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/2700-206-0x00000000022C0000-0x00000000022D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B6C.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/4532-194-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/4532-189-0x0000000000760000-0x000000000077E000-memory.dmp

memory/2700-190-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/2700-187-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/3700-183-0x0000000000AC0000-0x0000000000B1A000-memory.dmp

memory/2700-182-0x00000000022C0000-0x00000000022D8000-memory.dmp

memory/4876-213-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2417.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/4876-218-0x0000000007910000-0x0000000007920000-memory.dmp

memory/1472-219-0x00000000005E0000-0x0000000000A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2417.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/3700-212-0x0000000008470000-0x00000000084D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\260C.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/2700-231-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2717.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/648-237-0x0000000000C60000-0x0000000000D7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2717.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/4100-238-0x0000000000A00000-0x0000000000A3E000-memory.dmp

memory/2700-232-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/1472-226-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/2700-247-0x0000000004A90000-0x0000000004AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\260C.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/648-249-0x0000000000C60000-0x0000000000D7B000-memory.dmp

memory/4100-250-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\28AE.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\28AE.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/4284-255-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/3700-257-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/3052-264-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

memory/2700-220-0x0000000004A90000-0x0000000004AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1472-283-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 14cbb9a036b52e1a14abef3132cc7a48
SHA1 adbf6fe38fd5fadd07046df26be7cf6ac93a99a8
SHA256 cd7494dfd1302d7410f5bf91faf22fb99de8c8d07e107463889fdd0f115b8bee
SHA512 e5cfaa8310c492f6716896f23fb798bebb2f958b027868ef9e477702bfd245caccb3d468e81ca28bcaccbe165b80139717256de06bf73a319779199447a98b77

memory/4284-301-0x00000000074A0000-0x00000000074B0000-memory.dmp

\??\pipe\LOCAL\crashpad_1656_NMYUZVVMKAWVJXIQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3052-281-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/4532-305-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/3700-306-0x0000000007880000-0x0000000007890000-memory.dmp

memory/4532-307-0x0000000005050000-0x0000000005060000-memory.dmp

memory/64-310-0x0000000004C40000-0x0000000005044000-memory.dmp

memory/64-317-0x0000000005050000-0x000000000593B000-memory.dmp

memory/3140-320-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/64-321-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3700-329-0x0000000009B30000-0x0000000009BA6000-memory.dmp

memory/2700-339-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/3700-337-0x0000000009BB0000-0x0000000009BCE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 98a77d12d1263e552ae3a8d18d71d1fc
SHA1 23681fd27b8b48aee705da546a09147138268f54
SHA256 842fd3090ef4e28c32aacb45de0b75c34a3fa8185b58775c0788e94858530283
SHA512 6ca5117c41d42b652b0da5b95dde8dcfb54bc01d6108583a152856047fcefe2db6d71ff31a27cc196bbce137a35582bdc64f3440d6808043ea3b4f7410ef9165

memory/64-360-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 23507aecc061d869bbcdfdb95b36c1b3
SHA1 6a032e30aace3f4b4863127400f05219e1fe5473
SHA256 a5ff011d467f9e926947ab9cb15d2bb2dd892a06efe50e7bb3defab59bf0dd35
SHA512 34408dfc0128e42d21b7d94faf3d4645ff0e8afb2dc102c4ee2362575f604839b00c803c850a37eb9da98b478a4e8444cc533c6108767b4e8fd03d20504cc56a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4adi4zl.mpa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/64-439-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a5a286db1263a395c567e4da561f6b67
SHA1 f300a4c65b5d86d5c322bd76a0394095fe366ca5
SHA256 b0dcdc47f3fb086ad46ef5a58d331ba75183265827dd7751f42889baec549b8c
SHA512 63c65cca80a5629574077b0f6101eabc346ecbd8c1c55be767b6132a5ebd32d7f3fbeeaed4c8c232e2b835c5527acf86a230348fa8e1733d40030ea490e2525f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b0d06c9ea2faa618707128df047ceca8
SHA1 257394019e211ec489312b519200dd827d77d85b
SHA256 49c1893b45bdd8db83f99d2ee0523037d7484d336b6fb0fffdbdf9bc08afe79f
SHA512 8b33feb9df00fef6883920429f07abde931b1d1edb91e4f633edb67e4e5cf5193222a3ff1adbc8d770a1719f337f8fca0b9d203f7988b6dd605d9be1d8dd3261

memory/64-519-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fb9e4ee32b2fd8b8a291976994cc2e8d
SHA1 e42acb6c54beaa3aedfe038dd2905261483e9cd4
SHA256 1f30ca1e5511ef600fb518008e43d95a8ac68da898bd1bbeab1acb2dbe1e6b9c
SHA512 5a26d1913d7f75ad9f5d2f3d721048ab7d77fc4eaced5913addca701604b417951aa7ed80ab0b21e9a591df16cf02515b4d1dcd7b26c4042b7e51b61bd0cc1c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 30b3ad1cd6e402e5b39e3ace4b75daa1
SHA1 365d993fd1407e31c41281c0ba82635eacddd00b
SHA256 470596899c98bb826f1af12abf474140a48b275c7ec64b5fdca1305af606edc4
SHA512 516581d572ecb80e1b4c432807284c165a0d573660a9ddef35135d10898555ee1f1d2ff458536064657bcba28c29d95e70401fde807aa1da55bf4ddf96a40aec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5848-613-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f1dcbcf5ebb0a6a45abd01f28356850d
SHA1 d06273f630a3fd51cad4b5c5ae747509521bd917
SHA256 4b8def2c3e379dc3b2235c057313e91d803798201a4ae5e7d800a2c5017abb04
SHA512 13ef4c03cbc5b63c50b833366530cd4733baa795a3a53a1da34303bf9575a866135a4afda2dcc4e1aa75e0cc1ebe3d82c8de478d5fe5e09dcd75878fbeed4af9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58eaf7.TMP

MD5 17f138266c9f87af5de95d8f8b85e662
SHA1 2f3b68c7fc1e7b2be13da1ed2cdd1fabf7bb7d7c
SHA256 0f4aa57858f9a1d28ee76b10d04e862dc9032bd9329a55d7cd1370aa7f917743
SHA512 d7bb5e6bd934fa21ee2ecab1f4c39f2acc54968a736e55ab6271f25ad17805ea88a586c80c753dd4efddb15c44793af8dbd8797b2cf178d14926c9cbeb8d3f70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b30e1aff7ca6a6d3346f7b0f2c8104a
SHA1 c0611cfbf3399fbb6f8dc146f59e7a4ab4e3cb2d
SHA256 4577b9a1cf3e46f3d15a3196a85b660388fcc4c4b5a403db6fa5724580368207
SHA512 55546027fc31450eb2288f00616fcac34c57d64147078ce95e814e8f2d4667c0406968aaffcf9b1c840e026b8cef751efe42d2a3db9604c3f7572b817ea43c99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0ca29724eabbdd0fd1ea2e0aef525e33
SHA1 5d6432ae69cdfc1176104fce197e22b6a2dcd326
SHA256 24ec7c8dd4c4dd61a272904cb989eff10571d94cff791ccc3846512887220f33
SHA512 cd3668c4acf055cb6055503c0edf9296b8ce5fc0f92c27495685e29e3f32d1f2f7f4069cb6f13437f94856f7f775617f4acb8e42de02ff3f27971914c28d208f

memory/5276-722-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1c45774229d5248d43ad93feac6d3b71
SHA1 383236160b0a68b4a15a363183ae83f4d078a784
SHA256 77f8042b13433c14ae16617a3217a78bbb47a0c3509e107a07dd1705d7100c52
SHA512 e5848a3aeafed670462e948af8409d4461e20c02395d6e917653326d767897558d2357c649bc1d56880919574130cd829eec6a5059b018934d8d8cdfaadf5c12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5912c3.TMP

MD5 ab97c381cd3c3050db68eabc635debfe
SHA1 bd332829943cb53e05426f74f5c9a9d6498e3a14
SHA256 44ffb2c2a61c39408f16b4ce3aebeb70945393b8c9da21837ce39508c065f6a9
SHA512 f972697de1425265e799816635eeb2370b5247a073bc375e2abd64c9589822ac3110eed7d7da829dc99c21bebe264e0395476e90a398253961dc3298d71098c8

memory/5276-763-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4572-768-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f4af52decccdd800b84a1abc0cd2a5fc
SHA1 6140e73e5c0f18a22d931bde9d9827756c81815d
SHA256 8bfee717f828657da10013b5c7e2c459f0021ea899ddfaef58f209b0708396d4
SHA512 009efa9bb8d0bf6748ce40134e93b99b170eee14fb74ba5c099312689d9df3a783b2b3c60478bd2c55c98711e6fbb9e260dd5c3e4a9afe2d63050282b4a1baae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4eb5aa0abcec73c80790aea5522420e3
SHA1 77ba784a52757c65106fb45c14185609e2219c6d
SHA256 8e83c944f1ae94796c1ff66cd08d4b397903ce51c12ad8b6e602e23d917b300e
SHA512 b6fb712e4e6a917058c59e0653a3015d8f4b427abc33393da791580947b3d7ce089c8d013194eeac83c8894f2b2bfff2f2497b42146d994ef3080cbeb23e8c06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 02406269e3b9cfa71059e530ee645e69
SHA1 5a0fc2356a09b8a88ebfb7c91e6480440a49cbd7
SHA256 48e6e6d2dbb973f7ec6999b597a02c9ae8c69e88393a6b41d58b87c107413049
SHA512 5d1dfef22439b0d22736084eeb28f9b9eadf83a59adde21c3dcd7d351d78ea7bc2b189ebfd98def03203ab047989d03ae9e3475b56cbb7b1bc3367212b034ca3