Malware Analysis Report

2025-08-05 16:13

Sample ID 231026-jczsdsed55
Target c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb
SHA256 c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb

Threat Level: Known bad

The file c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan

ZGRat

SmokeLoader

RedLine

Detect ZGRat V1

Amadey

Raccoon Stealer payload

Modifies Windows Defender Real-time Protection settings

DcRat

Glupteba payload

Raccoon

RedLine payload

Glupteba

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 07:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 07:32

Reported

2023-10-26 07:35

Platform

win10v2004-20231020-en

Max time kernel

53s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2D88.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F9D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F9D.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\27D6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\2F9D.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2C6E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4668 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4668 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3368 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\Temp\27D6.exe
PID 3368 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\Temp\27D6.exe
PID 3368 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\Temp\27D6.exe
PID 3368 wrote to memory of 3584 N/A N/A C:\Users\Admin\AppData\Local\Temp\28A2.exe
PID 3368 wrote to memory of 3584 N/A N/A C:\Users\Admin\AppData\Local\Temp\28A2.exe
PID 3368 wrote to memory of 3584 N/A N/A C:\Users\Admin\AppData\Local\Temp\28A2.exe
PID 1924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\27D6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe
PID 1924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\27D6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe
PID 1924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\27D6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe
PID 3368 wrote to memory of 3384 N/A N/A C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 3384 N/A N/A C:\Windows\system32\cmd.exe
PID 1616 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe
PID 1616 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe
PID 1616 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe
PID 1228 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe
PID 1228 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe
PID 1228 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe
PID 2340 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe
PID 2340 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe
PID 2340 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe
PID 3368 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B73.exe
PID 3368 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B73.exe
PID 3368 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B73.exe
PID 4936 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe
PID 4936 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe
PID 4936 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe
PID 3368 wrote to memory of 4408 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C6E.exe
PID 3368 wrote to memory of 4408 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C6E.exe
PID 3368 wrote to memory of 4408 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C6E.exe
PID 3368 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D88.exe
PID 3368 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D88.exe
PID 3368 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D88.exe
PID 3368 wrote to memory of 412 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F9D.exe
PID 3368 wrote to memory of 412 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F9D.exe
PID 3368 wrote to memory of 412 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F9D.exe
PID 3384 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1908 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2D88.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1908 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2D88.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1908 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2D88.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1608 wrote to memory of 4860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1608 wrote to memory of 4860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2628 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1608 wrote to memory of 2116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1608 wrote to memory of 2116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1608 wrote to memory of 2116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe

"C:\Users\Admin\AppData\Local\Temp\c19a3e1c0b9ed1a58076744631ceb5749d92534c07622cc5ccfb27dcbef789cb.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\27D6.exe

C:\Users\Admin\AppData\Local\Temp\27D6.exe

C:\Users\Admin\AppData\Local\Temp\28A2.exe

C:\Users\Admin\AppData\Local\Temp\28A2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29EB.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe

C:\Users\Admin\AppData\Local\Temp\2B73.exe

C:\Users\Admin\AppData\Local\Temp\2B73.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe

C:\Users\Admin\AppData\Local\Temp\2C6E.exe

C:\Users\Admin\AppData\Local\Temp\2C6E.exe

C:\Users\Admin\AppData\Local\Temp\2D88.exe

C:\Users\Admin\AppData\Local\Temp\2D88.exe

C:\Users\Admin\AppData\Local\Temp\2F9D.exe

C:\Users\Admin\AppData\Local\Temp\2F9D.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdff0646f8,0x7ffdff064708,0x7ffdff064718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdff0646f8,0x7ffdff064708,0x7ffdff064718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mC554pi.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mC554pi.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1492248211933193761,1969952402393657360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7D31.exe

C:\Users\Admin\AppData\Local\Temp\7D31.exe

C:\Users\Admin\AppData\Local\Temp\7F16.exe

C:\Users\Admin\AppData\Local\Temp\7F16.exe

C:\Users\Admin\AppData\Local\Temp\8215.exe

C:\Users\Admin\AppData\Local\Temp\8215.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8C4D.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 748 -ip 748

C:\Users\Admin\AppData\Local\Temp\A667.exe

C:\Users\Admin\AppData\Local\Temp\A667.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 784

C:\Users\Admin\AppData\Local\Temp\7zS8D85.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-VFVA5.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VFVA5.tmp\LzmwAqmV.tmp" /SL5="$9020C,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gemOYjJUN" /SC once /ST 06:46:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 572

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gemOYjJUN"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.97.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1560-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1560-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1560-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3368-2-0x0000000001320000-0x0000000001336000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27D6.exe

MD5 243c194b95d6a478d5b2fb82b4629905
SHA1 671234b506065d632e7b0157b7e2b277862db327
SHA256 2c8961065cc35efdf1210c5d124e42278c8ffe1be7a659837bbb3cbd7abcddf6
SHA512 9a0ff35e521477ccaa3f053caff2164033bbbb2a45452250531281a423104b3a3da979e7110f6e3bd7de3dbdf20cd4d2ccda56b95c8ac305a7c221e1394a0546

C:\Users\Admin\AppData\Local\Temp\27D6.exe

MD5 243c194b95d6a478d5b2fb82b4629905
SHA1 671234b506065d632e7b0157b7e2b277862db327
SHA256 2c8961065cc35efdf1210c5d124e42278c8ffe1be7a659837bbb3cbd7abcddf6
SHA512 9a0ff35e521477ccaa3f053caff2164033bbbb2a45452250531281a423104b3a3da979e7110f6e3bd7de3dbdf20cd4d2ccda56b95c8ac305a7c221e1394a0546

C:\Users\Admin\AppData\Local\Temp\28A2.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\28A2.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe

MD5 760c752a5ef580d8fc62dd24e4f6aa74
SHA1 0c827682ab6ebd55fc066258d24cad3b7e71b1a2
SHA256 b8e643a439076f33106f79c1c21206a245b58121ad51a05b6390a632c8295387
SHA512 2af47691b691df307a1408232ad0d3ea12a4135ec670cceacb09ca6d3fa99b0cc8d543f31b096749401d2c3bc9c2d64c2c167f138b3b526f7fe0efa7faab99db

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xB9lM8LC.exe

MD5 760c752a5ef580d8fc62dd24e4f6aa74
SHA1 0c827682ab6ebd55fc066258d24cad3b7e71b1a2
SHA256 b8e643a439076f33106f79c1c21206a245b58121ad51a05b6390a632c8295387
SHA512 2af47691b691df307a1408232ad0d3ea12a4135ec670cceacb09ca6d3fa99b0cc8d543f31b096749401d2c3bc9c2d64c2c167f138b3b526f7fe0efa7faab99db

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe

MD5 f5537ed441b9bf5cee2a9d565b8ee496
SHA1 e02a5129f8c9164797c592a0865293664d57b304
SHA256 892762346bf10f262c9c0f2599d240705df2534fcc5a22dd569ee95c10eeb53c
SHA512 f5dd6ab9bb00ccbbc74d47deab752927592c6a59d95d9e415da5da44bbbedf17e730e55de03530ee2bcc0a631cef5d71ce8e5ee3d9237f19445d5c565f96e28a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gw2OP2Pr.exe

MD5 f5537ed441b9bf5cee2a9d565b8ee496
SHA1 e02a5129f8c9164797c592a0865293664d57b304
SHA256 892762346bf10f262c9c0f2599d240705df2534fcc5a22dd569ee95c10eeb53c
SHA512 f5dd6ab9bb00ccbbc74d47deab752927592c6a59d95d9e415da5da44bbbedf17e730e55de03530ee2bcc0a631cef5d71ce8e5ee3d9237f19445d5c565f96e28a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe

MD5 3349e97c0c1709f6e27e441301ae6900
SHA1 84fd62023063013a149edfabbc62d6f04bd8b60b
SHA256 5ea7c6418cd052c8f43f271e7b1de5e3532ad9a7a41f406cc41f4cf29131ac53
SHA512 3790916a32208930711adb06d22f29dd54d844ca6fb295fc1337bb4703fd8ee6bb889ec440d4e90dd8c8e3f1de77bb75d78182792eb68fa8f6580d5fa58f042c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV2bb5MF.exe

MD5 3349e97c0c1709f6e27e441301ae6900
SHA1 84fd62023063013a149edfabbc62d6f04bd8b60b
SHA256 5ea7c6418cd052c8f43f271e7b1de5e3532ad9a7a41f406cc41f4cf29131ac53
SHA512 3790916a32208930711adb06d22f29dd54d844ca6fb295fc1337bb4703fd8ee6bb889ec440d4e90dd8c8e3f1de77bb75d78182792eb68fa8f6580d5fa58f042c

C:\Users\Admin\AppData\Local\Temp\29EB.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe

MD5 bba21633dcd2c169508f29c4e8bbe868
SHA1 2c1c21b24fe1579009d0db40cb8fe008a381044b
SHA256 d08221f8a77c6ed3649c3bcdc4f3ca7221d8435be432176d579d09b1016352ac
SHA512 e6ca6bbb3827fbf90097fd0adaf34de2b587266560cd7a87a0fdfb42a2248e7739ed88f9b1f4746fc665e2a39273c327ac020f9b4e4e253e72e7cbf7550ff56e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cX4nB8VH.exe

MD5 bba21633dcd2c169508f29c4e8bbe868
SHA1 2c1c21b24fe1579009d0db40cb8fe008a381044b
SHA256 d08221f8a77c6ed3649c3bcdc4f3ca7221d8435be432176d579d09b1016352ac
SHA512 e6ca6bbb3827fbf90097fd0adaf34de2b587266560cd7a87a0fdfb42a2248e7739ed88f9b1f4746fc665e2a39273c327ac020f9b4e4e253e72e7cbf7550ff56e

C:\Users\Admin\AppData\Local\Temp\2B73.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe

MD5 5c7d917190475d2c727a6741e13fabd4
SHA1 60f8dfb033c57f7f9ea88cb4999bdd3d6d97a1f8
SHA256 f62d072a41e17798a89de5eff7d4b299f274f5ea1cb73880e927e477ef7fdefd
SHA512 2ef055ab8bd0021e8e311646562ae0f2800c7e44ff71af78cfb86bb48a34245a5e5d9f362b4c4cfcdf4fa9fc845179dc6d3e82587f206aa1886bc962f6a143e1

C:\Users\Admin\AppData\Local\Temp\2C6E.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\2C6E.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sa21TC5.exe

MD5 5c7d917190475d2c727a6741e13fabd4
SHA1 60f8dfb033c57f7f9ea88cb4999bdd3d6d97a1f8
SHA256 f62d072a41e17798a89de5eff7d4b299f274f5ea1cb73880e927e477ef7fdefd
SHA512 2ef055ab8bd0021e8e311646562ae0f2800c7e44ff71af78cfb86bb48a34245a5e5d9f362b4c4cfcdf4fa9fc845179dc6d3e82587f206aa1886bc962f6a143e1

C:\Users\Admin\AppData\Local\Temp\2B73.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

memory/4288-64-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/4408-65-0x0000000000D80000-0x0000000000D8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4288-71-0x0000000000BA0000-0x0000000000BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D88.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\2D88.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4408-68-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/4288-74-0x0000000007E40000-0x00000000083E4000-memory.dmp

memory/4288-78-0x0000000007930000-0x00000000079C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F9D.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4288-86-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

memory/4288-88-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F9D.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/4288-93-0x00000000083F0000-0x00000000084FA000-memory.dmp

memory/412-95-0x0000000000580000-0x00000000005DA000-memory.dmp

memory/4288-94-0x0000000007B90000-0x0000000007BA2000-memory.dmp

memory/4288-96-0x0000000007C10000-0x0000000007C4C000-memory.dmp

memory/412-92-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4288-101-0x0000000007C50000-0x0000000007C9C000-memory.dmp

memory/4288-91-0x0000000008A10000-0x0000000009028000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

memory/412-107-0x00000000739C0000-0x0000000074170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F9D.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\2F9D.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

\??\pipe\LOCAL\crashpad_1608_BUOHTORAIWNBPKUD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3bd25e5f2cbb72792d7a9be33dd4cb79
SHA1 3d0f1baa39129a20165845870f69913a8e012500
SHA256 7af71a3fdef87fee4ba8434e4819ada3d369190c2bd45f725cebf85da85eb8c1
SHA512 76ad087e4c4b02c8a699fd25bf425a1136136d0047bc837646ecd144294fd7f086cead5e8496f74549712b9039df601113e3b39f60fca6bce9ea7b5884cd46a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

memory/412-142-0x0000000000400000-0x000000000047E000-memory.dmp

memory/412-143-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/1852-165-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1852-164-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1852-163-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1852-167-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mC554pi.exe

MD5 99e8ae33d04a77da9b9a253c345b93a2
SHA1 b453e5de6a832ce7d021281e2c1991a59559a822
SHA256 23a84928ea7841036bede9e468bddcfb3ff64403731bde9f33500e44d5209736
SHA512 ea608cfc086c39a9ccc2bef56dd02cdbc39664a224b827aa4ca913bc0131479a633c8268038ac56e1aa2851ee5a7d269ace66d97c995e9a8ab3077c2aff58074

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mC554pi.exe

MD5 99e8ae33d04a77da9b9a253c345b93a2
SHA1 b453e5de6a832ce7d021281e2c1991a59559a822
SHA256 23a84928ea7841036bede9e468bddcfb3ff64403731bde9f33500e44d5209736
SHA512 ea608cfc086c39a9ccc2bef56dd02cdbc39664a224b827aa4ca913bc0131479a633c8268038ac56e1aa2851ee5a7d269ace66d97c995e9a8ab3077c2aff58074

memory/4288-173-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/4408-175-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/2512-174-0x0000000000470000-0x00000000004AE000-memory.dmp

memory/2512-176-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/2512-177-0x00000000073D0000-0x00000000073E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4288-181-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

memory/4408-188-0x00000000739C0000-0x0000000074170000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 30902b9793e4951582eae422576e5767
SHA1 c663e1ebb2b9df247cb4458f2f6d9eef776d3913
SHA256 4872ac186feb973fe7b9256a8524382006143422d88b23e0a8108e344f551888
SHA512 06533c8435b3a04e1e3b64dbba49a95382fe48459cbd06e57e3f5bbc6f5b2097457aaa26030a42a3208f9048f6e98b66badabbf6422fa1d32a9305af0f1a82b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3d54773d94989880aedad1845ee943dc
SHA1 3ce5ba9e117e1791c86df8d9f3b687798e82d757
SHA256 970fdcc22a5fad117ef767c51f84616d3ae0225377bda3685558c2828b1c06c0
SHA512 75da818eb106a56e3937deb7f6de0473a5baeeface543ae6a56a608be99da5c2673bbc0d3d292c162e247b4093d016cad370ee9835619c256dc22e8164d14c94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8f8ef6a-b55b-45b6-bf36-e49cea6c980a.tmp

MD5 e05436aebb117e9919978ca32bbcefd9
SHA1 97b2af055317952ce42308ea69b82301320eb962
SHA256 cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f
SHA512 11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

memory/2512-267-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/2512-268-0x00000000073D0000-0x00000000073E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\7D31.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

C:\Users\Admin\AppData\Local\Temp\7D31.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

memory/3672-278-0x00000000739C0000-0x0000000074170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F16.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\7F16.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\8215.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/3672-286-0x0000000000220000-0x0000000001358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8215.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/748-289-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

memory/748-294-0x0000000000550000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/748-306-0x00000000739C0000-0x0000000074170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2552-321-0x0000000000620000-0x0000000000629000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/5172-328-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

memory/5172-339-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4D.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5260-346-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4D.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5260-350-0x00007FFDFAB60000-0x00007FFDFB621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/2552-320-0x0000000000840000-0x0000000000940000-memory.dmp

memory/3672-353-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/5260-354-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3368-358-0x0000000003340000-0x0000000003356000-memory.dmp

memory/5172-362-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8215.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\8215.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/1852-357-0x00000000029B0000-0x0000000002DAD000-memory.dmp

memory/3672-378-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/1852-381-0x0000000002DB0000-0x000000000369B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A667.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\A667.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/1852-383-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5512-384-0x0000000000E90000-0x0000000001270000-memory.dmp

memory/5512-386-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/5512-385-0x0000000005B00000-0x0000000005B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ad1317ac5132e14f2a464bd29eadb28c
SHA1 4deb1aa9ef0b8660f43acc34b50e08b32fba2397
SHA256 85022d83aa983a96333190fd38618d1f682643e07dd657b86e57b8714c919dc0
SHA512 a4141a0b9cfba246e5fb34376e43011993e92a98fe358e7fff7fa8217d73c969dee5e561cf143753e6651d689878f8eb22868b160cfd3f3a2807a80b460cc8eb

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 b81b2eb3482efa33317c20415beaf6a4
SHA1 34711c1bad47eb6b94c242473de396eb9362543e
SHA256 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc
SHA512 e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b

memory/748-417-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/1852-416-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/748-407-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5756-419-0x0000000000E80000-0x000000000156F000-memory.dmp

memory/5852-421-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5260-425-0x00007FFDFAB60000-0x00007FFDFB621000-memory.dmp

memory/5372-441-0x00007FF790F30000-0x00007FF7914D1000-memory.dmp

memory/5756-427-0x0000000010000000-0x000000001057B000-memory.dmp

memory/5900-443-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/1852-486-0x00000000029B0000-0x0000000002DAD000-memory.dmp

memory/3016-490-0x0000000000400000-0x0000000000636000-memory.dmp

memory/3016-492-0x0000000000400000-0x0000000000636000-memory.dmp

memory/1852-493-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5512-494-0x00000000739C0000-0x0000000074170000-memory.dmp

memory/5512-495-0x0000000003490000-0x000000000349A000-memory.dmp

memory/5512-497-0x00000000034B0000-0x00000000034B8000-memory.dmp

memory/5480-499-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5756-500-0x0000000000E80000-0x000000000156F000-memory.dmp

memory/5480-501-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5512-502-0x0000000005D10000-0x0000000005EA2000-memory.dmp

memory/5512-508-0x00000000059E0000-0x00000000059F0000-memory.dmp

memory/5852-507-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4408-515-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4408-521-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4408-525-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1852-526-0x0000000000400000-0x0000000000D1B000-memory.dmp