Malware Analysis Report

2025-08-10 21:54

Sample ID 231025-f4vqzaed88
Target c238e3f656f5a2886e97f777b218fa8e.exe
SHA256 8cdf8c8f5e0cb9da6b4ec0df92d767265b194f3a5ad9f83e4ee8a99d7d0870da
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8cdf8c8f5e0cb9da6b4ec0df92d767265b194f3a5ad9f83e4ee8a99d7d0870da

Threat Level: Known bad

The file c238e3f656f5a2886e97f777b218fa8e.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan

Detect ZGRat V1

Raccoon Stealer payload

DcRat

RedLine

SmokeLoader

RedLine payload

Modifies Windows Defender Real-time Protection settings

Glupteba

Raccoon

Amadey

Glupteba payload

ZGRat

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 05:26

Reported

2023-10-25 05:28

Platform

win7-20231023-en

Max time kernel

62s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Stops running service(s)

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\A361.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\3470.exe'\"" C:\Users\Admin\AppData\Local\Temp\3470.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3CAB.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A7F7.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1692 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\A361.exe
PID 1256 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4D8.exe
PID 1256 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4D8.exe
PID 1256 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4D8.exe
PID 1256 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4D8.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\A361.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 1256 wrote to memory of 2000 N/A N/A C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2000 N/A N/A C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2000 N/A N/A C:\Windows\system32\cmd.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 2668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 1256 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\A71B.exe
PID 1256 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\A71B.exe
PID 1256 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\A71B.exe
PID 1256 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\A71B.exe
PID 1256 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\A7F7.exe
PID 1256 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\A7F7.exe
PID 1256 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\A7F7.exe
PID 1256 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\A7F7.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2960 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 2672 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 1484 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe
PID 1484 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe
PID 1484 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe
PID 1484 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe

"C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\A361.exe

C:\Users\Admin\AppData\Local\Temp\A361.exe

C:\Users\Admin\AppData\Local\Temp\A4D8.exe

C:\Users\Admin\AppData\Local\Temp\A4D8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\A601.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

C:\Users\Admin\AppData\Local\Temp\A71B.exe

C:\Users\Admin\AppData\Local\Temp\A71B.exe

C:\Users\Admin\AppData\Local\Temp\A7F7.exe

C:\Users\Admin\AppData\Local\Temp\A7F7.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

C:\Users\Admin\AppData\Local\Temp\AA87.exe

C:\Users\Admin\AppData\Local\Temp\AA87.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {B1B0F7E9-14CD-472B-8BC0-645C1CDEA3E0} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\30C7.exe

C:\Users\Admin\AppData\Local\Temp\30C7.exe

C:\Users\Admin\AppData\Local\Temp\3470.exe

C:\Users\Admin\AppData\Local\Temp\3470.exe

C:\Users\Admin\AppData\Local\Temp\3CAB.exe

C:\Users\Admin\AppData\Local\Temp\3CAB.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 520

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\721D.exe

C:\Users\Admin\AppData\Local\Temp\721D.exe

C:\Users\Admin\AppData\Local\Temp\7zS674B.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\8179.exe

C:\Users\Admin\AppData\Local\Temp\8179.exe

C:\Users\Admin\AppData\Local\Temp\7zS734C.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gDwEUxeEG" /SC once /ST 03:01:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gDwEUxeEG"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gDwEUxeEG"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 05:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\OhvJeSu.exe\" 3Y /DEsite_idGOt 385119 /S" /V1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {E6EB5E80-5C39-481F-ADA8-BACB757705D8} S-1-5-18:NT AUTHORITY\System:Service:

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
TR 185.216.70.222:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 195.123.218.98:80 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 195.123.218.98:80 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

memory/2852-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2852-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2852-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2852-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2852-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1256-5-0x0000000002230000-0x0000000002246000-memory.dmp

memory/2852-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A361.exe

MD5 cb4c180d16b4eac35e49880c7ece520c
SHA1 2e0d209b57503986faa7db32844c737f477d03ce
SHA256 e253602e48c3551b7ed69fcfdd6b6bacbbea76d7f7d8566b7903dce60a126cbd
SHA512 b2e1923eeec4974297193dac583ea2ddc3bc34812add05492fe0570a1e8bdbea228c81d8c04ba390fa585d859458997abe11cd96a2657af84edb565c6a00b225

\Users\Admin\AppData\Local\Temp\A361.exe

MD5 cb4c180d16b4eac35e49880c7ece520c
SHA1 2e0d209b57503986faa7db32844c737f477d03ce
SHA256 e253602e48c3551b7ed69fcfdd6b6bacbbea76d7f7d8566b7903dce60a126cbd
SHA512 b2e1923eeec4974297193dac583ea2ddc3bc34812add05492fe0570a1e8bdbea228c81d8c04ba390fa585d859458997abe11cd96a2657af84edb565c6a00b225

C:\Users\Admin\AppData\Local\Temp\A4D8.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

MD5 c476c9bb6923375f1a1214c358e4e90d
SHA1 b70ce864fd0b0d8f8d26245030a77836db5e906c
SHA256 041911afacc378f0e4bd60426d457484a3ff7a48f902b1a7e5d0a19262add9c0
SHA512 44bb1b79b4e188cb153b5013b2d75f02c1b7a4b9251c850579c684334a41ee07959fc4a6ee2d1c4bfcbc908704c308b89d74c20d16578dd54d65292ac1035893

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

MD5 c476c9bb6923375f1a1214c358e4e90d
SHA1 b70ce864fd0b0d8f8d26245030a77836db5e906c
SHA256 041911afacc378f0e4bd60426d457484a3ff7a48f902b1a7e5d0a19262add9c0
SHA512 44bb1b79b4e188cb153b5013b2d75f02c1b7a4b9251c850579c684334a41ee07959fc4a6ee2d1c4bfcbc908704c308b89d74c20d16578dd54d65292ac1035893

C:\Users\Admin\AppData\Local\Temp\A601.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

MD5 60538700bb1f9ed159e2291c23189502
SHA1 7cce4e22ae6774ace37c841dc543e49d499aff57
SHA256 73d62caa44316fac5f0ddab6bb77ce6a7df3066f453ade042d0f1c3b94e9df74
SHA512 c186c4e8bf03b09cf9dd201ca2088e88aef5d040116c30da1db8869e21f84c4828541c02f8c4beffd6e93faba8f93abf0c6c413f52d26e4eaf4f10e9c97f6a46

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

MD5 60538700bb1f9ed159e2291c23189502
SHA1 7cce4e22ae6774ace37c841dc543e49d499aff57
SHA256 73d62caa44316fac5f0ddab6bb77ce6a7df3066f453ade042d0f1c3b94e9df74
SHA512 c186c4e8bf03b09cf9dd201ca2088e88aef5d040116c30da1db8869e21f84c4828541c02f8c4beffd6e93faba8f93abf0c6c413f52d26e4eaf4f10e9c97f6a46

C:\Users\Admin\AppData\Local\Temp\A71B.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

MD5 0590c1890a06832014e61a01b5e0ca53
SHA1 71660a68f43e6e01d8cf0ac23bb821bd14b113e8
SHA256 efb3181227ae9f96d0f27e13475393bba5f038835b09ed2c1a81c3f4c846e263
SHA512 b1ca7f39ce9b3722fd9cb2acc9e7b24a6f6f8f59919a27469c7f8dc08c1cd5cde9044c0362a75315af3578368a4c2ef3de7b817b5729f4472f5bca180050180a

C:\Users\Admin\AppData\Local\Temp\A7F7.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3QE9Dn98.exe

MD5 a5e1c98749ba8587c85a1763275e41d4
SHA1 7ccad28b84e926310858870340ef78a47afcce9c
SHA256 61b194694a62f387e74c4c55cc11396c67e38cff9e56db91cdc0bdb47dd58c0f
SHA512 042b5d800e683fa76041d64f47019639e59152df8efd4d229345c18ed72809659a511549279ca5e05ca643e039eb0dd46c5f89706d6a70ec2aaa039b1649158b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

MD5 0590c1890a06832014e61a01b5e0ca53
SHA1 71660a68f43e6e01d8cf0ac23bb821bd14b113e8
SHA256 efb3181227ae9f96d0f27e13475393bba5f038835b09ed2c1a81c3f4c846e263
SHA512 b1ca7f39ce9b3722fd9cb2acc9e7b24a6f6f8f59919a27469c7f8dc08c1cd5cde9044c0362a75315af3578368a4c2ef3de7b817b5729f4472f5bca180050180a

\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

MD5 a1b436f13df84751bd5e0408ff633264
SHA1 80876dfe03fd54a6bbc36dfeef7c36c6e42fd433
SHA256 9055a054d72fe696ce2f99a151fde54277572108a97964a5575a7b30af85024f
SHA512 12f538f016f4a93cb0d35d9151e4b19c2cb2aa1d1f6b4fd10f796142be95427dc0b87cfa91776df087e316fd345c9532e594e441ec614ec7257c5cca53c90fb2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

MD5 20cda7237976430c6fe9b4dd6a61bd5b
SHA1 a6e3e1f44c1c64d12072865921f6e3f1f7e36075
SHA256 ecbc884be2b0164ca8b6902ae6d51f23f6f0ebd6a2dc906dacc266bb89d187c7
SHA512 b5d68fb510456f95b40f7178805ab38c3c5a062e3ddeea5c09d7021465b6a9c7476cc300372a9d6bbcf84a38a81b23b5c8e24e2de3c450390865e751b00898cb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

MD5 20cda7237976430c6fe9b4dd6a61bd5b
SHA1 a6e3e1f44c1c64d12072865921f6e3f1f7e36075
SHA256 ecbc884be2b0164ca8b6902ae6d51f23f6f0ebd6a2dc906dacc266bb89d187c7
SHA512 b5d68fb510456f95b40f7178805ab38c3c5a062e3ddeea5c09d7021465b6a9c7476cc300372a9d6bbcf84a38a81b23b5c8e24e2de3c450390865e751b00898cb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

MD5 a1b436f13df84751bd5e0408ff633264
SHA1 80876dfe03fd54a6bbc36dfeef7c36c6e42fd433
SHA256 9055a054d72fe696ce2f99a151fde54277572108a97964a5575a7b30af85024f
SHA512 12f538f016f4a93cb0d35d9151e4b19c2cb2aa1d1f6b4fd10f796142be95427dc0b87cfa91776df087e316fd345c9532e594e441ec614ec7257c5cca53c90fb2

C:\Users\Admin\AppData\Local\Temp\AA87.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

MD5 b18638a98ec5958fe320e16418bbd380
SHA1 bc461150a45b4e2999afe814b679f3a1f598fdef
SHA256 e603476a6c7caee8e5e4ce393c415d0a7cfa26fe006c374d0348918ecb401138
SHA512 15967803fab1a9fa068c861958961560e0b7eebc067a68545e8aac6c9986ce52906a02ad83964ce88adcb24088b6f5454bbd39ce911e402186cf591b4857ef32

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

MD5 b18638a98ec5958fe320e16418bbd380
SHA1 bc461150a45b4e2999afe814b679f3a1f598fdef
SHA256 e603476a6c7caee8e5e4ce393c415d0a7cfa26fe006c374d0348918ecb401138
SHA512 15967803fab1a9fa068c861958961560e0b7eebc067a68545e8aac6c9986ce52906a02ad83964ce88adcb24088b6f5454bbd39ce911e402186cf591b4857ef32

memory/588-113-0x00000000011B0000-0x00000000011BA000-memory.dmp

memory/1860-115-0x0000000000BC0000-0x0000000000BFE000-memory.dmp

memory/832-116-0x0000000000B50000-0x0000000000B8E000-memory.dmp

memory/588-117-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/1860-118-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/1860-119-0x0000000002020000-0x0000000002060000-memory.dmp

memory/588-120-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/1860-121-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/588-122-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/2316-129-0x0000000073C50000-0x000000007433E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\30C7.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/2316-130-0x0000000000BC0000-0x0000000001E40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3470.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\3CAB.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

memory/3044-146-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3044-147-0x0000000000220000-0x000000000027A000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/3044-159-0x0000000073C50000-0x000000007433E000-memory.dmp

\Users\Admin\AppData\Local\Temp\3CAB.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2316-178-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/2100-183-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2100-181-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/2980-184-0x0000000002850000-0x0000000002C48000-memory.dmp

memory/2980-180-0x0000000002850000-0x0000000002C48000-memory.dmp

memory/1608-186-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2980-187-0x0000000002C50000-0x000000000353B000-memory.dmp

memory/1608-189-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3044-191-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1608-192-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3044-193-0x0000000073C50000-0x000000007433E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2980-204-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS674B.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/2980-207-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2948-214-0x0000000001060000-0x00000000011DE000-memory.dmp

memory/2948-216-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/1256-217-0x0000000002B50000-0x0000000002B66000-memory.dmp

memory/1608-218-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2948-241-0x0000000073C50000-0x000000007433E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/2548-243-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2980-244-0x0000000002C50000-0x000000000353B000-memory.dmp

memory/2412-248-0x00000000011A0000-0x0000000001580000-memory.dmp

memory/2316-249-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/2736-254-0x0000000010000000-0x000000001057B000-memory.dmp

memory/2848-260-0x00000000008F0000-0x00000000008F8000-memory.dmp

memory/2848-261-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

memory/2980-262-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2716-264-0x000000013F840000-0x0000000140350000-memory.dmp

memory/272-266-0x000000013F6E0000-0x000000013FC81000-memory.dmp

memory/2736-267-0x0000000000B80000-0x000000000126F000-memory.dmp

memory/2736-269-0x0000000001660000-0x0000000001D4F000-memory.dmp

memory/2736-270-0x0000000001660000-0x0000000001D4F000-memory.dmp

memory/2736-271-0x0000000001660000-0x0000000001D4F000-memory.dmp

memory/2412-273-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/2140-274-0x0000000001EE0000-0x00000000025CF000-memory.dmp

memory/2412-275-0x0000000000290000-0x000000000029A000-memory.dmp

memory/2980-276-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2716-277-0x000000013F840000-0x0000000140350000-memory.dmp

memory/2412-278-0x00000000002A0000-0x00000000002A8000-memory.dmp

memory/2848-281-0x0000000000330000-0x00000000003B0000-memory.dmp

memory/2980-282-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2412-284-0x0000000005240000-0x00000000053D2000-memory.dmp

memory/2412-288-0x0000000000450000-0x0000000000460000-memory.dmp

memory/2980-289-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2716-290-0x000000013F840000-0x0000000140350000-memory.dmp

memory/2412-293-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2412-294-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2412-295-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2412-296-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2412-297-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2412-298-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2412-299-0x0000000005200000-0x0000000005240000-memory.dmp

memory/2848-300-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

memory/2412-301-0x0000000005680000-0x0000000005780000-memory.dmp

memory/612-306-0x000000001B180000-0x000000001B462000-memory.dmp

memory/612-307-0x00000000023D0000-0x0000000002450000-memory.dmp

memory/612-308-0x0000000001E30000-0x0000000001E38000-memory.dmp

memory/1500-309-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1500-311-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1500-313-0x0000000000400000-0x000000000041B000-memory.dmp

memory/612-315-0x000007FEEE450000-0x000007FEEEDED000-memory.dmp

memory/612-317-0x00000000023D0000-0x0000000002450000-memory.dmp

memory/612-319-0x00000000023D4000-0x00000000023D7000-memory.dmp

memory/612-320-0x00000000023D0000-0x0000000002450000-memory.dmp

memory/1500-318-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1500-322-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1500-324-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1500-327-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1500-329-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2412-326-0x0000000073C50000-0x000000007433E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\32Q6O0XX9G1BWZ2BMHKX.temp

MD5 c5e6ddff58460b53a365c8edd41f96b8
SHA1 6b633e6c99ae61467583ab9f08b9b58f53851105
SHA256 37ea654bc3449dad07db94567802ee21b17223fafce7f48be9af964c1bb60fea
SHA512 20ef0af3b3a8af0cca586f9ac3dc3b0ef7b7b65c1f177e4aa522999ca2b5042cc025a073e2512b63f3c09621cee534efffad9cd673c300dfd16dd33bab5d425a

memory/2740-335-0x000000001B070000-0x000000001B352000-memory.dmp

memory/2740-336-0x0000000002330000-0x0000000002338000-memory.dmp

memory/272-341-0x000000013F6E0000-0x000000013FC81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\OhvJeSu.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

memory/2980-349-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2716-351-0x000000013F840000-0x0000000140350000-memory.dmp
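
The listing above repeats the same hashes under several paths: AA87.exe and fefffe8cea\explothe.exe carry identical MD5, SHA1, SHA256 and SHA512 values, and most of the IXP00N.TMP binaries appear once as C:\Users\... and once as \Users\.... The Python below is an added example, not part of the sandbox report or its tooling. It parses entries in the listing's format, skips the memory-dump rows, and groups entries by SHA256 so that a self-copy or a re-logged path collapses into one artefact with a list of locations. It assumes that the drive-less \Users\... spelling refers to the same file as C:\Users\... (the sandbox logging the system drive both ways); the input is a subset of the entries copied from the listing above.

```python
"""Group a sandbox report's dropped-file listing by SHA256.

The same binary written to several paths (or logged once with and once
without the drive letter) appears as separate entries in the listing;
collapsing entries by hash shows which dropped files are really one
artefact, e.g. AA87.exe and fefffe8cea\\explothe.exe in the report above.
"""
import re
from collections import defaultdict

# Entries copied from the report's file listing (a subset, plus one
# memory-dump row to show that it is skipped).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\AA87.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

MD5 20cda7237976430c6fe9b4dd6a61bd5b
SHA1 a6e3e1f44c1c64d12072865921f6e3f1f7e36075
SHA256 ecbc884be2b0164ca8b6902ae6d51f23f6f0ebd6a2dc906dacc266bb89d187c7
SHA512 b5d68fb510456f95b40f7178805ab38c3c5a062e3ddeea5c09d7021465b6a9c7476cc300372a9d6bbcf84a38a81b23b5c8e24e2de3c450390865e751b00898cb

memory/2548-243-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

MD5 20cda7237976430c6fe9b4dd6a61bd5b
SHA1 a6e3e1f44c1c64d12072865921f6e3f1f7e36075
SHA256 ecbc884be2b0164ca8b6902ae6d51f23f6f0ebd6a2dc906dacc266bb89d187c7
SHA512 b5d68fb510456f95b40f7178805ab38c3c5a062e3ddeea5c09d7021465b6a9c7476cc300372a9d6bbcf84a38a81b23b5c8e24e2de3c450390865e751b00898cb
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return one dict per hashed file: {'path', 'MD5', 'SHA1', 'SHA256', 'SHA512'}.

    A non-empty line that is not a hash line starts a new entry; 'memory/...'
    rows are skipped because they carry no hashes.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:   # catch truncated or mis-copied digests
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current[algo] = digest
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line}
            entries.append(current)
    return [e for e in entries if "SHA256" in e]


def normalize_path(path):
    """Assumption: the sandbox logs the system drive both with and without
    its letter, so '\\Users\\...' and 'C:\\Users\\...' are the same file."""
    return "C:" + path if path.startswith("\\") else path


def group_by_sha256(entries):
    """Map SHA256 -> sorted list of distinct normalized paths."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["SHA256"]].add(normalize_path(e["path"]))
    return {h: sorted(paths) for h, paths in groups.items()}


def multi_path_hashes(groups):
    """Hashes seen under more than one path: self-copies or staged payloads."""
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    grouped = group_by_sha256(parse_listing(SAMPLE_LISTING))
    for sha256, paths in grouped.items():
        print(sha256)
        for p in paths:
            print("   ", p)
    print("same binary under several paths:", list(multi_path_hashes(grouped)))
```

Running it on the full listing gives one row per distinct binary with every location it was written to, which is the form in which the dropped files are worth blocking or hunting for; the hash-length check is there because a digest that was copied by hand with a character missing is a common reason an IOC never matches.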

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 05:26

Reported

2023-10-25 05:28

Platform

win10v2004-20231020-en

Max time kernel

60s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F929.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FA53.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F929.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\79E5.exe'\"" C:\Users\Admin\AppData\Local\Temp\79E5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F56C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F929.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3936 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3936 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3936 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3936 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3936 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3936 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3104 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\F56C.exe
PID 3104 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\F56C.exe
PID 3104 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\F56C.exe
PID 3104 wrote to memory of 1628 N/A N/A C:\Users\Admin\AppData\Local\Temp\F609.exe
PID 3104 wrote to memory of 1628 N/A N/A C:\Users\Admin\AppData\Local\Temp\F609.exe
PID 3104 wrote to memory of 1628 N/A N/A C:\Users\Admin\AppData\Local\Temp\F609.exe
PID 2860 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\F56C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2860 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\F56C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 2860 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\F56C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe
PID 3104 wrote to memory of 4752 N/A N/A C:\Windows\system32\cmd.exe
PID 3104 wrote to memory of 4752 N/A N/A C:\Windows\system32\cmd.exe
PID 3104 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\F85D.exe
PID 3104 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\F85D.exe
PID 3104 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\F85D.exe
PID 1924 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 1924 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 1924 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe
PID 3408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 3408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 3408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe
PID 3104 wrote to memory of 1236 N/A N/A C:\Users\Admin\AppData\Local\Temp\F929.exe
PID 3104 wrote to memory of 1236 N/A N/A C:\Users\Admin\AppData\Local\Temp\F929.exe
PID 3104 wrote to memory of 1236 N/A N/A C:\Users\Admin\AppData\Local\Temp\F929.exe
PID 3104 wrote to memory of 3316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA53.exe
PID 3104 wrote to memory of 3316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA53.exe
PID 3104 wrote to memory of 3316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA53.exe
PID 420 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 420 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 420 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe
PID 3880 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe
PID 3880 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe
PID 3880 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe
PID 4752 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4752 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3316 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\FA53.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3316 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\FA53.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3316 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\FA53.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1460 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1740 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1740 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1740 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1740 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4752 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe

"C:\Users\Admin\AppData\Local\Temp\c238e3f656f5a2886e97f777b218fa8e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\F56C.exe

C:\Users\Admin\AppData\Local\Temp\F56C.exe

C:\Users\Admin\AppData\Local\Temp\F609.exe

C:\Users\Admin\AppData\Local\Temp\F609.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F714.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

C:\Users\Admin\AppData\Local\Temp\F85D.exe

C:\Users\Admin\AppData\Local\Temp\F85D.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

C:\Users\Admin\AppData\Local\Temp\F929.exe

C:\Users\Admin\AppData\Local\Temp\F929.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

C:\Users\Admin\AppData\Local\Temp\FA53.exe

C:\Users\Admin\AppData\Local\Temp\FA53.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf73a46f8,0x7ffdf73a4708,0x7ffdf73a4718

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffdf73a46f8,0x7ffdf73a4708,0x7ffdf73a4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4140 -ip 4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,10750097774332134305,4045173332776348466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,10750097774332134305,4045173332776348466,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 540

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,6451608773661469838,15611988661933488314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\787D.exe

C:\Users\Admin\AppData\Local\Temp\787D.exe

C:\Users\Admin\AppData\Local\Temp\79E5.exe

C:\Users\Admin\AppData\Local\Temp\79E5.exe

C:\Users\Admin\AppData\Local\Temp\86B7.exe

C:\Users\Admin\AppData\Local\Temp\86B7.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zS91DB.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9CA8.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\is-3V5MO.tmp\is-B8C5G.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3V5MO.tmp\is-B8C5G.tmp" /SL4 $7023C "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\BE14.exe

C:\Users\Admin\AppData\Local\Temp\BE14.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Users\Admin\AppData\Local\Temp\CE80.exe

C:\Users\Admin\AppData\Local\Temp\CE80.exe

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
TR 185.216.70.222:80 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.71:4341 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 85.209.11.85:41140 tcp
US 8.8.8.8:53 85.11.209.85.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp

Files

memory/3492-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3492-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3104-2-0x0000000003170000-0x0000000003186000-memory.dmp

memory/3492-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F56C.exe

MD5 cb4c180d16b4eac35e49880c7ece520c
SHA1 2e0d209b57503986faa7db32844c737f477d03ce
SHA256 e253602e48c3551b7ed69fcfdd6b6bacbbea76d7f7d8566b7903dce60a126cbd
SHA512 b2e1923eeec4974297193dac583ea2ddc3bc34812add05492fe0570a1e8bdbea228c81d8c04ba390fa585d859458997abe11cd96a2657af84edb565c6a00b225

C:\Users\Admin\AppData\Local\Temp\F56C.exe

MD5 cb4c180d16b4eac35e49880c7ece520c
SHA1 2e0d209b57503986faa7db32844c737f477d03ce
SHA256 e253602e48c3551b7ed69fcfdd6b6bacbbea76d7f7d8566b7903dce60a126cbd
SHA512 b2e1923eeec4974297193dac583ea2ddc3bc34812add05492fe0570a1e8bdbea228c81d8c04ba390fa585d859458997abe11cd96a2657af84edb565c6a00b225

C:\Users\Admin\AppData\Local\Temp\F609.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\F609.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

MD5 c476c9bb6923375f1a1214c358e4e90d
SHA1 b70ce864fd0b0d8f8d26245030a77836db5e906c
SHA256 041911afacc378f0e4bd60426d457484a3ff7a48f902b1a7e5d0a19262add9c0
SHA512 44bb1b79b4e188cb153b5013b2d75f02c1b7a4b9251c850579c684334a41ee07959fc4a6ee2d1c4bfcbc908704c308b89d74c20d16578dd54d65292ac1035893

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sq8bL2LO.exe

MD5 c476c9bb6923375f1a1214c358e4e90d
SHA1 b70ce864fd0b0d8f8d26245030a77836db5e906c
SHA256 041911afacc378f0e4bd60426d457484a3ff7a48f902b1a7e5d0a19262add9c0
SHA512 44bb1b79b4e188cb153b5013b2d75f02c1b7a4b9251c850579c684334a41ee07959fc4a6ee2d1c4bfcbc908704c308b89d74c20d16578dd54d65292ac1035893

C:\Users\Admin\AppData\Local\Temp\F85D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

MD5 60538700bb1f9ed159e2291c23189502
SHA1 7cce4e22ae6774ace37c841dc543e49d499aff57
SHA256 73d62caa44316fac5f0ddab6bb77ce6a7df3066f453ade042d0f1c3b94e9df74
SHA512 c186c4e8bf03b09cf9dd201ca2088e88aef5d040116c30da1db8869e21f84c4828541c02f8c4beffd6e93faba8f93abf0c6c413f52d26e4eaf4f10e9c97f6a46

C:\Users\Admin\AppData\Local\Temp\F85D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ts0My4KF.exe

MD5 60538700bb1f9ed159e2291c23189502
SHA1 7cce4e22ae6774ace37c841dc543e49d499aff57
SHA256 73d62caa44316fac5f0ddab6bb77ce6a7df3066f453ade042d0f1c3b94e9df74
SHA512 c186c4e8bf03b09cf9dd201ca2088e88aef5d040116c30da1db8869e21f84c4828541c02f8c4beffd6e93faba8f93abf0c6c413f52d26e4eaf4f10e9c97f6a46

C:\Users\Admin\AppData\Local\Temp\F714.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

MD5 0590c1890a06832014e61a01b5e0ca53
SHA1 71660a68f43e6e01d8cf0ac23bb821bd14b113e8
SHA256 efb3181227ae9f96d0f27e13475393bba5f038835b09ed2c1a81c3f4c846e263
SHA512 b1ca7f39ce9b3722fd9cb2acc9e7b24a6f6f8f59919a27469c7f8dc08c1cd5cde9044c0362a75315af3578368a4c2ef3de7b817b5729f4472f5bca180050180a

C:\Users\Admin\AppData\Local\Temp\F929.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yt2qw4Zq.exe

MD5 0590c1890a06832014e61a01b5e0ca53
SHA1 71660a68f43e6e01d8cf0ac23bb821bd14b113e8
SHA256 efb3181227ae9f96d0f27e13475393bba5f038835b09ed2c1a81c3f4c846e263
SHA512 b1ca7f39ce9b3722fd9cb2acc9e7b24a6f6f8f59919a27469c7f8dc08c1cd5cde9044c0362a75315af3578368a4c2ef3de7b817b5729f4472f5bca180050180a

C:\Users\Admin\AppData\Local\Temp\F929.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/3500-57-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/1236-56-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA53.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1236-70-0x00000000732F0000-0x0000000073AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

MD5 20cda7237976430c6fe9b4dd6a61bd5b
SHA1 a6e3e1f44c1c64d12072865921f6e3f1f7e36075
SHA256 ecbc884be2b0164ca8b6902ae6d51f23f6f0ebd6a2dc906dacc266bb89d187c7
SHA512 b5d68fb510456f95b40f7178805ab38c3c5a062e3ddeea5c09d7021465b6a9c7476cc300372a9d6bbcf84a38a81b23b5c8e24e2de3c450390865e751b00898cb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zb22cE5.exe

MD5 20cda7237976430c6fe9b4dd6a61bd5b
SHA1 a6e3e1f44c1c64d12072865921f6e3f1f7e36075
SHA256 ecbc884be2b0164ca8b6902ae6d51f23f6f0ebd6a2dc906dacc266bb89d187c7
SHA512 b5d68fb510456f95b40f7178805ab38c3c5a062e3ddeea5c09d7021465b6a9c7476cc300372a9d6bbcf84a38a81b23b5c8e24e2de3c450390865e751b00898cb

memory/3500-62-0x0000000000820000-0x000000000085E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

MD5 a1b436f13df84751bd5e0408ff633264
SHA1 80876dfe03fd54a6bbc36dfeef7c36c6e42fd433
SHA256 9055a054d72fe696ce2f99a151fde54277572108a97964a5575a7b30af85024f
SHA512 12f538f016f4a93cb0d35d9151e4b19c2cb2aa1d1f6b4fd10f796142be95427dc0b87cfa91776df087e316fd345c9532e594e441ec614ec7257c5cca53c90fb2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wg1ZD4vo.exe

MD5 a1b436f13df84751bd5e0408ff633264
SHA1 80876dfe03fd54a6bbc36dfeef7c36c6e42fd433
SHA256 9055a054d72fe696ce2f99a151fde54277572108a97964a5575a7b30af85024f
SHA512 12f538f016f4a93cb0d35d9151e4b19c2cb2aa1d1f6b4fd10f796142be95427dc0b87cfa91776df087e316fd345c9532e594e441ec614ec7257c5cca53c90fb2

C:\Users\Admin\AppData\Local\Temp\FA53.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3500-74-0x0000000007AC0000-0x0000000008064000-memory.dmp

memory/3500-75-0x00000000075B0000-0x0000000007642000-memory.dmp

memory/3500-80-0x00000000076F0000-0x0000000007700000-memory.dmp

memory/3500-84-0x0000000007650000-0x000000000765A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3500-86-0x0000000008690000-0x0000000008CA8000-memory.dmp

memory/3500-92-0x0000000007940000-0x0000000007A4A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/3500-93-0x0000000007830000-0x0000000007842000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/3500-95-0x0000000007890000-0x00000000078CC000-memory.dmp

memory/3500-96-0x00000000078D0000-0x000000000791C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/4140-109-0x0000000000400000-0x0000000000434000-memory.dmp

\??\pipe\LOCAL\crashpad_1460_EKTFTPNSIBZLWDAM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4140-115-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4140-119-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

MD5 b18638a98ec5958fe320e16418bbd380
SHA1 bc461150a45b4e2999afe814b679f3a1f598fdef
SHA256 e603476a6c7caee8e5e4ce393c415d0a7cfa26fe006c374d0348918ecb401138
SHA512 15967803fab1a9fa068c861958961560e0b7eebc067a68545e8aac6c9986ce52906a02ad83964ce88adcb24088b6f5454bbd39ce911e402186cf591b4857ef32

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oq011dz.exe

MD5 b18638a98ec5958fe320e16418bbd380
SHA1 bc461150a45b4e2999afe814b679f3a1f598fdef
SHA256 e603476a6c7caee8e5e4ce393c415d0a7cfa26fe006c374d0348918ecb401138
SHA512 15967803fab1a9fa068c861958961560e0b7eebc067a68545e8aac6c9986ce52906a02ad83964ce88adcb24088b6f5454bbd39ce911e402186cf591b4857ef32

memory/4140-113-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2976-123-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/2976-130-0x0000000000550000-0x000000000058E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

\??\pipe\LOCAL\crashpad_4020_MFDXYXVMVXAHXYJN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2976-132-0x0000000007480000-0x0000000007490000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ba2403bca97c85b213e358a6b6894be5
SHA1 8419aa4e291a33dba0747ce76e180d0d4196ffbf
SHA256 6855c2abf9e901b701e789518f99300625d3c640f979ae4297e3ec7b13dd02d4
SHA512 de1ae379e148962ea057e7cfa45b180cb3208eea55a61da70e3bc6d9dad638b85cca3d010d20b6d7ccfa826a666e20f954d6fb1a51c2c0394aa912b89bd8a67e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5544c1263220b67652a8f7cdbcf03a4e
SHA1 45123662f641d91b11a427b3e2caf64c88b29db9
SHA256 feacb684c011f6681541d0f248665fdb6a9e9051fae44dfc1ea2a9c0af4e12ec
SHA512 edf09c08e0763134bde53c72e8edec526eb6e705e6970b5bcb70304c6592f8fe807963b64a4738015a991b0e0cdbd9c42b83a2dfc291c12249037a53218ca765

memory/3500-171-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/1236-189-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/3500-208-0x00000000076F0000-0x0000000007700000-memory.dmp

memory/1236-210-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/2976-229-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/2976-233-0x0000000007480000-0x0000000007490000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b1345b06ea187c1dc9b9cbcfb956368a
SHA1 0a90f95efeff1d18074f9d1d0073f68805bca91c
SHA256 20ff03f8e4e2427e6c755345a44c0ee14977aa522e39fcac73617312e3856380
SHA512 d89393394ffe3f412fff40d6448aa48dabca2b2062984e257cf0a3b97771ad8bdf3fd6952255cfb2d803e892ffa6960a31c86229af43dbfb2f567f80730756ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ba2403bca97c85b213e358a6b6894be5
SHA1 8419aa4e291a33dba0747ce76e180d0d4196ffbf
SHA256 6855c2abf9e901b701e789518f99300625d3c640f979ae4297e3ec7b13dd02d4
SHA512 de1ae379e148962ea057e7cfa45b180cb3208eea55a61da70e3bc6d9dad638b85cca3d010d20b6d7ccfa826a666e20f954d6fb1a51c2c0394aa912b89bd8a67e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a2bcbeb9825f31af23909543bb29581a
SHA1 e6828ee4a9ae2105f11cdb6bfd741019f8776c6f
SHA256 63397807bb7c1f8522e3184bad80c5c6382a946177b568ec3e7b05be4dc235a1
SHA512 4d51264c09728b44dd8a83cd3b12b9fde11f1c602c9b939673502c9408037ce46141d4b6b07a01ca28f6dc8f594a91cbce683fb3cfbb38659c4782038571f79a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 fd20981c7184673929dfcab50885629b
SHA1 14c2437aad662b119689008273844bac535f946c
SHA256 28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22
SHA512 b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e40b0d0f6e35802b34d7f211913e5933
SHA1 7f051857ec2fbcda5ee6b5abad032a5b4839f18c
SHA256 64907f3a717424efa3fabccb6469fd4af47abcce846f849c6d0b101839382b6d
SHA512 5f92e5b24986030450b074c41a90a67993493c374c607abbf9099a49da1d0809b73644e11451bf73356b799108ddb44524d0e6fa801e8695aaa1bf2905636325

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1415456a17c44ece53e78feea2e3bda4
SHA1 2e73ae3b507f120d3dc8812bdd8c65112c9c94fc
SHA256 c528a90fb9abc5ae5d5e388748f590593138c4c606c602e2bdbc49e4bb7172c1
SHA512 fd22635b85058eb5c45e1d746baadc78f857646c6899bb9d4a5a10cc70ed3f592add22be120d78bd069ab4793ef9110c265f18af7b34eb96b85d314c3606a2ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586a9c.TMP

MD5 6c3cb1cd43ad618db6d6baa53d696880
SHA1 c420c03c5d10575524032ff11cfc98ee9a77386d
SHA256 63aff1b12d3d47bf0a9ed89f3da63a6c196001b271c635df65ebc0737f5f3820
SHA512 58dfe5089b4781e1f16c00a4e516f00ce9b98f166608355203d5734254a0ffbb9ff25c072d0246f9203351e3c634039b5e37cd7843021c0fb674d40c9f3909b3

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\787D.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\787D.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\79E5.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\79E5.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/4088-324-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/4088-325-0x0000000000180000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86B7.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\86B7.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/932-361-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/932-362-0x00000000006C0000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/932-381-0x00000000732F0000-0x0000000073AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/5108-392-0x0000000000B90000-0x0000000000D0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/5108-394-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/932-395-0x0000000007670000-0x0000000007680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 21bdea59bbde471a4ce81250d7d17e78
SHA1 db534038a7e446ad64c47898ae9450993d1921f0
SHA256 0287fd7a007aa924a6972469c3286fd26b327c73c82f66ebf5406af14f682aa3
SHA512 3a999148a0a24ea0be98373921a7e9cd47f806400194e0ce78b7ea9dca50a21d14d14527b5a7c3bc3eeaa11e972c36ce2fa869326cb2e3a46c477f932af3abd3

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\7zS91DB.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/4088-407-0x00000000732F0000-0x0000000073AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS91DB.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/748-417-0x0000000002A60000-0x0000000002E5B000-memory.dmp

memory/4748-416-0x0000000000920000-0x0000000000929000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/4552-425-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

memory/688-434-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

memory/4056-443-0x0000000000490000-0x0000000000498000-memory.dmp

memory/5108-445-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/932-444-0x0000000000400000-0x000000000047E000-memory.dmp

memory/748-438-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/748-420-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/4552-418-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4748-415-0x00000000009B0000-0x0000000000AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

memory/932-447-0x0000000008110000-0x0000000008176000-memory.dmp

memory/3924-449-0x0000000010000000-0x000000001057B000-memory.dmp

memory/4056-461-0x00007FFDF3490000-0x00007FFDF3F51000-memory.dmp

memory/3104-463-0x0000000003800000-0x0000000003816000-memory.dmp

memory/4552-464-0x0000000000400000-0x0000000000409000-memory.dmp

memory/748-462-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4056-473-0x000000001B050000-0x000000001B060000-memory.dmp

memory/228-481-0x0000000000630000-0x0000000000631000-memory.dmp

memory/3924-482-0x0000000000050000-0x000000000073F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4016-492-0x00007FF69A740000-0x00007FF69ACE1000-memory.dmp

memory/932-493-0x00000000732F0000-0x0000000073AA0000-memory.dmp

memory/688-510-0x0000000000400000-0x0000000000413000-memory.dmp

memory/932-512-0x0000000007670000-0x0000000007680000-memory.dmp

memory/5428-515-0x0000000000400000-0x0000000000627000-memory.dmp

memory/5428-516-0x0000000000400000-0x0000000000627000-memory.dmp

memory/5428-525-0x0000000000400000-0x0000000000627000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/748-532-0x0000000002A60000-0x0000000002E5B000-memory.dmp

memory/748-534-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/5628-535-0x0000000000400000-0x0000000000627000-memory.dmp

memory/228-537-0x0000000000400000-0x00000000004CF000-memory.dmp