Malware Analysis Report

2025-08-05 16:12

Sample ID: 231026-hhgy4aef9v
Target: 7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740
SHA256: 7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740
Tags: amadey glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper infostealer loader persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740

Threat Level: Known bad

The file 7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740 was found to be: Known bad.

Malicious Activity Summary

amadey glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper infostealer loader persistence rat stealer trojan

Glupteba payload
Raccoon
Glupteba
Detect ZGRat V1
RedLine
SmokeLoader
Amadey
Raccoon Stealer payload
ZGRat
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-26 06:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-26 06:44
Reported: 2023-10-26 06:46
Platform: win10v2004-20231023-en
Max time kernel: 25s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x3)

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x4)

Raccoon

stealer raccoon

Raccoon Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x3)

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x10)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR5ot0LB.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EL3Gf8Ht.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pL8hL7vd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\392C.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt1pL6UD.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4312 set thread context of 416 | N/A | C:\Users\Admin\AppData\Local\Temp\7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (x2)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A (x2)
N/A | N/A | N/A | N/A (x62)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4312 wrote to memory of 416 | N/A | C:\Users\Admin\AppData\Local\Temp\7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x6)
PID 3140 wrote to memory of 3752 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\392C.exe (x3)
PID 3140 wrote to memory of 3352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A65.exe (x3)
PID 3752 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\392C.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt1pL6UD.exe (x3)
PID 3140 wrote to memory of 4924 | N/A | N/A | C:\Windows\system32\cmd.exe (x2)
PID 4816 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt1pL6UD.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR5ot0LB.exe (x3)
PID 3140 wrote to memory of 4512 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3D36.exe (x3)
PID 3140 wrote to memory of 3384 | N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x3)
PID 396 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR5ot0LB.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EL3Gf8Ht.exe (x3)
PID 1664 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EL3Gf8Ht.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pL8hL7vd.exe (x3)
PID 3140 wrote to memory of 376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4036.exe (x3)
PID 3836 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pL8hL7vd.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bo89kW9.exe (x3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740.exe

"C:\Users\Admin\AppData\Local\Temp\7420519f03289753010d4519dc6b532d66d1a2ffb67be547166b0220b97b0740.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\392C.exe

C:\Users\Admin\AppData\Local\Temp\392C.exe

C:\Users\Admin\AppData\Local\Temp\3A65.exe

C:\Users\Admin\AppData\Local\Temp\3A65.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt1pL6UD.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt1pL6UD.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3C2B.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR5ot0LB.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR5ot0LB.exe

C:\Users\Admin\AppData\Local\Temp\3D36.exe

C:\Users\Admin\AppData\Local\Temp\3D36.exe

C:\Users\Admin\AppData\Local\Temp\3E41.exe

C:\Users\Admin\AppData\Local\Temp\3E41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EL3Gf8Ht.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EL3Gf8Ht.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pL8hL7vd.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pL8hL7vd.exe

C:\Users\Admin\AppData\Local\Temp\4036.exe

C:\Users\Admin\AppData\Local\Temp\4036.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bo89kW9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bo89kW9.exe

C:\Users\Admin\AppData\Local\Temp\43D0.exe

C:\Users\Admin\AppData\Local\Temp\43D0.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8589646f8,0x7ff858964708,0x7ff858964718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8589646f8,0x7ff858964708,0x7ff858964718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,5372156613423507624,1404334850117047772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf772Ql.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf772Ql.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\A308.exe

C:\Users\Admin\AppData\Local\Temp\A308.exe

C:\Users\Admin\AppData\Local\Temp\A5D8.exe

C:\Users\Admin\AppData\Local\Temp\A5D8.exe

C:\Users\Admin\AppData\Local\Temp\A760.exe

C:\Users\Admin\AppData\Local\Temp\A760.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\B6C2.exe

C:\Users\Admin\AppData\Local\Temp\B6C2.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\7zSBD40.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\7zSC0EA.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-31HEJ.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-31HEJ.tmp\LzmwAqmV.tmp" /SL5="$1501F4,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,10290167011904632601,3193869860417481135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5340 -ip 5340

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 572

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "grwhtXRMW" /SC once /ST 00:51:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "grwhtXRMW"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\27DC.exe

C:\Users\Admin\AppData\Local\Temp\27DC.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp
FI | 77.91.68.249:80 | 77.91.68.249 | tcp
US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp
RU | 193.233.255.73:80 | 193.233.255.73 | tcp
US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp
RU | 5.42.65.80:80 | 5.42.65.80 | tcp
US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp
FI | 77.91.124.1:80 | 77.91.124.1 | tcp
FI | 77.91.124.86:19084 | | tcp
BG | 171.22.28.239:42359 | | tcp
US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 239.28.22.171.in-addr.arpa | udp
US | 8.8.8.8:53 | www.facebook.com | udp
NL | 157.240.201.35:443 | www.facebook.com | tcp
US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | static.xx.fbcdn.net | udp
IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp (x6)
US | 8.8.8.8:53 | accounts.google.com | udp
NL | 142.250.179.141:443 | accounts.google.com | tcp
NL | 142.250.179.141:443 | accounts.google.com | udp
US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp
US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
FI | 77.91.124.86:19084 | | tcp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
NL | 81.161.229.93:80 | 81.161.229.93 | tcp
US | 8.8.8.8:53 | 93.229.161.81.in-addr.arpa | udp
US | 8.8.8.8:53 | facebook.com | udp
IE | 163.70.151.35:443 | facebook.com | tcp
US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp
US | 8.8.8.8:53 | play.google.com | udp
NL | 142.251.36.14:443 | play.google.com | tcp
FI | 77.91.124.71:4341 | | tcp
US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp
NL | 142.251.36.14:443 | play.google.com | udp
RU | 85.209.11.85:41140 | | tcp
BG | 171.22.28.213:80 | 171.22.28.213 | tcp
US | 8.8.8.8:53 | 85.11.209.85.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp
FI | 77.91.124.86:19084 | | tcp
US | 8.8.8.8:53 | iplogger.com | udp
DE | 148.251.234.93:443 | iplogger.com | tcp
US | 8.8.8.8:53 | fbcdn.net | udp
IE | 163.70.151.35:443 | fbcdn.net | tcp
US | 8.8.8.8:53 | stim.graspalace.com | udp
US | 188.114.96.0:80 | stim.graspalace.com | tcp
US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | fbsbx.com | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.86:19084 | | tcp
FI | 77.91.124.1:80 | 77.91.124.1 | tcp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
FI | 77.91.124.86:19084 | | tcp

Files

memory/416-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/416-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3140-2-0x0000000002350000-0x0000000002366000-memory.dmp

memory/416-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\392C.exe

MD5 2e1dcd2cbf1f34de9fa2e493352552cb
SHA1 5adcda94cf4e04664cd4c74df6077d16f7a26ee8
SHA256 64da6b84f2b0efe6bd14e9ed41e91994aa2fc25ebf3a567f9771e1ff04004ae5
SHA512 40c856366fbed6f9f518e05c17a65cf13a53b62c70e25e78b0cd26601f9b9a0baf4afcfbdadaa789317cfb93fdfeae40fa320cadb5e9e6060d8472c1d486bc7b

C:\Users\Admin\AppData\Local\Temp\3A65.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt1pL6UD.exe

MD5 92d9b65805fb7aeb64e3f657193159ea
SHA1 6f88f0c99166fdd593aa1a634866afd551817f11
SHA256 1f5c02d5480c0ecf95765dc3bad78b4e54d063826ea5bba1360a913dbea2d6ab
SHA512 99b8b6cb29a66c744b50798e7e602b7afe2b0e63cb423eab59a616db6c2cd1211d38d9586fac093c20817d941385891277a926e07e5f2738b8b9a98bf933a4f6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR5ot0LB.exe

MD5 94441c2eafbc3e8c643723fb34274701
SHA1 202fe136c4f8f456803ad6a5b56d635a09b55f2c
SHA256 331f1cd5316a99be7f693662a6339f505310911dc50b3f93d061f5a1ebdcd54a
SHA512 f81c921b099c2827400807f3545540ae1be680ecd28b9898a6864ab550daee52d18f213f46ab8cf1de9ff0128fe0bc3109dc045328ab332126367e0f2408cbac

C:\Users\Admin\AppData\Local\Temp\3D36.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\3E41.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EL3Gf8Ht.exe

MD5 5e6b6c544c3762d92861950212913aa2
SHA1 db4f2ad8af60e34d247eda45eb689535b8613de9
SHA256 e3eb3a48fd1ba8a9dbcaebd67c205dc7fdaa7844683ddc9fbf96baba85d87fc3
SHA512 cf5f8d6ff37b5c6f82e03a6a23a41a858d46904b6977ad05ead606475abce6400dbb9ef9d18cd32bbbff59c74c821ee271bddec937dca8546fc860d11aa4d3dd

C:\Users\Admin\AppData\Local\Temp\3C2B.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pL8hL7vd.exe

MD5 0645d3126b01a90667a08b50a1bd9ce0
SHA1 7f074d2d1e216d7cae10671a35668d3054f933f0
SHA256 5a163dea4b53144fb76581bcae31430e8b23d65da34334525541bf9226e76450
SHA512 420804aa1a0ab570e6194db46ccaeba85b8af0bd132b5b0487408712476500e990eb3758a70e0c0dde44fb4c55897789f14e1d677f97aa893115acf4ce86fc08

C:\Users\Admin\AppData\Local\Temp\4036.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bo89kW9.exe

MD5 d570018dce2226f2c40ad2b77c67658b
SHA1 635bcc01d7da55e182b382910ac7d98abec4de77
SHA256 34e0b8d5423178509c6dd472f8bfe63ada8eb31468fb9d2bc56a690ee6dafcf1
SHA512 984071f075617f7caabaf92d47a4cc9c305c8801e2ecee189841ca28ab7bbcea8b18ce63cdde19d88f5c0e1ac2f63c10996acb63494acec0537464ef1dd4efc0

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3384-71-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/4512-72-0x0000000000C50000-0x0000000000C8E000-memory.dmp

memory/3384-69-0x00000000001D0000-0x00000000001DA000-memory.dmp

memory/4512-73-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/4512-76-0x0000000008170000-0x0000000008714000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\43D0.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/4512-79-0x0000000007BC0000-0x0000000007C52000-memory.dmp

memory/4512-89-0x0000000005810000-0x0000000005820000-memory.dmp

memory/4512-90-0x0000000005790000-0x000000000579A000-memory.dmp

memory/4512-92-0x0000000008D40000-0x0000000009358000-memory.dmp

memory/2908-93-0x0000000000480000-0x00000000004DA000-memory.dmp

memory/4512-95-0x0000000007F40000-0x000000000804A000-memory.dmp

memory/4512-98-0x0000000007CA0000-0x0000000007CB2000-memory.dmp

memory/4512-99-0x0000000007E30000-0x0000000007E6C000-memory.dmp

memory/2908-91-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2908-100-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/4512-101-0x0000000007CD0000-0x0000000007D1C000-memory.dmp

memory/2908-102-0x00000000076B0000-0x00000000076C0000-memory.dmp

memory/2908-109-0x0000000008110000-0x0000000008176000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6276613a51dae3b747451bc05e24edfa
SHA1 96ff591013fc8d378a9b37ea580d8ec6e98bbde5
SHA256 d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0
SHA512 dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

memory/3384-110-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/4512-111-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3384-113-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/4512-131-0x0000000005810000-0x0000000005820000-memory.dmp

\??\pipe\LOCAL\crashpad_2676_TIIUHNUKETIXLZGQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 679d3371c59fca268f5811587d2e92a5
SHA1 cfb2c43c86712faca816272a59ef24ea2b89b4fe
SHA256 c508cbc5dcfbe0528e2948240e30aea92a524d0c8e144ce55a665d794db667a9
SHA512 d82f0ff984cbc9e12524ca3884e6739e390a039cf52979f9e6311570cb809cff67758d8bca430e2b8084b7db186a8a1fd25a227beb3236eaab9147944c9451de

memory/2908-149-0x00000000088B0000-0x0000000008900000-memory.dmp

memory/2908-150-0x0000000008920000-0x0000000008996000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 66330941b8ee5481747b6f85220848db
SHA1 c5e59b580d370c807dd491c0f85cc792d330d923
SHA256 0006860ae7c3f1832ee7466288340346eccef67bea323af5d64e8a47a6c75cb7
SHA512 dfb7047899ca18bb2da052f5780b4de5f2921bc3adcb2543a7627a835b074f2a570cc0db7a461824eda32a299ffcaa6414e9461e687e9099fdb1754f67d45409

memory/2908-174-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2908-187-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/2908-196-0x00000000076B0000-0x00000000076C0000-memory.dmp

memory/2908-197-0x0000000008B10000-0x0000000008CD2000-memory.dmp

\??\pipe\LOCAL\crashpad_2432_VVXDXYIJHCVFIWDY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2908-202-0x0000000008CF0000-0x000000000921C000-memory.dmp

memory/4584-203-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4584-204-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4584-205-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2908-207-0x0000000009330000-0x000000000934E000-memory.dmp

memory/4584-208-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tf772Ql.exe

MD5 803e5b1ef915e60eafb6d54251a72d9b
SHA1 c74a22688dd1d4d14c977b1d9111ebb72cf41b65
SHA256 131566dfdf34894b53f23a7105ff3581c9ebb53d899ec2efeb99845087411886
SHA512 26d415dd96db414437dce600b4e8e678e21603d670f63507f07033ee7e3e440b560e73cd6192c668fa62ab89628b3d5d01a72d5359012bbbac55138b5cbeeafc

memory/3604-212-0x0000000000980000-0x00000000009BE000-memory.dmp

memory/3604-213-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3604-214-0x00000000076C0000-0x00000000076D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 91e462cb8f3b1c004725157594f02d2a
SHA1 1899a4a1447597c9d567a2f213fb870402f2acff
SHA256 e44cbd73f3d2b69cf7ac6c03e8c43833f478411669e4b89c07e5502a6be4969c
SHA512 cad94563606c8e3bbddd04a4560d4de3a64d4eb5a958f3ed4ab53a59466b5e93cc533e1233150c4839af363f15631e67a707c2f3304d5b2344148fece3ab144a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3ba7d2b4c8950d779614032218496fd9
SHA1 11ad22881e2ac54acc2b4260aadd7441c3d0ca60
SHA256 179d9f8938b5501ffad332c4403bc97f55387f7fa89dd95741d355cfadcb563f
SHA512 e2d237ca5548368a0939d3b31e83a5df4d9453177ee9aa0f4ac8ab8aad33b667dfa92c9be286c5c2c5b65ef14a7c052fe4c0275822a1cd076722ffee7fbf8f8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 f1881400134252667af6731236741098
SHA1 6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458
SHA256 d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75
SHA512 18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

C:\Users\Admin\AppData\Local\Temp\A308.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

C:\Users\Admin\AppData\Local\Temp\A5D8.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\A760.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/3644-254-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3644-263-0x0000000000170000-0x00000000012A8000-memory.dmp

memory/3468-264-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3468-265-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/3468-270-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3468-271-0x0000000004A60000-0x0000000004A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/3604-288-0x0000000073EA0000-0x0000000074650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6C2.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/228-306-0x0000000000A30000-0x0000000000E10000-memory.dmp

memory/4780-308-0x0000000000400000-0x0000000000409000-memory.dmp

memory/228-305-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/228-309-0x0000000005690000-0x000000000572C000-memory.dmp

memory/5332-334-0x0000000000C10000-0x0000000000C18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0a3e55e5ddffc814e611925cf291f528
SHA1 1e42d1dd94b7da98f47b17dc6be6d326af9ca8fe
SHA256 3f89c763987c2b1b6be42ad5581a14dd7822702a6712509229dbe5cf1c6770db
SHA512 12abe87c4646798b4fd64e7c89351b8f46e5d7f9820ee8adce2716da6ffad00802d12867431bbfb5836962b454d61abe1952e4be34dde6a9c51ec7929569fc27

memory/4780-304-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSBD40.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/5332-339-0x00007FF8553C0000-0x00007FF855E81000-memory.dmp

memory/5332-342-0x000000001B870000-0x000000001B880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3604-295-0x00000000076C0000-0x00000000076D0000-memory.dmp

memory/3644-348-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3924-292-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/3924-290-0x0000000000660000-0x0000000000669000-memory.dmp

memory/3468-350-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1508-361-0x0000000002B00000-0x0000000002F07000-memory.dmp

memory/1508-364-0x0000000002F10000-0x00000000037FB000-memory.dmp

memory/3468-365-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/1508-378-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3468-381-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/4780-377-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5600-395-0x0000000000430000-0x0000000000B1F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d66387d40a10b30cf9e324a2b6acab52
SHA1 55755d41dd37e411757fd994d4e6c67573c5b3b0
SHA256 549ec0f3e70257b3fdb13212591666312d90f42ca039dfc5e229823594975ad4
SHA512 bde6d80b94c8afb6cad15e6ee17825e44b0b3f326c27dc73970240126341a9977f239d75abda6bf125d3163c63068a0791788b2088634d3a420acf75356178bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d00d.TMP

MD5 4863837054379cc49bc51f4f6c3ff904
SHA1 38d848e3554d46ff27fecbf9bc17d088ac84df9b
SHA256 8a60e8222e7f9df0d2e248ef5db3768648f3442a7ece6bbf737b66a44bcfbdb9
SHA512 9fb14d502c02372eb3a71095d1271bd58ca76994457cc0b47f6a292f8d2068026e3b60d096d91abd1bad834e5f7b91a974e2b2d5d39ab40fb65e583e4b5fec36

memory/3140-366-0x0000000002D00000-0x0000000002D16000-memory.dmp

memory/2908-396-0x0000000073EA0000-0x0000000074650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 9f7dfb92ef279114a1cb932017759242
SHA1 218ac21b877601321e4f5465ae5d3cda9fb97953
SHA256 6df35dde535b3b64d04ee248ce64ee77c00ad0412c4b7e59267c7f913960a6b4
SHA512 1631d8363e79b6284d743b8467367f0969a04bd6c136c25985f6098fc7a74d3dbedc8199ffb0b8c461d00d791dea31fa7d503c0cba1361444d3058f482156f32

memory/5888-406-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5888-411-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5332-410-0x00007FF8553C0000-0x00007FF855E81000-memory.dmp

memory/228-408-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/5600-426-0x0000000010000000-0x000000001057B000-memory.dmp

memory/1508-416-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5936-434-0x0000000002200000-0x0000000002201000-memory.dmp

memory/228-433-0x0000000003050000-0x000000000305A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5472-452-0x00007FF7232F0000-0x00007FF723891000-memory.dmp

memory/5340-478-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5340-510-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2780-513-0x0000000000400000-0x0000000000636000-memory.dmp

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 46e6bb577ceb65806ef24e900abf04a0
SHA1 947f8ac53bbc779a51a48f5e7d9634720105b689
SHA256 b9763b0e13159d7ddedcd2ae757e9557a6f1d8081b2646ae4d9bebe845f9c451
SHA512 be03e8f7f4e2759022e0bbbf02c93fe4343f2f603c83b8e46e8387371de6a0d38221ea37b480f3e2135af3077e96f8c515b04d99aa4cd215e8db32c467513e4b

memory/5340-496-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5888-521-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5936-523-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fbdaf22eda6ae420abe9248cfd415c59
SHA1 c79ca6c1487362ed7cdcab35615b7451f287d15c
SHA256 1470fcb49672d43d58bff480ad0f5edcfb505882205a1d32ae5de431b6a78f28
SHA512 41b6f28a9fd673d46b270fc550d8096cc085a81f887d2070de30534a20b7ca77548d96c4c61ae829c7edcb019df042a8e21b374ecb3155c2621306b88e303238

memory/1508-524-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 510f3bb3ed2f5def33e38deb0b134aa5
SHA1 5afd0bb795d390d07e8ecea4534095f4051e5c2f
SHA256 c57d3a6d52d706697844f158450661b2808de584c3a26b5920974b5a32dbff65
SHA512 c49917a53bbae8d5c217cd796977b234f8bbff879d6fcd8bfee89b070327dbc5e12bab354d598f7fc0985604a31aca1c1d63c00133c56e4fa9a377ca7f0a7aa1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aekn23rj.naq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4140-585-0x0000000000400000-0x0000000000636000-memory.dmp

memory/1508-623-0x0000000000400000-0x0000000000D1B000-memory.dmp