Malware Analysis Report

2025-06-16 05:06

Sample ID 230529-arf46agh84
Target d30e54f53559860093096109d25ecabb.exe
SHA256 361ed549476b6ec80f9c95564cc7e3979a8e5d31f8f95eb4c71c46800f0bf327
Tags
gcleaner netsupport discovery loader rat redline smokeloader vidar 0019 backdoor collection evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

361ed549476b6ec80f9c95564cc7e3979a8e5d31f8f95eb4c71c46800f0bf327

Threat Level: Known bad

The file d30e54f53559860093096109d25ecabb.exe was found to be: Known bad.

Malicious Activity Summary

gcleaner netsupport discovery loader rat redline smokeloader vidar 0019 backdoor collection evasion infostealer persistence spyware stealer trojan

RedLine payload

GCleaner

NetSupport

SmokeLoader

RedLine

Vidar

Blocklisted process makes network request

Modifies Windows Firewall

Drops file in Drivers directory

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of UnmapMainImage

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

outlook_office_path

Uses Task Scheduler COM API

Modifies registry key

outlook_win_path

Delays execution with timeout.exe

Gathers system information

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Runs net.exe

Kills process with taskkill

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Gathers network information

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates processes with tasklist

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-29 00:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-29 00:26

Reported

2023-05-29 00:29

Platform

win7-20230220-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe"

Signatures

GCleaner

loader gcleaner

NetSupport

rat netsupport

Downloads MZ/PE file

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-H2JTD.tmp C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-R5J4N.tmp C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\ODISSDK.dll C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-S342O.tmp C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-O0TIQ.tmp C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\cudart64_30_14.dll C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\Newtonsoft.Json.dll C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\expand.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\expand.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50EB2661-FDC8-11ED-9DD1-6E0AA2656971} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392092206" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e09529d591d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f8ae9e55af78419b355851bb97a0b90000000002000000000010660000000100002000000034ea347b42fb42e983562d473288860e13e866613b293b7c38bd160277e53f08000000000e80000000020000200000002beae38cb7d65a7c4e3e217659dbf01b8cb2359b245b261a98597840da750b632000000062eaf8e894d1449aff1e31793b4c100d33d7258dc4baa7b835edd9a21d61096e40000000ffc7b8473cd51286a5c13b77f3d5577dbce60ecdb8b319f4fa9526977752478dfedfb8990d506b8f6ee4c3eeaa692ca25a02312089577cc6eabf5df73400caa3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f8ae9e55af78419b355851bb97a0b900000000020000000000106600000001000020000000d7c376fba92221b2ca74d4b86e652c0d2a6e8070cbe0e46d91fe2985a1f199e8000000000e800000000200002000000099936d85b0d502d2cc45220010569598652a9375f1ed7069d07f9ae6bf6ae0ff90000000b727753e2177d3a3ad42a97f00bbbf523a875ba35f57b21458b856c72fc015725dd79317f9490527561ffb264cba467e75796ff6826805d1fe7f29c3dd53ac73df80730a699fa0c3be46363d54a3cf50a2e857fa862eb90a22485bac734e292365c3125295d2eb9780d4cb617e120b6765a64be03c6c52f3d8a0add7ec17f2c8d48d95ea692796d508536f772e98e7a840000000ae3d08d1f86d0410ad5ee681e819c1ae7a066c10d1288685104f747e705c6c10489543d905593039eba7e4ea8a8ccc594b32b0fb782617f6af599242b6390ec1 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp N/A
N/A N/A C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1312 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 1056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp
PID 920 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 1104 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 1104 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 1104 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 920 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 452 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 452 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 452 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 920 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 920 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 920 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 920 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1820 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1820 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1820 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1040 wrote to memory of 1344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1040 wrote to memory of 1344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1040 wrote to memory of 1344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1040 wrote to memory of 1344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1312 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe
PID 1312 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe
PID 1312 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe
PID 1312 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe
PID 292 wrote to memory of 1080 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 1080 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 1080 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 1080 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1080 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1080 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe

"C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe"

C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp" /SL5="$70122,922170,832512,C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe

"C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 2525

C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp" /SL5="$101B0,9618522,832512,C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 2525

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-D0B5J.tmp\{app}\xcvoucyvp.cab -F:* %ProgramData%

C:\Windows\SysWOW64\expand.exe

expand C:\Users\Admin\AppData\Local\Temp\is-D0B5J.tmp\{app}\xcvoucyvp.cab -F:* C:\ProgramData

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f

C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

"C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x00^&pb=1^&px=2525

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x00&pb=1&px=2525

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe

"C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe" /usten SUB=2525

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "s1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "s1.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.trestarshop.com udp
US 45.86.230.85:443 www.trestarshop.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 str.skymiddle.host udp
US 188.114.97.0:80 str.skymiddle.host tcp
US 8.8.8.8:53 log.angersummer.xyz udp
US 104.21.1.243:80 log.angersummer.xyz tcp
US 8.8.8.8:53 yuffestyle.top udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
RU 185.159.129.2:1203 yuffestyle.top tcp
GB 62.172.138.67:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 axsboe-campaign.com udp
US 104.21.37.216:443 axsboe-campaign.com tcp
US 104.21.37.216:443 axsboe-campaign.com tcp
NL 95.101.74.148:443 www.bing.com tcp
NL 95.101.74.148:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 45.12.253.74:80 45.12.253.74 tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.64:443 login.microsoftonline.com tcp
IE 20.190.159.64:443 login.microsoftonline.com tcp
US 204.79.197.200:443 www2.bing.com tcp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 downloads.joinmassive.com udp
US 18.65.39.50:443 downloads.joinmassive.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/528-54-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp

MD5 db1470008f6805943f9c9087979d3ce0
SHA1 ddefc5021c74feee9d41a54a0aa384fcbd8633bd
SHA256 79a87b06d4b7abd27372d1f390d1c9fc8c32b7e67b3a3cbff6787e4d8ff1e5ff
SHA512 4d90e4abd912f419cb083283d7627f545eedd9a6f9073ccd2c09e119a166ea40f70420dc00ff7ab2d116cf1e332df1abea15fefaf1d3a823e4e4717d517ced80

C:\Users\Admin\AppData\Local\Temp\is-NH33N.tmp\d30e54f53559860093096109d25ecabb.tmp

MD5 db1470008f6805943f9c9087979d3ce0
SHA1 ddefc5021c74feee9d41a54a0aa384fcbd8633bd
SHA256 79a87b06d4b7abd27372d1f390d1c9fc8c32b7e67b3a3cbff6787e4d8ff1e5ff
SHA512 4d90e4abd912f419cb083283d7627f545eedd9a6f9073ccd2c09e119a166ea40f70420dc00ff7ab2d116cf1e332df1abea15fefaf1d3a823e4e4717d517ced80

\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/1312-66-0x0000000000240000-0x0000000000241000-memory.dmp

memory/528-67-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1312-68-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1312-69-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3DBF.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 b5fcc55cffd66f38d548e8b63206c5e6
SHA1 79db08ababfa33a4f644fa8fe337195b5aba44c7
SHA256 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512 aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe

MD5 384237f84c017bd91c3f84b87e95dfb0
SHA1 25aa01b98f19cec71a730f0dbb64bdb1614b8272
SHA256 3f24847849c627fe7f70da3d001e9e8596094a55b5a8018ed40d81c2ab75e693
SHA512 04e178283eec89c568fb4d01dee2372b1b4ecf726fd02d4306355e883b0e99f7599487604e99b93fcc1cac285f9adc184e1d92566456e891c76d4e491ab5eb23

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe

MD5 384237f84c017bd91c3f84b87e95dfb0
SHA1 25aa01b98f19cec71a730f0dbb64bdb1614b8272
SHA256 3f24847849c627fe7f70da3d001e9e8596094a55b5a8018ed40d81c2ab75e693
SHA512 04e178283eec89c568fb4d01dee2372b1b4ecf726fd02d4306355e883b0e99f7599487604e99b93fcc1cac285f9adc184e1d92566456e891c76d4e491ab5eb23

memory/1056-130-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s0.exe

MD5 384237f84c017bd91c3f84b87e95dfb0
SHA1 25aa01b98f19cec71a730f0dbb64bdb1614b8272
SHA256 3f24847849c627fe7f70da3d001e9e8596094a55b5a8018ed40d81c2ab75e693
SHA512 04e178283eec89c568fb4d01dee2372b1b4ecf726fd02d4306355e883b0e99f7599487604e99b93fcc1cac285f9adc184e1d92566456e891c76d4e491ab5eb23

\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp

MD5 d0bc960f033fd18142abfa509fa69efd
SHA1 fa335075a415fe7612b5b509ce70e854e80da903
SHA256 550485e2335f1343151d742eb7c6fd56c0f994f2379228a4d8eb26e3bd1502e6
SHA512 36fc3971578e0544e4cde41eb72ce38215595c38fe5055784da690f214fb738605c41aba2f64034f2174ed3ce7a44ed5faaef13c45d64b3d85fbf3aa73941c2f

C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp

MD5 d0bc960f033fd18142abfa509fa69efd
SHA1 fa335075a415fe7612b5b509ce70e854e80da903
SHA256 550485e2335f1343151d742eb7c6fd56c0f994f2379228a4d8eb26e3bd1502e6
SHA512 36fc3971578e0544e4cde41eb72ce38215595c38fe5055784da690f214fb738605c41aba2f64034f2174ed3ce7a44ed5faaef13c45d64b3d85fbf3aa73941c2f

\Users\Admin\AppData\Local\Temp\is-D0B5J.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/920-142-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SDOPO.tmp\s0.tmp

MD5 d0bc960f033fd18142abfa509fa69efd
SHA1 fa335075a415fe7612b5b509ce70e854e80da903
SHA256 550485e2335f1343151d742eb7c6fd56c0f994f2379228a4d8eb26e3bd1502e6
SHA512 36fc3971578e0544e4cde41eb72ce38215595c38fe5055784da690f214fb738605c41aba2f64034f2174ed3ce7a44ed5faaef13c45d64b3d85fbf3aa73941c2f

\??\c:\users\admin\appdata\local\temp\is-d0b5j.tmp\{app}\xcvoucyvp.cab

MD5 29e3b7261665a22f4ac2c7a7697b67e8
SHA1 99955fe33e3acfb1e041746e66e6b9e02aab0f31
SHA256 47fd871d32d22390c89d0a8a4f43348371646f4908656b3a5584ffaf69f363eb
SHA512 db81a3efd5af60feb677268ad55b139f89f97f88ef6abdc0ea18568b38a1a030f59ffc0169bd46cb434e10363782450efbcce57e1e44ecf2409220ffe9336858

\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

memory/920-208-0x0000000000400000-0x000000000071B000-memory.dmp

C:\ProgramData\regid.1993-06.com.microsoft\PCICL32.dll

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

C:\ProgramData\regid.1993-06.com.microsoft\pcichek.dll

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

\ProgramData\regid.1993-06.com.microsoft\PCICHEK.DLL

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\ProgramData\regid.1993-06.com.microsoft\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\ProgramData\regid.1993-06.com.microsoft\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\ProgramData\regid.1993-06.com.microsoft\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

\ProgramData\regid.1993-06.com.microsoft\PCICL32.DLL

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

C:\ProgramData\regid.1993-06.com.microsoft\client32.ini

MD5 880ca89c2435f007bdf15f59dd7e42e3
SHA1 cbb047c174b10e7313afe5ee214620d9d4f21c35
SHA256 712889d4ec4fca7ba320a823f73621d5cccaa746e8ecc80df16866d021acc3f8
SHA512 9f9fc3767f726732a9254830e1efb6d2fdcaa3402c6bd9e88e2aaf99394b0612573a917f97723ef1d28d9d3d86285f4d13e6045fec1b9201609171fee24896dd

C:\ProgramData\regid.1993-06.com.microsoft\NSM.LIC

MD5 e9609072de9c29dc1963be208948ba44
SHA1 03bbe27d0d1ba651ff43363587d3d6d2e170060f
SHA256 dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747
SHA512 f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

C:\ProgramData\regid.1993-06.com.microsoft\TCCTL32.DLL

MD5 2c88d947a5794cf995d2f465f1cb9d10
SHA1 c0ff9ea43771d712fe1878dbb6b9d7a201759389
SHA256 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e
SHA512 e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

\ProgramData\regid.1993-06.com.microsoft\TCCTL32.DLL

MD5 2c88d947a5794cf995d2f465f1cb9d10
SHA1 c0ff9ea43771d712fe1878dbb6b9d7a201759389
SHA256 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e
SHA512 e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

C:\ProgramData\regid.1993-06.com.microsoft\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

\ProgramData\regid.1993-06.com.microsoft\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

memory/1056-224-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1312-244-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 693f9393ee2d5788fef0797c5e82a6e8
SHA1 cb4e66aaf1bfeb001bb627e2f4aa77fe970f2604
SHA256 c3be4455ccb057a4d06ff79ed20910743f997d3ff172befd9f7a8591f65286c7
SHA512 da75a43978a4da7bfec1fcc54682ac1f463b5ec483f940a7d9e218f891b30b84d27d285d26bc1e81475f6cb1a2bf56a21cf90139561de968b15574c611f8ba5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 b5fcc55cffd66f38d548e8b63206c5e6
SHA1 79db08ababfa33a4f644fa8fe337195b5aba44c7
SHA256 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512 aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\is-CLTD1.tmp

MD5 444bcb3a3fcf8389296c49467f27e1d6
SHA1 7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
SHA256 2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
SHA512 9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\favicon-trans-bg-blue-mg[1].ico

MD5 30967b1b52cb6df18a8af8fcc04f83c9
SHA1 aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588
SHA256 439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e
SHA512 7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p734dsx\imagestore.dat

MD5 b24def94300c027bccc0ffaeb20bf545
SHA1 3f7f7207af23f425ee33f10c2da01cfb51fc9dca
SHA256 8a2a903cb9bc35b4d90a29d39ed0ae75b9584bcb79094d23d5f051b543b0884d
SHA512 39c055190d8101f36e4b3e2c6e3f26b4eb583aa1f3f48d9f18ded25ef2583e302eee32311e7dbce21b4364f9fea25e5d6d5fb26719cea1c7a46f416619cd37ef

\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\y3Y6ARztq-4CGDJq5CwKbhYwHqI.gz[1].js

MD5 a2b03ed8ab966d3f160d0cba85759324
SHA1 a64f8c814516b20080ef96f3ba810eadd8e7baf6
SHA256 b7e6d72ab99579e420be90f95f820c3c14a3f9c97ecbeb288df0b7010001d1e8
SHA512 ebe8aadd39f1abde5b31607543d9cf7c20adc5b823f7a968602785788ac614d409ec56f684a37fcfcf1cd06a4ab2559f7c17247f172fb2e6ac1f411ca0265d88

memory/292-366-0x0000000000320000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DE9Y0H7M\9d7Y_dQ7czmccmL9SZdfdL0DJVI.gz[1].js

MD5 e43b082c32e26fb9a9ff202f84957c14
SHA1 c377755741785caea48dca2e1a5f6e1234847be8
SHA256 b635eec4d5ff13255778a7fea072137814375f2d0407da3103293839a39a24a7
SHA512 d3d918e37b52e936929367fe55b2cc4a701a97660c91f6392620ef68d1c18720bd0731c1b9530872fc0300150dbac79f885b04c5b5ac2f18a2448cc16bff7ad0

memory/1312-532-0x0000000000400000-0x000000000071C000-memory.dmp

memory/292-534-0x0000000000400000-0x000000000069C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q4GI7.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf1f4cb2dc73c3e426cfd6af573c56c4
SHA1 c9578b4ef48f69cd08f705a3df81c6c1fd395864
SHA256 72cadf6c7c81b0e502ff5393810b8c8bb5dfc30d474f1898fc028ebe8c7fd455
SHA512 d4d7cacc4967c8abb867661a864ebad018fe058a8b37b2eff408a8933c3de41af5b6470f29fb7fd732aa73dcccfa324aeb181cea7e079f2cb2da50fddbd13503

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad8e0544e6aeba3ebb1c811b6873cf5f
SHA1 c66629918aa9fdbd4488bc72966e59cc654c7cbc
SHA256 3bde993f8655334fde71f068af74981fded82628cf746b8c4e0caeac3f23a491
SHA512 6542f3a6a0c359009d3e562045912c986ed979e0c6d282f0c8be773f0dffb4c47817f7d197474080c88093c7c2fdd3480f978c772584f5167fe9937a14f94386

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 439db75471e6d9b5577e6ee43be83e52
SHA1 090987ec9d0fa486e724d908d399d2ef0106b3ce
SHA256 0ea1d98b9a16f6a9ddfddb5d4272159689512b39d0fa7b52d4a8687d23b5fdb1
SHA512 7c2b88326c0c033cc93b4990ac4f8a017140387843439cf0a0b5b6f53c56f195019a381e6f29ec6d79f18cd95e6e403607a6e035d5861f0b687bc4435f6c39ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1d25fb1b1ef8a4696c71900b19b2846
SHA1 c4cdcb1735e89a3ab9e9226596351feaf127744d
SHA256 ca074484d1fb88518d5a6a9f54e5ee23660d066a30619de19a68a3695987d551
SHA512 2fa346f1dc3efeee06724865d096315cddd11bd3284c2acd6c6ee26787daceef58f54122322f876f2ef60e9872674feb22fcc045d677a7db3dda266b57c0a693

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f65f868eec2eecd6a8ce1a97fd195436
SHA1 8556b1382fd681fdf2bd9b45e42a076b38135ed7
SHA256 67f4813f8e9c60895dec4336a326319fe4c5ea6116bb1446ff2937cc4e936368
SHA512 46521da69ce4e971e929afd5361e6e504ba7dad714dad76bc89ea158822ed4a125f5242ee453e08b48225afef3e3f5f4dd44409adc9feec0fddbca4fa35733fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf302bedf36fb16871b65a79ddd3198b
SHA1 4b65c8e6c583251339a5686d386515259c3f9d00
SHA256 575426cdbb7a966a8514428424860e228db4e51051151a34cb40e4b49c7da9b4
SHA512 0f0b0bae9d1230f9fb9ebe14e1a7d7a4f171d54d914604c3c32b6a412e20a337572c0f7c3030e8a5098269684f9eecb179adacd1b93116ef0dcfb18f7da3da82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54adf02d80c1fd16b0bd1d2543ddc25e
SHA1 37a03af0c51426f1e9bc9e30d3b684434db8809e
SHA256 4ca3a5ea5b9307a546f922b381fbcd2f084c4d06e90b66c84b87679008ddd946
SHA512 3b14e131bade1e32228061133e99cc6b1ba39671cc8422ea6bb6d6df11e4b483ec5bf795ba813402b7828d59cec66c265803bd4753784a42708290dfcdc609a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50d95e464b3b9c2c872bb7ac272f3242
SHA1 3cf7a2ddf7077407ab55059cca227624446155f2
SHA256 f8e88e403c1d8f871069798da9066ef4c016b1956285fab7776d20d3ddb0037e
SHA512 b041a76763b225b4f860758e3aa516728380b17b64b0ce307ea016f15858c602293791d24ae889b3a64c1265cf2dfea6a64fff8f9f06e5f9d74b02ae88272c79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1873d68b39ac8bb0a41e0f62ddd7eacd
SHA1 9b16ba083d30666550772c4d2e50ec393037862f
SHA256 c8532fe7b334dfd6e3b55b1dca29a03b09267e83ae6a6cfda72a6617573a9318
SHA512 2c1650f1018d90c15d5da104273f545b467eefbaef52260a3c41a2247b71ab0789cccea69ebb4f3699347771417e005760860acb1316c5e28d9d6b64652687f7

memory/1312-832-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1a4367fbd0b5a78b05d67cc84a0901c
SHA1 000d140e50f91bb264b691987460fd38046f4055
SHA256 3b591859d07c7ad6c9b00280096dc6e63706037e7a4bd328105fc26505d32b55
SHA512 ef9bb344c56b5532681c2b5aaabff0d0cc254a170c52c928461c01d28068579418160e4a921e8f0800c78750a97d7dc29dd45cca3f7da6e4dcc19b29f1180ab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

MD5 43f7751f726cfafe9844ac2c2b1141e5
SHA1 4a016ad50c89a0ebdc36a954da56b7c5b08ef97b
SHA256 5b8f2c7c063199318ca06c7eb9f21fb11b46cd2b53a14ed180d67473c1ebb79e
SHA512 4d69d5153d34f8a41c7d39568c1117df0f444bc8c1248af3722afb6f3759976f172770bedf649b51280b55e5c8f5b3ebde97c56a963e4f6d7f1ed1966a18be36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

MD5 48974d0952cee405179ad1a3a5f71a10
SHA1 0824521347022efe6ad0f7e8ac25613ab73f009e
SHA256 ca7dcf6486a4383206937e855e820255c35b8dd602ad148f5c6b6b7714ab41f8
SHA512 d18eb01171c54c748c5a24f016a92587eb45709993566527f5ee2ba367bc586a4ae54da758bd222d532d67d64df1d65e45fce5419d789d64ad0906d25e76d329

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 430642475d2b9df1f1bafbcb394b8813
SHA1 82797c47f38e619b0d443e9a71f3adac1363e81c
SHA256 3e6cfcbccc6f02cd7b90e5c50eefbc2c9ff26591844221f40e953aa34b4f8011
SHA512 ca0fe5b547c4ec3580bb325ba9bb724ea98e336e3526929abefb70668d729810e4a76e3bff6a653d46984f449ed7e200c9a95647f3591816b5a2a324e9a57d48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\51Q0MBRI.txt

MD5 4b696e84e02a8c749cff7d00d06aac4c
SHA1 a651f7069b808ce6e326411d917cdefae9679118
SHA256 8de2ab1135a88ccccc4cd9e2259ec2bc58d265b4f58addb7721287d416c99fbc
SHA512 95323888912355d5a217be160e8f71d2b9ac5a700a1847d3f1f7f1e78b9ce08840327ead35a84b903c1948a37e1f54a48e088daa6a9b65e2766a4b2ad88e1fdf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-29 00:26

Reported

2023-05-29 00:31

Platform

win10v2004-20230221-en

Max time kernel

270s

Max time network

263s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

GCleaner

loader gcleaner

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Programs\Adblock\DnsService.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-4DV2D.tmp\AdblockInstaller.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\crashpad_handler.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\DnsService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Update-50775ef7-a0eb-4929-8c31-b9cca5ebdeac\AdblockInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4DV2D.tmp\AdblockInstaller.tmp N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Program Files (x86)\PremierOpinion\pmropn.exe N/A
N/A N/A C:\Program Files (x86)\PremierOpinion\pmservice.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hseguec N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\DnsService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4DV2D.tmp\AdblockInstaller.tmp N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pmls.dll C:\Program Files (x86)\PremierOpinion\pmropn.exe N/A
File opened for modification C:\Windows\SysWOW64\pmls.dll C:\Program Files (x86)\PremierOpinion\pmropn.exe N/A
File created C:\Windows\system32\pmls64.dll C:\Program Files (x86)\PremierOpinion\pmropn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-NO1IK.tmp C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\PremierOpinion\pmservice.exe C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn.exe C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\PremierOpinion\pmropn.exe C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c9c19cf4-101a-4458-b403-93b951d0d0a0.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\cudart64_30_14.dll C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\Setup\is-SI3DO.tmp C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp N/A
File opened for modification C:\Program Files (x86)\PremierOpinion\pmservice.exe C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Program Files (x86)\PremierOpinion\pmls64.dll C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn32.exe C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\ODISSDK.dll C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-J6KUK.tmp C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\Setup\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp N/A
File opened for modification C:\Program Files (x86)\Setup\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp N/A
File opened for modification C:\Program Files (x86)\PremierOpinion\pmls.dll C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\PremierOpinion\pmls.dll C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Program Files (x86)\PremierOpinion\pmropn64.exe C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\PremierOpinion\pmropn32.exe C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230529022948.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\FTfDPnbCt Inc\Newtonsoft.Json.dll C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-RS069.tmp C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\FTfDPnbCt Inc\is-FDOTJ.tmp C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
File created C:\Program Files (x86)\PremierOpinion\pmls64.dll C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\PremierOpinion\pmropn64.exe C:\Windows\system32\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hseguec N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hseguec N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hseguec N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31035861" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1810451974" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035861" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000886db1e1b076494bb36841047fad289c0000000002000000000010660000000100002000000085502949ebd99110e883e9d3baf2ba3a08ea4b72efd53240017bafc0f3a163d2000000000e800000000200002000000041abfcecd825cd5341ae2ba17dc8d0db367652072ca9675988ef375eb4489e352000000085b9cfe8118b86a6ccea7c0d1d47aeefd3a89e14f8f9dad620088841ba580e8d40000000fbeae20e11009ae368ae6f3a53c66321f7541a2d5cdf2db530847f45dc79df96cca2164db336c480f42746623f35944785b80aae2ec2250569114962aeac6af1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409bf66dd591d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806c036ed591d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000886db1e1b076494bb36841047fad289c00000000020000000000106600000001000020000000c0bf2d8a762ba92118d8053a8866967ce44f64194be06e3fb1ca7f07a79e539d000000000e80000000020000200000007bf05d39e6548cdd1cfce4c6cf18b479af30266a7b3a304f1d375db564d3b79e20000000041b97e05a0af35a6b6ddca06c3e238de57fa0df13cd8a5f319b1b81fb645fa740000000f07979d63fabc4857e8baa6e3fffb61223b9483541752a0c2ef8dea22f8e9d4d1ef65218ecd42245b0717eb1f7337a8fbdc3f62ee4c0613d79b8a82659d48367 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{971EF515-FDC8-11ED-8227-F2B344309C31} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1810451974" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392092323" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hseguec N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A
N/A N/A C:\Users\Admin\Programs\Adblock\Adblock.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 1216 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 1216 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp
PID 944 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe
PID 944 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe
PID 944 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe
PID 2328 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp
PID 2328 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp
PID 2328 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp
PID 944 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe
PID 944 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe
PID 944 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe
PID 928 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe
PID 928 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe
PID 928 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe
PID 740 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe
PID 4296 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe
PID 4296 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe
PID 928 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe
PID 928 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe
PID 928 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe
PID 1884 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe
PID 4088 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe
PID 4088 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe
PID 4088 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe
PID 4088 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe
PID 4088 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe
PID 2196 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 928 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe
PID 928 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe
PID 928 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe
PID 3928 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3928 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3928 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3928 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3928 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 928 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe
PID 928 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe
PID 928 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe
PID 928 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe
PID 4092 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe
PID 2436 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2436 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2436 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 944 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe

"C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe"

C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp" /SL5="$7011C,922170,832512,C:\Users\Admin\AppData\Local\Temp\d30e54f53559860093096109d25ecabb.exe"

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe

"C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 2525

C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp" /SL5="$101E8,9618522,832512,C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 2525

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe

"C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe" /usten SUB=2525

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1032

C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe

"C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /d /c btgngym.bat 2784547240

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe

fkfowhrvytj.exe lvjbdyfw.dat 2784547240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1292

C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe

"C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b "*.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe

"epo2fxguyfxq.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe

"mcz0xwxdy3l.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 240

C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe

"C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe

"C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3928 -ip 3928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1448

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "s1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1500

C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe

"C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "s1.exe" /f

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe

"C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /sid=2525

C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp" /SL5="$501FE,16467185,792064,C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /sid=2525

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im MassiveEngine.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im MassiveExtension.exe

C:\Users\Admin\Programs\Adblock\Adblock.exe

"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=7669410e1685327262 --downloadDate=2023-05-29T02:27:39 --distId=marketator2 --sid=2525

C:\Windows\system32\cmd.exe

"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.5.0&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\log.txt" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\f5d30596-57ea-4a04-6283-5b0410c1fa5f.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\f5d30596-57ea-4a04-6283-5b0410c1fa5f.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\f5d30596-57ea-4a04-6283-5b0410c1fa5f.run\__sentry-breadcrumb2" --initial-client-data=0x41c,0x420,0x424,0x3f4,0x428,0x7ff63f7cbe00,0x7ff63f7cbe18,0x7ff63f7cbe30

C:\Windows\system32\netsh.exe

C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE

C:\Users\Admin\Programs\Adblock\DnsService.exe

C:\Users\Admin\Programs\Adblock\DnsService.exe /abfpid=5488

C:\Windows\system32\reg.exe

reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f

C:\Windows\system32\reg.exe

reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f

C:\Windows\system32\cmd.exe

"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe

"C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s3.exe"

C:\Users\Admin\AppData\Local\Temp\Update-50775ef7-a0eb-4929-8c31-b9cca5ebdeac\AdblockInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\Update-50775ef7-a0eb-4929-8c31-b9cca5ebdeac\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE

C:\Users\Admin\AppData\Local\Temp\is-4DV2D.tmp\AdblockInstaller.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4DV2D.tmp\AdblockInstaller.tmp" /SL5="$202DE,16745351,792064,C:\Users\Admin\AppData\Local\Temp\Update-50775ef7-a0eb-4929-8c31-b9cca5ebdeac\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE

C:\Users\Admin\Programs\Adblock\DnsService.exe

"C:\Users\Admin\Programs\Adblock\DnsService.exe" /restoredns

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "Adblock.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "MassiveEngine.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "MassiveExtension.exe"

C:\Windows\system32\cmd.exe

cmd

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv

C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\poinstaller.exe

"C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\poinstaller.exe" -c:1517 -t:2525 /s

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\PremierOpinion\pmropn.exe

C:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:2525 /s -bid:7apTLpmckC5rwFB4G7LLGG -o:0

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram program = "c:\program files (x86)\premieropinion\pmropn.exe" name = pmropn.exe mode = ENABLE scope = ALL

C:\Program Files (x86)\PremierOpinion\pmservice.exe

"C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\pmls64.dll,UpdateProcess 788

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv

C:\Windows\system32\ipconfig.exe

ipconfig /displaydns

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\tasklist.exe

tasklist /v

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4736 -ip 4736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 2060

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\system32\net.exe

net accounts /domain

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 accounts /domain

C:\Windows\system32\net.exe

net share

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 share

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\net.exe

net user /domain

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /domain

C:\Windows\system32\net.exe

net use

C:\Windows\system32\net.exe

net group

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 group

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\NETSTAT.EXE

netstat -r

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print

C:\Windows\system32\ROUTE.EXE

C:\Windows\system32\route.exe print

C:\Windows\system32\NETSTAT.EXE

netstat -nao

C:\Windows\system32\schtasks.exe

schtasks /query

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9708 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://g-cleanit.hk/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1bc246f8,0x7ffd1bc24708,0x7ffd1bc24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff78c8d5460,0x7ff78c8d5470,0x7ff78c8d5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

C:\Users\Admin\AppData\Roaming\hseguec

C:\Users\Admin\AppData\Roaming\hseguec

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1117780728997243297,15256111760292320940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1

Network

Country Destination Domain Proto
US 40.77.2.164:443 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.trestarshop.com udp
US 45.86.230.85:443 www.trestarshop.com tcp
US 8.8.8.8:53 85.230.86.45.in-addr.arpa udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 6.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 str.skymiddle.host udp
US 188.114.97.0:80 str.skymiddle.host tcp
US 8.8.8.8:53 log.angersummer.xyz udp
US 104.21.1.243:80 log.angersummer.xyz tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
NL 45.12.253.74:80 45.12.253.74 tcp
US 8.8.8.8:53 243.1.21.104.in-addr.arpa udp
US 8.8.8.8:53 74.253.12.45.in-addr.arpa udp
NL 45.12.253.56:80 45.12.253.56 tcp
NL 45.12.253.72:80 45.12.253.72 tcp
NL 45.12.253.75:80 45.12.253.75 tcp
US 8.8.8.8:53 56.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 72.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 75.253.12.45.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 188.34.154.187:30303 188.34.154.187 tcp
FI 95.217.63.153:21969 tcp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 187.154.34.188.in-addr.arpa udp
US 8.8.8.8:53 153.63.217.95.in-addr.arpa udp
US 8.8.8.8:53 lodar2ben.top udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 45.12.253.98:80 45.12.253.98 tcp
US 8.8.8.8:53 98.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 downloads.joinmassive.com udp
US 18.65.39.50:443 downloads.joinmassive.com tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 50.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 76.61.156.108.in-addr.arpa udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
NL 54.192.87.164:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 230.137.222.52.in-addr.arpa udp
US 8.8.8.8:53 83.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 193.137.222.52.in-addr.arpa udp
US 8.8.8.8:53 164.87.192.54.in-addr.arpa udp
US 8.8.8.8:53 api.joinmassive.com udp
US 18.65.39.62:443 api.joinmassive.com tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 62.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 cdn.computewall.com udp
US 104.26.2.25:443 cdn.computewall.com tcp
US 104.26.2.25:443 cdn.computewall.com tcp
US 8.8.8.8:53 api.joinmassive.com udp
US 8.8.8.8:53 cdn.computewall.com udp
US 104.26.3.25:443 cdn.computewall.com tcp
US 8.8.8.8:53 api.joinmassive.com udp
US 8.8.8.8:53 25.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 api.joinmassive.com udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 104.26.3.25:443 cdn.computewall.com tcp
US 8.8.8.8:53 api.joinmassive.com udp
US 18.65.39.26:443 api.joinmassive.com tcp
US 18.65.39.26:443 api.joinmassive.com tcp
US 18.65.39.26:443 api.joinmassive.com tcp
US 8.8.8.8:53 25.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 26.39.65.18.in-addr.arpa udp
US 104.26.3.25:443 cdn.computewall.com tcp
US 8.8.8.8:53 d1ql3z8u1oo390.cloudfront.net udp
NL 52.222.137.115:80 d1ql3z8u1oo390.cloudfront.net tcp
US 8.8.8.8:53 downloads.joinmassive.com udp
US 18.65.39.36:443 downloads.joinmassive.com tcp
US 18.65.39.36:443 downloads.joinmassive.com tcp
US 104.26.3.25:443 cdn.computewall.com tcp
US 8.8.8.8:53 115.137.222.52.in-addr.arpa udp
US 8.8.8.8:53 36.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 downloads.adblockfast.com udp
US 104.21.93.193:443 downloads.adblockfast.com tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 193.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 post.securestudies.com udp
US 165.193.78.234:443 post.securestudies.com tcp
US 8.8.8.8:53 234.78.193.165.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 18.65.39.26:443 api.joinmassive.com tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 dpd.securestudies.com udp
NL 65.9.86.40:443 dpd.securestudies.com tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
NL 54.192.87.164:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 40.86.9.65.in-addr.arpa udp
US 8.8.8.8:53 208.137.222.52.in-addr.arpa udp
US 8.8.8.8:53 miami-golf-club.com udp
US 66.85.157.98:443 miami-golf-club.com tcp
US 8.8.8.8:53 98.157.85.66.in-addr.arpa udp
US 8.8.8.8:53 post.securestudies.com udp
US 165.193.78.234:443 post.securestudies.com tcp
US 165.193.78.234:443 post.securestudies.com tcp
NL 65.9.86.40:443 dpd.securestudies.com tcp
US 8.8.8.8:53 rules.securestudies.com udp
US 66.119.41.118:443 rules.securestudies.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 www.premieropinion.com udp
US 165.193.78.250:80 www.premieropinion.com tcp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 165.193.78.234:443 post.securestudies.com tcp
US 8.8.8.8:53 118.41.119.66.in-addr.arpa udp
US 8.8.8.8:53 250.78.193.165.in-addr.arpa udp
US 165.193.78.234:443 post.securestudies.com tcp
US 8.8.8.8:53 lodar2ben.top udp
N/A 127.0.0.1:51021 tcp
US 8.8.8.8:53 loadre2f.top udp
N/A 127.0.0.1:51035 tcp
N/A 127.0.0.1:51051 tcp
N/A 127.0.0.1:51070 tcp
N/A 127.0.0.1:51074 tcp
N/A 127.0.0.1:51080 tcp
N/A 127.0.0.1:51085 tcp
N/A 127.0.0.1:51105 tcp
N/A 127.0.0.1:51111 tcp
N/A 127.0.0.1:51144 tcp
N/A 127.0.0.1:51158 tcp
US 8.8.8.8:53 ca-ferrari-club.com udp
US 165.227.8.65:443 ca-ferrari-club.com tcp
US 165.227.8.65:443 ca-ferrari-club.com tcp
US 8.8.8.8:53 65.8.227.165.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
N/A 127.0.0.1:53142 tcp
N/A 127.0.0.1:53175 tcp
N/A 127.0.0.1:53231 tcp
US 66.85.157.98:443 miami-golf-club.com tcp
N/A 127.0.0.1:53315 tcp
N/A 127.0.0.1:53317 tcp
N/A 127.0.0.1:53332 tcp
N/A 127.0.0.1:53334 tcp
N/A 127.0.0.1:53347 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 g-cleanit.hk udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 g-cleanit.hk udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 g-cleanit.hk udp

Files

memory/1216-133-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-B617K.tmp\d30e54f53559860093096109d25ecabb.tmp

MD5 db1470008f6805943f9c9087979d3ce0
SHA1 ddefc5021c74feee9d41a54a0aa384fcbd8633bd
SHA256 79a87b06d4b7abd27372d1f390d1c9fc8c32b7e67b3a3cbff6787e4d8ff1e5ff
SHA512 4d90e4abd912f419cb083283d7627f545eedd9a6f9073ccd2c09e119a166ea40f70420dc00ff7ab2d116cf1e332df1abea15fefaf1d3a823e4e4717d517ced80

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/944-143-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/1216-144-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/944-145-0x0000000000400000-0x000000000071C000-memory.dmp

memory/944-146-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/944-154-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe

MD5 384237f84c017bd91c3f84b87e95dfb0
SHA1 25aa01b98f19cec71a730f0dbb64bdb1614b8272
SHA256 3f24847849c627fe7f70da3d001e9e8596094a55b5a8018ed40d81c2ab75e693
SHA512 04e178283eec89c568fb4d01dee2372b1b4ecf726fd02d4306355e883b0e99f7599487604e99b93fcc1cac285f9adc184e1d92566456e891c76d4e491ab5eb23

memory/2328-158-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s0.exe

MD5 384237f84c017bd91c3f84b87e95dfb0
SHA1 25aa01b98f19cec71a730f0dbb64bdb1614b8272
SHA256 3f24847849c627fe7f70da3d001e9e8596094a55b5a8018ed40d81c2ab75e693
SHA512 04e178283eec89c568fb4d01dee2372b1b4ecf726fd02d4306355e883b0e99f7599487604e99b93fcc1cac285f9adc184e1d92566456e891c76d4e491ab5eb23

C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp

MD5 d0bc960f033fd18142abfa509fa69efd
SHA1 fa335075a415fe7612b5b509ce70e854e80da903
SHA256 550485e2335f1343151d742eb7c6fd56c0f994f2379228a4d8eb26e3bd1502e6
SHA512 36fc3971578e0544e4cde41eb72ce38215595c38fe5055784da690f214fb738605c41aba2f64034f2174ed3ce7a44ed5faaef13c45d64b3d85fbf3aa73941c2f

C:\Users\Admin\AppData\Local\Temp\is-P68BS.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2852-168-0x00000000008E0000-0x00000000008E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AGS5A.tmp\s0.tmp

MD5 d0bc960f033fd18142abfa509fa69efd
SHA1 fa335075a415fe7612b5b509ce70e854e80da903
SHA256 550485e2335f1343151d742eb7c6fd56c0f994f2379228a4d8eb26e3bd1502e6
SHA512 36fc3971578e0544e4cde41eb72ce38215595c38fe5055784da690f214fb738605c41aba2f64034f2174ed3ce7a44ed5faaef13c45d64b3d85fbf3aa73941c2f

memory/2852-181-0x0000000000400000-0x000000000071B000-memory.dmp

memory/2328-182-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s1.exe

MD5 ff4af820ea78f651ac64bf6904d0fce7
SHA1 b89c1d6a6f1a9c2c18556ad0166f5b5f82bc67ad
SHA256 9a01aafc86187e4f8638afb8f0c6c953e334a3dc0d2831027979d2e2acb67d9e
SHA512 3d87e3051c07eda0180b80ba1d7c452c98b70bda9b574b278d729758c2f9b74b872a71ab45af73db47b36cf57d535e59f32d5ff848950e63086bcea99263b92a

memory/928-194-0x0000000002290000-0x00000000022D2000-memory.dmp

memory/944-196-0x0000000000400000-0x000000000071C000-memory.dmp

memory/928-200-0x0000000010000000-0x000000001001B000-memory.dmp

C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe

MD5 e4699b90ea532a8ef72223289261ca1c
SHA1 2b0bca7036b63e4dbed6f58366c338d079afcb28
SHA256 f17694550f57c6605f37588e37f55898bbc969c1f24b18f0be8ce416c95ab91c
SHA512 fe05a17f066ce8ddcd4d7d9c7d66176da6423d8409b16c423ce92a6800a0770bd736fa962a98b4846d76531848040da595765481d737d394cc1ed86b4014d317

C:\Users\Admin\AppData\Roaming\98EuqrTz\grw2tDzzuP.exe

MD5 e4699b90ea532a8ef72223289261ca1c
SHA1 2b0bca7036b63e4dbed6f58366c338d079afcb28
SHA256 f17694550f57c6605f37588e37f55898bbc969c1f24b18f0be8ce416c95ab91c
SHA512 fe05a17f066ce8ddcd4d7d9c7d66176da6423d8409b16c423ce92a6800a0770bd736fa962a98b4846d76531848040da595765481d737d394cc1ed86b4014d317

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\btgngym.bat

MD5 391ed7b3ea130d27468e5bc795965e56
SHA1 4fcdf7e1a4369a9886162725756734325ad34745
SHA256 5c162c864115fd6608666aa6a7a5124f69aac00dcc41138392979e2ff1c99060
SHA512 4899dfc84aafa2a84ee685375ff9ea28dd39d4f8c5022089f5200b779f3cbcae9db3cc6478001605ebc11ab3d11f226b0adc9f0d7ba6eac6753fd46f386f838e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exsdygjpgto.dat

MD5 69691c7bdcc3ce6d5d8a1361f22d04ac
SHA1 c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA256 08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512 253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exsdygjpgto.dat.1

MD5 158b365b9eedcfaf539f5dedfd82ee97
SHA1 529f5d61ac99f60a8e473368eff1b32095a3e2bf
SHA256 39561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90
SHA512 a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exsdygjpgto.dat.2

MD5 500ba63e2664798939744b8a8c9be982
SHA1 54743a77e4186cb327b803efb1ef5b3d4ac163ce
SHA256 4ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba
SHA512 9992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exsdygjpgto.dat.3

MD5 1cdcac73345a1648c88469a9220dcd50
SHA1 ef8517f1c343e1c1f50dbd868d0ba7f3b5557581
SHA256 98a9eb5818e8caa8067f9ac10aeda157cdad972d45ea144a5c3c35a3a5df1253
SHA512 0c9b0a4afb4990abad86981607241df9395d75a09926fdb0a9d177610dc7577c5c7b2689e210c6db0697274ec11ff281717920ff89e9bac57ab9ae77fb39b8b2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe

MD5 8037fcd47b0e6228e8a9a10cc27f5535
SHA1 b2f6ae6d348fce24a85623bf082819e90df07a05
SHA256 d08256e94e7f0006495f48f04bfde0f08fe57bb3d6f881ffd5d3e7382a437379
SHA512 365e901156859b743fad1e89f035ae9d38be53d2ce60131328aebe630db62e67d059c76cba17dcb4a5c2601775638c078b0e57f10c86190039f60b3510267649

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkfowhrvytj.exe

MD5 8037fcd47b0e6228e8a9a10cc27f5535
SHA1 b2f6ae6d348fce24a85623bf082819e90df07a05
SHA256 d08256e94e7f0006495f48f04bfde0f08fe57bb3d6f881ffd5d3e7382a437379
SHA512 365e901156859b743fad1e89f035ae9d38be53d2ce60131328aebe630db62e67d059c76cba17dcb4a5c2601775638c078b0e57f10c86190039f60b3510267649

memory/3752-231-0x000000001F600000-0x000000001F601000-memory.dmp

memory/3752-232-0x000000003D500000-0x000000003D501000-memory.dmp

memory/3752-233-0x0000000005700000-0x0000000005701000-memory.dmp

memory/3752-235-0x0000000024A00000-0x0000000024A01000-memory.dmp

memory/3752-236-0x000000003EA00000-0x000000003EA01000-memory.dmp

memory/3752-234-0x000000000EF00000-0x000000000EF01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lvjbdyfw.dat

MD5 1d75f9fe26bf78dd42740c1a19366dc1
SHA1 b22815fd3a528bbb0320f7fead2eabf347ba00ab
SHA256 abb0bcfea4b003085e49e828d44a423da5c4a952fe0854f2a1d66f3f33a3d6cd
SHA512 82988ce93a22ab83f944b50a1f2e13de6bd15143765c74fbaa553c7cdbafde2f0d739f9d32d8eb9681558afadc80dd988a91d227fa3af15b0c111e1ad7134592

memory/928-238-0x0000000000400000-0x000000000069C000-memory.dmp

C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe

MD5 7417ada3df61c7f7c8ebb71f9af49d4b
SHA1 ae54fd36dfe71a45d65dc479b2971795e3d1801f
SHA256 d8fcc7a8ec98bab70477a9c84688157f2f9111af12b389f782b610011d02e7ed
SHA512 029473814831fda65e36ae5dcd5d714db7448df3b4a7f3b9787e46fd022b6b9244e699eced98bcbc44ce81041e8d3402627629b94f6011310638d6ccedd608d3

C:\Users\Admin\AppData\Roaming\stLrjwZxswT\sNFhtON.exe

MD5 7417ada3df61c7f7c8ebb71f9af49d4b
SHA1 ae54fd36dfe71a45d65dc479b2971795e3d1801f
SHA256 d8fcc7a8ec98bab70477a9c84688157f2f9111af12b389f782b610011d02e7ed
SHA512 029473814831fda65e36ae5dcd5d714db7448df3b4a7f3b9787e46fd022b6b9244e699eced98bcbc44ce81041e8d3402627629b94f6011310638d6ccedd608d3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat

MD5 a1099e439c142789ff2183c18f77cdca
SHA1 f7efcca92b6138c091c926277d5c29dfefe0872e
SHA256 8fd34feb39582f009552d460e8d24539dd00bb1251f2e721277fb3559c998917
SHA512 7bc34150f5662589f6d16803716deb7974c56e4665907bd7e2a4337c6e9397603b3a8d9e4f8f64c5bbb4c948c168843555fcc744f86eb932cddb3d94af6b7cdc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe

MD5 ed20182b8e001d17bd9e4069a5aab9de
SHA1 50472145fd8ecdbc8c68839695999830e809122d
SHA256 237697bd8af2a3a9e914e33d4d8914aa0768ff99378aa57e5e1cae81c61ce927
SHA512 1de5b59dc68d87f84104f1035000ee70c96768025dc5f94c795b19fcc0244be8fc83b2f747d4a7d2250f51255312a42c2dcb9efbe1535083ad9d2591572e2b62

C:\Users\Admin\AppData\Local\Temp\RarSFX0\epo2fxguyfxq.exe

MD5 ed20182b8e001d17bd9e4069a5aab9de
SHA1 50472145fd8ecdbc8c68839695999830e809122d
SHA256 237697bd8af2a3a9e914e33d4d8914aa0768ff99378aa57e5e1cae81c61ce927
SHA512 1de5b59dc68d87f84104f1035000ee70c96768025dc5f94c795b19fcc0244be8fc83b2f747d4a7d2250f51255312a42c2dcb9efbe1535083ad9d2591572e2b62

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe

MD5 6f748d2dc492ee1a3127a9f67e101f68
SHA1 f94f10969e3c7ae0e572992ed2492809876eb9ef
SHA256 58cbab6cc65adc654be2db237c9848ef73d408d2b58198a93762cdcee65eb70f
SHA512 f29f837bb545b81c94522c1c82265dab29289084b37a96de48591b2555feca842f912ef862f8da33dee5e81eafe08f4bb3160ff3521db3fe3445d6d14f150ab9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcz0xwxdy3l.exe

MD5 6f748d2dc492ee1a3127a9f67e101f68
SHA1 f94f10969e3c7ae0e572992ed2492809876eb9ef
SHA256 58cbab6cc65adc654be2db237c9848ef73d408d2b58198a93762cdcee65eb70f
SHA512 f29f837bb545b81c94522c1c82265dab29289084b37a96de48591b2555feca842f912ef862f8da33dee5e81eafe08f4bb3160ff3521db3fe3445d6d14f150ab9

memory/4772-262-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4772-268-0x0000000007FB0000-0x00000000085C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe

MD5 37575568d98e3ebbdfb354e510aff47f
SHA1 4fb0bbf255020c5190f87c8f476d62c0d7297991
SHA256 eaec2c42930a52d2f721a37e9915f554c63a1c1360621c721de55d948b44ae26
SHA512 b1aa7440ea1bc713146ecfa764a73b9066ff90b03d14acaf1722107237a7e175195f3b72e6f2e099c37c98ad0ad81d23e295a3b580dbefa5c2e20a907fa0fd66

C:\Users\Admin\AppData\Roaming\CO66IEvQSs\NPi0tJVg86.exe

MD5 37575568d98e3ebbdfb354e510aff47f
SHA1 4fb0bbf255020c5190f87c8f476d62c0d7297991
SHA256 eaec2c42930a52d2f721a37e9915f554c63a1c1360621c721de55d948b44ae26
SHA512 b1aa7440ea1bc713146ecfa764a73b9066ff90b03d14acaf1722107237a7e175195f3b72e6f2e099c37c98ad0ad81d23e295a3b580dbefa5c2e20a907fa0fd66

memory/4772-275-0x0000000007990000-0x00000000079A2000-memory.dmp

memory/4772-276-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

memory/4772-277-0x00000000079F0000-0x0000000007A2C000-memory.dmp

memory/4736-284-0x0000000002200000-0x0000000002259000-memory.dmp

memory/4772-285-0x0000000007D20000-0x0000000007D30000-memory.dmp

memory/4772-289-0x0000000007D30000-0x0000000007D96000-memory.dmp

memory/4772-290-0x0000000008DD0000-0x0000000009374000-memory.dmp

memory/4736-291-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4772-294-0x00000000088F0000-0x0000000008982000-memory.dmp

memory/2228-293-0x0000000000400000-0x000000000056C000-memory.dmp

C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe

MD5 56c6dc11344ec09e1587de2e2f15d489
SHA1 82f9b8a2260a796648b9ea9f06e4be85aeb60399
SHA256 3350f50e705b773254b1506e65950b9d610e97b6d002fd02c0307f1e8abf2a3a
SHA512 0e496b07316b29a4affdb1a79651190ebbcb4f8a22c02b3c29a5d79567aac03b9a9f839a61d739aa2ce0c08db53a4b0c50da2548e9f145beae799781e03f2528

C:\Users\Admin\AppData\Roaming\OObhuP\nzvkpME2.exe

MD5 56c6dc11344ec09e1587de2e2f15d489
SHA1 82f9b8a2260a796648b9ea9f06e4be85aeb60399
SHA256 3350f50e705b773254b1506e65950b9d610e97b6d002fd02c0307f1e8abf2a3a
SHA512 0e496b07316b29a4affdb1a79651190ebbcb4f8a22c02b3c29a5d79567aac03b9a9f839a61d739aa2ce0c08db53a4b0c50da2548e9f145beae799781e03f2528

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/5100-400-0x00000000007E0000-0x00000000007E9000-memory.dmp

memory/4772-458-0x0000000001320000-0x0000000001370000-memory.dmp

memory/4772-461-0x00000000067C0000-0x0000000006836000-memory.dmp

memory/4772-472-0x0000000006770000-0x000000000678E000-memory.dmp

memory/4772-488-0x0000000006AC0000-0x0000000006C82000-memory.dmp

memory/4772-493-0x00000000071C0000-0x00000000076EC000-memory.dmp

memory/4772-685-0x0000000007D20000-0x0000000007D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe

MD5 202aac25d0a4dd92c53f5ac473de3d6c
SHA1 329cd2405b0928827744d4baec4af338e3295440
SHA256 679ee05d92a858b6fe70aeb6072eb804548f1732e18b6c181af122b833386afb
SHA512 c53dc41a8a29beb5695f3ae370915b2c0ca9eea0bed72b9950550ed93a36c817614c9daafac36c461468f61ebe31224540091b9d2667b16b1132277d3e8d86ea

C:\Users\Admin\Desktop\Cleaner.lnk

MD5 834b32dba9291adac61ef6019767dcb3
SHA1 0c27b7d2569e571817a9e832e85af86e461f27d8
SHA256 3639ca037ae76d3d0ed76ca6318f3c1c150c1161a8ce3fcf093066247b231f1d
SHA512 164308a45247bdccd73d3fada2c764ff9b31ba64d4282d225b851e3ba4cbc0bfde11175b4c8e60e0bbf7aaedf306b436a686831ce59704f45897e9ffb10a41db

C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Cleaner.exe

MD5 202aac25d0a4dd92c53f5ac473de3d6c
SHA1 329cd2405b0928827744d4baec4af338e3295440
SHA256 679ee05d92a858b6fe70aeb6072eb804548f1732e18b6c181af122b833386afb
SHA512 c53dc41a8a29beb5695f3ae370915b2c0ca9eea0bed72b9950550ed93a36c817614c9daafac36c461468f61ebe31224540091b9d2667b16b1132277d3e8d86ea

memory/2592-722-0x000001D99F390000-0x000001D99F4EA000-memory.dmp

memory/2592-729-0x000001D9A11F0000-0x000001D9A1232000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2f6VUaSION8uGZb5pdjxRsz5MRz5L\Bunifu_UI_v1.5.3.dll

MD5 2ecb51ab00c5f340380ecf849291dbcf
SHA1 1a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256 f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512 e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

memory/2592-755-0x000001D9B9AA0000-0x000001D9B9AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\status.log

MD5 444bcb3a3fcf8389296c49467f27e1d6
SHA1 7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
SHA256 2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
SHA512 9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe

MD5 757c922baacb619f3823e9f1b2f6a49f
SHA1 d7f030fc9fe2df18fd891804c89a56d698d32fc4
SHA256 e9c9932ba000a141fd12ffbdd0a14567168baee363496c6fa3945bba22d45bc3
SHA512 87ce7731849c4393c69ccf722590d7dfd97a9c3089c35afbf83ec1797a2a1a4bce7ea195db60febfbdf8929aa7d49b138781618f98ddc52c5d1e1e6d003e2e7c

C:\Users\Admin\AppData\Local\Temp\is-3CIOV.tmp\s2.exe

MD5 757c922baacb619f3823e9f1b2f6a49f
SHA1 d7f030fc9fe2df18fd891804c89a56d698d32fc4
SHA256 e9c9932ba000a141fd12ffbdd0a14567168baee363496c6fa3945bba22d45bc3
SHA512 87ce7731849c4393c69ccf722590d7dfd97a9c3089c35afbf83ec1797a2a1a4bce7ea195db60febfbdf8929aa7d49b138781618f98ddc52c5d1e1e6d003e2e7c

C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp

MD5 73db3e66d044251d06663356654521c3
SHA1 8b8d62187bd48a16f2812f2798931b3f4cc56c77
SHA256 fad695c51030e30ee764262d33a3ce6ef54a77c7370c31de85593cb5a489144e
SHA512 28004092ff0cb3049836be911a026e069fb7db99f0ea5e59113fac8530f64dfa40bb6e118e51f84258424f73a5528d351c85a2b01aa20a4dc693ef1f436421d0

memory/5224-946-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FBCUJ.tmp\PEInjector.dll

MD5 a4cf124b21795dfd382c12422fd901ca
SHA1 7e2832f3b8b8e06ae594558d81416e96a81d3898
SHA256 9e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7
SHA512 3ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd

memory/2592-1078-0x000001D9B9AA0000-0x000001D9B9AB0000-memory.dmp

memory/2592-1122-0x000001D9B9AA0000-0x000001D9B9AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VVG8I.tmp\s2.tmp

MD5 73db3e66d044251d06663356654521c3
SHA1 8b8d62187bd48a16f2812f2798931b3f4cc56c77
SHA256 fad695c51030e30ee764262d33a3ce6ef54a77c7370c31de85593cb5a489144e
SHA512 28004092ff0cb3049836be911a026e069fb7db99f0ea5e59113fac8530f64dfa40bb6e118e51f84258424f73a5528d351c85a2b01aa20a4dc693ef1f436421d0

C:\Users\Admin\Programs\Adblock\Adblock.exe

MD5 b6ffb3bc883521a468662c232b2a2c84
SHA1 1ac32d19242edb763cdf4acce92e829727a6c607
SHA256 8785a1e8ab78484e9f6c8075358143fb84b937e55549a0374a57c975723f4ae5
SHA512 b7daa98b7ecf7141c04d3c245c5c6be84c473512f9b1468183f397beb7229a7b836a131f4952e6f1da822c7cfe10d1f4c17b5ee537cee462232ae9bd378617e4

C:\Users\Admin\Programs\Adblock\Adblock.exe

MD5 b6ffb3bc883521a468662c232b2a2c84
SHA1 1ac32d19242edb763cdf4acce92e829727a6c607
SHA256 8785a1e8ab78484e9f6c8075358143fb84b937e55549a0374a57c975723f4ae5
SHA512 b7daa98b7ecf7141c04d3c245c5c6be84c473512f9b1468183f397beb7229a7b836a131f4952e6f1da822c7cfe10d1f4c17b5ee537cee462232ae9bd378617e4

C:\Users\Admin\Programs\Adblock\MassiveService.dll

MD5 bb7f507f09eaea2afaa62ffc03a54eb9
SHA1 23cd987db0f877af76e91a7e3597260a73d936fd
SHA256 70f2ca248c1eafbc6e8dbf35e2a0cd358816ee7069051f34b2c026f8142febf5
SHA512 b3c7859b7e65de43f725f8c11286fa93da3b3b3da30b4659cf92d2c4c89ef6fe5f8b7c0a6e679b44c9592adb3c40aa5fc7ca0678f69d1bb38f50f17a533ed2e5

C:\Users\Admin\Programs\Adblock\MassiveService.dll

MD5 bb7f507f09eaea2afaa62ffc03a54eb9
SHA1 23cd987db0f877af76e91a7e3597260a73d936fd
SHA256 70f2ca248c1eafbc6e8dbf35e2a0cd358816ee7069051f34b2c026f8142febf5
SHA512 b3c7859b7e65de43f725f8c11286fa93da3b3b3da30b4659cf92d2c4c89ef6fe5f8b7c0a6e679b44c9592adb3c40aa5fc7ca0678f69d1bb38f50f17a533ed2e5

C:\Users\Admin\Programs\Adblock\WinSparkle.dll

MD5 a9f6113bf04e82b2ccb49bf7dd18d124
SHA1 f1402f8d649bc7754536fd043e57d705e3c17c65
SHA256 67d513ff02b53edae0726a6580cfb298d860a7cf261284c00722617e594d06cf
SHA512 319ae66901530af278e45cdd0599039955c39fe1eafb4e624bb47a0440e3a65001de917120c0ce59cbc279505a8d807de5f6ac111bf3f298e6c553fd000b92a9

C:\Users\Admin\Programs\Adblock\WinSparkle.dll

MD5 a9f6113bf04e82b2ccb49bf7dd18d124
SHA1 f1402f8d649bc7754536fd043e57d705e3c17c65
SHA256 67d513ff02b53edae0726a6580cfb298d860a7cf261284c00722617e594d06cf
SHA512 319ae66901530af278e45cdd0599039955c39fe1eafb4e624bb47a0440e3a65001de917120c0ce59cbc279505a8d807de5f6ac111bf3f298e6c553fd000b92a9

C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll

MD5 90c7bde39601db4ec7a89b7bbb17e271
SHA1 dd4012df902070c9d00f5caf16d6b12334c7f02e
SHA256 c466bf25cab4fdda7089d2447e33733d2769ae0f12a281c999505a1471f7cce5
SHA512 34957791698b7e073c63ab3e58395ddd9af089e27cdc152a1f18b38b91566965890f6fa8ff3dc5c16b9bc8837ee7ea9d7a1ba34547af6af88e94ed92809cbf46

C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll

MD5 90c7bde39601db4ec7a89b7bbb17e271
SHA1 dd4012df902070c9d00f5caf16d6b12334c7f02e
SHA256 c466bf25cab4fdda7089d2447e33733d2769ae0f12a281c999505a1471f7cce5
SHA512 34957791698b7e073c63ab3e58395ddd9af089e27cdc152a1f18b38b91566965890f6fa8ff3dc5c16b9bc8837ee7ea9d7a1ba34547af6af88e94ed92809cbf46

C:\Users\Admin\Programs\Adblock\nvml.dll

MD5 89b1ed3141d6aa0518ed5f137880e5e6
SHA1 af2cc67b4cc35ff8687d5516992a683f06c84d38
SHA256 691fed97d57250203d5b5241d2580f3e3a76e1dbc9d45d6f1383688b1ba733f3
SHA512 06ff10e04bfe782067a8ea00c5bd3885a2ee9b844a6c732f7465d27270654219584ec9fcd21e1569c1b34251bace0df177fa7e888c4269943af3398f6ef3e09e

C:\Users\Admin\Programs\Adblock\nvml.dll

MD5 89b1ed3141d6aa0518ed5f137880e5e6
SHA1 af2cc67b4cc35ff8687d5516992a683f06c84d38
SHA256 691fed97d57250203d5b5241d2580f3e3a76e1dbc9d45d6f1383688b1ba733f3
SHA512 06ff10e04bfe782067a8ea00c5bd3885a2ee9b844a6c732f7465d27270654219584ec9fcd21e1569c1b34251bace0df177fa7e888c4269943af3398f6ef3e09e

C:\Users\Admin\Programs\Adblock\Adblock.exe

MD5 b6ffb3bc883521a468662c232b2a2c84
SHA1 1ac32d19242edb763cdf4acce92e829727a6c607
SHA256 8785a1e8ab78484e9f6c8075358143fb84b937e55549a0374a57c975723f4ae5
SHA512 b7daa98b7ecf7141c04d3c245c5c6be84c473512f9b1468183f397beb7229a7b836a131f4952e6f1da822c7cfe10d1f4c17b5ee537cee462232ae9bd378617e4

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe

MD5 13235d2949319011e44a1ff3861725f7
SHA1 f0bf4a0ecfab17f4a65bc330b5ba38c0bad5ab31
SHA256 f57fec732e10fe48f62137c4f4aa1b602ffe4dbfde42f0aa73fabbfdcc94879c
SHA512 b1c92da54516c11bb0814dd26961f73fd50a3373e3d701e537473d838b29ed5e15067bc5aba55a867b7a504714f5360bd79eb1625175067258a339be1fda92be

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe

MD5 13235d2949319011e44a1ff3861725f7
SHA1 f0bf4a0ecfab17f4a65bc330b5ba38c0bad5ab31
SHA256 f57fec732e10fe48f62137c4f4aa1b602ffe4dbfde42f0aa73fabbfdcc94879c
SHA512 b1c92da54516c11bb0814dd26961f73fd50a3373e3d701e537473d838b29ed5e15067bc5aba55a867b7a504714f5360bd79eb1625175067258a339be1fda92be

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adblock.lnk

MD5 e25e02745c02bc7514162362b2cf8c0e
SHA1 cf49b12e68e115bda60ef268714faa7b9944044e
SHA256 cba22920a6d07332b01518d802252e3ddc276d59ae9e42e50ce22b025da270c6
SHA512 5415ec22b6e3dc3f6b35dca472f9869ee42631174bfbed5b3ba43f1057544549299ab5d002e6d64c74e5126eb0de11f3e6df97b7704c066d1054ba511b1b5a4d

C:\Users\Admin\Programs\Adblock\domains\initial\adservers.conf

MD5 c7183c7e129894d2634e14d86c2c9d94
SHA1 40a97a2d57daccd4ae455958be3f0c44aef12521
SHA256 1c288bd7a4bf7bf322f3c2949f65af3302019e93e7f92f211955a15c666a4a8b
SHA512 56a1add9de07eb49de8440f00772b211e382dc244a5cd9d5d4c7ae73cf56abdb2e76f3cdb1d81cc8d2cd0e21616844f20c9e24c9f3b21a46307c983a455b5e8b

C:\Users\Admin\Programs\Adblock\domains\initial\facebook.conf

MD5 ba1435f50eb74c8a1ad64a75eb9d478b
SHA1 70ef49a54615637db396ddde8fb011bd62af1e4c
SHA256 5a718bc1916d74a426905484022551fa3ec4da678b0b1126f1d5cf674b42054d
SHA512 d73240e16152de66c5bd20a270528ac93d66d14e7458e753254767c37c7b292197e0fd1e3c4b4b44d91bf720c038d2df294b1ae1a5884dda45d4955b248fe9e5

memory/5224-1377-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Users\Admin\Programs\Adblock\SPCDNS.dll

MD5 2317bb1292fd34d690939a3106d9dff5
SHA1 bfb3aaa607c56c51cee81058c327690bdf91ea4c
SHA256 7a4dbe513762a9d94d6912a6011e0ddc529ef78b007952722a727f87d7f56286
SHA512 75f148648eecd2dd2f03d2b2d0b18d44bb077117537ca37c995f7ae660d20f0c6a6b5bbf2906eb05671eb1b356ae6bb51149f0ed912777c499e589a4658a22c9

C:\Users\Admin\Programs\Adblock\SPCDNS.dll

MD5 2317bb1292fd34d690939a3106d9dff5
SHA1 bfb3aaa607c56c51cee81058c327690bdf91ea4c
SHA256 7a4dbe513762a9d94d6912a6011e0ddc529ef78b007952722a727f87d7f56286
SHA512 75f148648eecd2dd2f03d2b2d0b18d44bb077117537ca37c995f7ae660d20f0c6a6b5bbf2906eb05671eb1b356ae6bb51149f0ed912777c499e589a4658a22c9

C:\Users\Admin\Programs\Adblock\DnsService.exe

MD5 d5870deabe2d3ab3a15196522c47ebf5
SHA1 f34f7b32c827d0bc204105d48da551da691fd057
SHA256 22b2cd4f3c6644712914dcf376f3f15c6c73e7ee2d99ec426490a27d5e6d5a62
SHA512 d02b56ea5b8b294c187366696524bead82c5bbd78992c1d2ec4ea22fddfc4be84a42853485e94ab77b7dfafd3126d839b99847a8f2d1feab3b372d9db289029d

C:\Users\Admin\Programs\Adblock\DnsService.exe

MD5 d5870deabe2d3ab3a15196522c47ebf5
SHA1 f34f7b32c827d0bc204105d48da551da691fd057
SHA256 22b2cd4f3c6644712914dcf376f3f15c6c73e7ee2d99ec426490a27d5e6d5a62
SHA512 d02b56ea5b8b294c187366696524bead82c5bbd78992c1d2ec4ea22fddfc4be84a42853485e94ab77b7dfafd3126d839b99847a8f2d1feab3b372d9db289029d

C:\Users\Admin\Programs\Adblock\dns.conf

MD5 d9229b2bf6ea93565ebbeb81459025c1
SHA1 5b8af056d1a853b73ac94903edd1d6f167af8d22
SHA256 f975168980dc06d1f64400c045f73e13e4e68ab8f350aa23304924461cce1cb6
SHA512 ab8650d51b0606738001e70acb28f18a7b3a89445ba64f1264908e6d9cc6a94fa93d7b35377e817a5db98e8050c8c9942782ddccceb0c9795f3e05b5e9d4304c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 de4f5fd06322379f981eaf908c1500f1
SHA1 428e1352bf1543263564feadbd8d7faa7fdef7da
SHA256 5f7041c8245b228a8060312d330e6b4a190a2701aff38d091bec844f7e4972a3
SHA512 11e4d6ae0599c8e0e71ed92f4593320ac6c970a6f3d78dab83b6be0b1b313fbf14491b838a2baf104c3118aadcbd9e964d49c9d38ec3fcce0128b61c4439a91f

memory/2592-1554-0x000001D9B9AA0000-0x000001D9B9AB0000-memory.dmp

memory/2592-1576-0x000001D9B9AA0000-0x000001D9B9AB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\usage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\usage\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\Update-50775ef7-a0eb-4929-8c31-b9cca5ebdeac\AdblockInstaller.exe

MD5 702ac5e0f27caa9c0e7d5ad7480d27a5
SHA1 639a80af3b0b27d5ff3f94c83f28ba8dcb22574c
SHA256 264eca2d04af6d55e302f7dc5a74a86cbd5a8d619488ad248374a2f6af106dd0
SHA512 9b8e871615ea23518c99d9903cafd89abc264eece6b9fdf64c9fdd28a2531f0e0e6ae43cbf64ec69b76d8c51f0922c7e6dd63e47c1a4bc303564793d40fb09a2

memory/6908-1673-0x00000000008C0000-0x00000000008C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JOJBG.tmp\PEInjector.dll

MD5 a4cf124b21795dfd382c12422fd901ca
SHA1 7e2832f3b8b8e06ae594558d81416e96a81d3898
SHA256 9e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7
SHA512 3ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd

C:\Windows\System32\drivers\etc\hosts

MD5 008fba141529811128b8cd5f52300f6e
SHA1 1a350b35d82cb4bd7a924b6840c36a678105f793
SHA256 ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA512 80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

C:\Windows\System32\drivers\etc\hosts

MD5 3a19121498aa4a500f33519964565b99
SHA1 a881fe7bce9804b653a087a073c97472ca27fc14
SHA256 e5c414ee59ffc5fe19bf968ecadd6271ffcd1fc22b51ef772dfcfe956579f9ec
SHA512 c70fdacebd725b43fe65f84cbf9d7ddf9e9c95919b58d772211b2aa9fc2f24639fb13080a8fb38a6688ffa95ca14d4855e882f8f92a346bae6c134db1cffafc9

C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\inetc.dll

MD5 cab75d596adf6bac4ba6a8374dd71de9
SHA1 fb90d4f13331d0c9275fa815937a4ff22ead6fa3
SHA256 89e24e4124b607f3f98e4df508c4ddd2701d8f7fcf1dc6e2aba11d56c97c0c5a
SHA512 510786599289c8793526969cfe0a96e049436d40809c1c351642b2c67d5fb2394cb20887010727a5da35c52a20c5557ad940967053b1b59ad91ca1307208c391

C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\xml.dll

MD5 42df1fbaa87567adf2b4050805a1a545
SHA1 b892a6efbb39b7144248e0c0d79e53da474a9373
SHA256 e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845
SHA512 4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\unicode.dll

MD5 51d0cb97e99ec2c7d39714d600377cdb
SHA1 0264565c9d67b6d95b2e9a9df0fccf11d1638b45
SHA256 ddbc0589401c65c4bcec03bd51c02cfdce40f2885f44846b36dd00bb57a88625
SHA512 b5513365b349474131b02a52317f51cfe8996e4fa51db5fcd1d34cbe9da86cab74f12e6fc79ad070a91a8802e1499b1252c5ded696aacc91b694440ed1c3c459

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\TapAction[2].htm

MD5 2e5751b7cfd7f053cd29e946fb2649a4
SHA1 1ee9183b1f737da4d348ea42281bd1dd682c5d52
SHA256 7daed43814b633951fa277cd01695574df6e05a9cb10523f1763e842b06be0ff
SHA512 3595817cf0e1f1852bc3d279f38df6f899ca963dedd143af810d3c50844a7ca3e0c25be6d3761e9a7010641756110c344ab57e6e5fe3e89a4cb6532705a8c47d

C:\Users\Admin\AppData\Roaming\hseguec

MD5 56c6dc11344ec09e1587de2e2f15d489
SHA1 82f9b8a2260a796648b9ea9f06e4be85aeb60399
SHA256 3350f50e705b773254b1506e65950b9d610e97b6d002fd02c0307f1e8abf2a3a
SHA512 0e496b07316b29a4affdb1a79651190ebbcb4f8a22c02b3c29a5d79567aac03b9a9f839a61d739aa2ce0c08db53a4b0c50da2548e9f145beae799781e03f2528

memory/3192-3079-0x0000000001180000-0x000000000118F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbA385.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\~os5177.tmp\pmservice.exe

MD5 7cfa0fd9a852db026ffe2d44c74ab533
SHA1 776e26c505fb349caf28897d2bf373131f699c1f
SHA256 4efb75b693e1c9e0d337e4203cf2e5003ab7ae2c4d60ca4095322da4f6586096
SHA512 1d9bc307c909523c553d1e707c28009d4d343b7ca3d561be80b8b85341089fa4da5ede9c445e4ecce18a48e0d0e12c134c6dc95a8475c98e430e4c6ef9683315

C:\Program Files (x86)\PremierOpinion\pmls64.dll

MD5 c038c7a5f9320242300bd7c435dc0dcd
SHA1 e65f83fb724238207d55301b6ebc73aed86b1aa7
SHA256 dd0f6f7a1b72daab980c51ae654dd80831cbee5bbfd6eed09224a76513c0c12c
SHA512 db6f5410abc9ad15f2f1f03d8f53c9da2f66b9db9e6f782991df68ddc4602cc8ecb33c9a76e62ecc06460c9a4efa6acb1399b6ecd867cd4c56d53c1613a311ed

C:\Program Files (x86)\PremierOpinion\pmropn64.exe

MD5 543ad9de900fb7363c16e5f6dddc2bc9
SHA1 3373f88285ab603e71f91155cb3099bac583608b
SHA256 9085c6d73cbf769924f2116b1824dd4f1a14ce03d5658587d10dfbbc24d49a19
SHA512 1fde395263b936d445a49655dad18f52b3af2c20b1e46005d2e27f33427ae14cd3f6b270664df018576288eb953211ab5007e8065898f07519a44ef4a6b19afe

C:\Users\Admin\AppData\Local\Temp\~os5177.tmp\pmls.dll

MD5 0ba9ecf96bed0720b93c941809f5e315
SHA1 c80ca9d8e6a3cde9df5580fba9b3664f6d128d97
SHA256 ef5188707e91d8a8412129f69ca3b8204df3519c582e61d94074e3d5f644a7b5
SHA512 80feb15a693641d402f95f5082be27905b496419d364d0d54a8ba9085e34a1f43dea74df2429c76e7b9a12a6b363d59d99136b7127abb0cc0f5d137f136b7791

C:\Program Files (x86)\PremierOpinion\pmropn32.exe

MD5 873e1d723a8f52a0c775eacec02fcc4e
SHA1 263291dee3b33b0fa0dba2234ace7780c95dba84
SHA256 4003b56e19ff2ef868ec228f8ade7717654743fd7674e4849cc561f57fcaf81a
SHA512 fb2c0edc7a1de2c6f6cf4ea9dee183b7ea9b9211f94fd34860ed9bdf705324f1a25ffbf05dae46c56220660abeeca71a3e81c6e9dbacf0830ee8f1943a513c06

C:\Program Files (x86)\PremierOpinion\pmropn.exe

MD5 dc4501a9f1ac246caa8998c8fe1002eb
SHA1 b81a460cd947f685ff8cee251ba7808523152552
SHA256 2f04cdd89ae79b81070ed7ca5b3851a8ef4df59fd41e83dde24c87da5464c78d
SHA512 184b6a6126b9aa240b4c56002e9e8dec925d8457bd1150cf8de86d47a12baed1383d75afc4d51c72b456abe0134e4c7f0641b3132a16e7c4f17a51a4e2300bd7

memory/788-3635-0x00007FFD40AD0000-0x00007FFD40AE0000-memory.dmp

memory/1516-3646-0x0000000001470000-0x00000000014F0000-memory.dmp

memory/1516-3647-0x0000000001400000-0x000000000146B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D010.tmp

MD5 651d855bcf44adceccfd3fffcd32956d
SHA1 45ac6cb8bd69976f45a37bf86193bd4c8e03fce9
SHA256 4ada554163d26c8a3385d4fe372fc132971c867e23927a35d72a98aadb25b57b
SHA512 67b4683a4e780093e5b3e73ea906a42c74f96a9234845114e0ea6e61ab0308c2e5b7f12d3428ce5bf48928863c102f57c011f9cdc4589d2d82c078b3db70c31f

C:\Users\Admin\AppData\Local\Temp\D031.tmp

MD5 780853cddeaee8de70f28a4b255a600b
SHA1 ad7a5da33f7ad12946153c497e990720b09005ed
SHA256 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512 e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

memory/4376-3667-0x00000000001E0000-0x00000000001EC000-memory.dmp

memory/1516-3668-0x0000000001400000-0x000000000146B000-memory.dmp

memory/3400-3671-0x0000000000B20000-0x0000000000B2B000-memory.dmp

memory/3400-3670-0x0000000000B30000-0x0000000000B37000-memory.dmp

memory/10192-3673-0x00000000006C0000-0x00000000006C9000-memory.dmp

memory/10192-3674-0x00000000006B0000-0x00000000006BF000-memory.dmp

memory/9252-3677-0x0000000000990000-0x0000000000999000-memory.dmp

memory/9252-3676-0x00000000009A0000-0x00000000009A5000-memory.dmp

memory/9340-3679-0x00000000012E0000-0x00000000012E6000-memory.dmp

memory/9340-3680-0x00000000012D0000-0x00000000012DC000-memory.dmp

memory/9352-3684-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

memory/9352-3685-0x0000000000AE0000-0x0000000000AEB000-memory.dmp

memory/8276-3688-0x0000000001080000-0x000000000108D000-memory.dmp

memory/8276-3687-0x0000000001090000-0x0000000001097000-memory.dmp

memory/3400-3689-0x0000000000B30000-0x0000000000B37000-memory.dmp

memory/10192-3690-0x00000000006C0000-0x00000000006C9000-memory.dmp

memory/9252-3691-0x00000000009A0000-0x00000000009A5000-memory.dmp

memory/9340-3693-0x00000000012E0000-0x00000000012E6000-memory.dmp

memory/9352-3695-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

memory/8276-3696-0x0000000001090000-0x0000000001097000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3445.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5a10efe23009825eadc90c37a38d9401
SHA1 fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0
SHA256 05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5
SHA512 89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c1a3c45dc07f766430f7feaa3000fb18
SHA1 698a0485bcf0ab2a9283d4ebd31ade980b0661d1
SHA256 adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48
SHA512 9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5edab6d3ffbeee247ccb4423f929a323
SHA1 a4ad201d149d59392a2a3163bd86ee900e20f3d9
SHA256 460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933
SHA512 263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 32b25c1bd3d0842d89f1d2f13bc529d4
SHA1 f505d2fb02b044649a42e048953f8fb8b9460b6d
SHA256 9aaa72d1b651c1f9a45cdac0397ccb96a5536f5d959ec2cb07f52e18c697d31d
SHA512 fe12202a9bffb5aceae1bd0490fe676c25e3553196a0ed5595146ec5591a48b0589664fc567d13820deb170fe215bf910ee19bed99b01974471afa34dd14bf12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

MD5 eb9b32160523bfbd5d7c245aed05e423
SHA1 225a46df2d844bbc98ebade6abee49d541e88777
SHA256 bbb8aa446da7f59bcd4d03ebb84c34ded389d2d501e553dc662f08c207ebb2a3
SHA512 a9a7ac068aff62396041f56a00f63a277809f0dee4ebea9baf948bff7cb3eb6fc7b97f45505f48b84ae866d363f840c89db5104f3f5b33caba9d741e351023e6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 02a7a2dde8032906003cf650a8bd6581
SHA1 9e40288b9be22406bc66e880bb54947d6222c16f
SHA256 f503ae84babcd56a75b1113b24ccc3260b6554f3dc1074c56c9c6b4760b2c724
SHA512 eee201ea115d34fe3ef39a4cb1fe23f893f023e6b5b13fbedd34504642f18b57ecc3346523d8153ac52ff9d26534a294dc841b33d58fe4b204c14f7a9909f6b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 810873ec5bb4dd16e28dddc61f9c676e
SHA1 0467fc77080908e3ef0ee015f0c6e57b949e5afa
SHA256 dba1e16aa8a1983e734806ba8121ced9e1d8a93f92d94178ddd1ef71ef20a455
SHA512 e6e7b645321e7d55c827508f01c840af07edd92b29663f3de0d39d119c15cd5782d45b6cc57484a97334c9d5c384c6a9ba6b41b33c1b236cd09ec669f270f8a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 12c2ac4d6d0c84df51e211beea95be04
SHA1 a49560f3a5853557981e658e4b01eca6c49893e2
SHA256 91e32d9fbc1499da491fba65b620fd94b1efa03aca88482e61664786c34189d2
SHA512 50d9a0acf16f0a9dbdab52f159ac5ee88b97366828175420f5ceb38103924f301143f7b19d93b22bcf8099f3d549258d5d3a2d8170ce15e47e718ccdf66fbc3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 784a51387993e9aeb34d4ad4ed93ab48
SHA1 1cbf9ea1b6c2ea18c8670f26ebf9c11d7d245bc4
SHA256 567af49b26f4676e8c8ad07b34db13ae7a9e19ba01e6bd1af390a611b44413f8
SHA512 ba34c55cea5840723b16f09f0a790f823a5a65657f8163018cbfcbc3a13c83b1b4b6a1f8ca0fe188c1ba7d78cc9319889235c0f6042a2013755fc6d820e4b9e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cd7926ae6d7b38b3e8d11bf99bf13e2a
SHA1 239f543d27c039c6f5565a93f42f920d65dd12f7
SHA256 8eecfe11edf4a875d871df82b4f68782bf80fc5365a41bb0a11b7e94ec6fe85c
SHA512 8bec96c0e53fc41448def76e9afc5c8383a072d7c7c938f1d917294a4f0f5af15fdad6f31fc591a411e1f81e033d0a3432c417aecd70cf2b2232f43c658b1e9d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 ebef7fdc56937aaa030d0fa7526edc5d
SHA1 9498a34661ba545251f7341c7231d52f8ce99b02
SHA256 aff6b4abd93dd7e50682de04b9b4dfb2f6bc73e7ed617a69b6fc052a8d279906
SHA512 5170503e966557f451e6637cb4d7b8ff842068742e3f4151bf6d9621b3638ed232681e12e67dc4428995d23d06b27f1e56128db2dbee30c19d50749c47e6fd1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4c0baf6704bcc9e67e41020045b4f6c9
SHA1 3b345bb755620dc98bfc170be3ede5e65feba008
SHA256 13a7a84f221df6d19766efa964f03d5e999bac0a0a3a97b272202c67588b225f
SHA512 a4d4c32a68b5d1a00dad18da7601cc7b585974563886c3c428da2e8c5406718767fd75d63443327d4938acdb6ebbce7642b57fd4aa08d48c8791a2ad8bef060b