Malware Analysis Report

2025-04-13 09:51

Sample ID 230716-wb2xkshb2z
Target 2023-07-15.zip
SHA256 71f8c272463987c3323776ba0b07f2c500410b5aa8a1a50ae32f3e213d02413c
Tags
pdf link upx hacked sora unstable crypto rat default themida njrat blackmoon amadey gafgyt mirai redline sectoprat asyncrat djvu gcleaner healer netsupport lamp banker botnet discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71f8c272463987c3323776ba0b07f2c500410b5aa8a1a50ae32f3e213d02413c

Threat Level: Known bad

The file 2023-07-15.zip was found to be: Known bad.

Malicious Activity Summary

Async RAT payload

Healer

Asyncrat family

Gafgyt/Bashlite

Mirai

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey family

RedLine payload

Blackmoon family

Amadey

Djvu Ransomware

GCleaner

Detected Gafgyt variant

SectopRAT payload

Redline family

Sectoprat family

NetSupport

Gafgyt family

Blackmoon, KrBanker

Mirai family

Njrat family

Detect Blackmoon payload

njRAT/Bladabindi

Detects Healer an antivirus disabler dropper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Themida packer

Reads user/profile data of web browsers

Checks BIOS information in registry

Requests dangerous framework permissions

Checks computer location settings

UPX packed file

Windows security modification

Accesses 2FA software files, possible credential harvesting

Checks whether UAC is enabled

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

HTTP links in PDF interactive object

Program crash

Enumerates physical storage devices

One or more HTTP URLs in PDF identified

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Creates scheduled task(s)

Kills process with taskkill

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Runs net.exe

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-16 17:46

Signatures

Amadey family

amadey

Async RAT payload

rat

Asyncrat family

asyncrat

Blackmoon family

blackmoon

Detect Blackmoon payload

Detected Gafgyt variant

Gafgyt family

gafgyt

Mirai family

mirai

Njrat family

njrat

RedLine payload

Redline family

redline

SectopRAT payload

Sectoprat family

sectoprat

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A

Themida packer

themida

UPX packed file

upx

AutoIT Executable

HTTP links in PDF interactive object

pdf link

One or more HTTP URLs in PDF identified

pdf link

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-16 17:45

Reported

2023-07-16 18:02

Platform

win10v2004-20230703-en

Max time kernel

444s

Max time network

902s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-07-15.zip

Signatures

Amadey

trojan amadey

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Detected Gafgyt variant

Detects Healer an antivirus disabler dropper

Djvu Ransomware

ransomware djvu

GCleaner

loader gcleaner

Gafgyt/Bashlite

botnet gafgyt

Healer

dropper healer

Mirai

botnet mirai

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A

NetSupport

rat netsupport

RedLine

infostealer redline

njRAT/Bladabindi

trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\d9809524.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\06fa25bf45ac966436327e2941921b0c5592810b08a9d9f7a7b02a5047fa7301.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9203246.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7389349.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3008907.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\f25f6e9dcfd0c26519ea437ef7c7bbfb0072640b03868b1e450daaf63ccdfd4f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x6212548.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x6841492.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f5934149.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\f56e9c3379c3d9e10485aad4cf74e97dd4578b5f594a0ffa94da6e131faccc28.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\f99f8eb87369eca8dcb8c1ae4c964f39af5a2536bde56d95b67d65caa72a75e3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8556293.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x7853339.exe | N/A
N/A | N/A | C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f1478350.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\f8008675eee8ef82dd1b56c2b400ab345f415ca32bdafec51bc50ed4550c10ea.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2977053.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x5291614.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f6503608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\{48cf2340-19df-11ee-a94e-806e6f6e6963}\xnEcXPm2KiS2D.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\fc838e1a5e3f4ee801d8f9162ce93d36e8081ba32a85cc436229d5980942a6ae.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\v7064354.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\v4550162.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\v6014456.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\x1762007.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\x9359883.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\f7670901.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\d2ae032262a8f1a87b7545ac6c7a93d17f5ba60d142dc09cea56fd367794cb02.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\v9941993.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\v5108401.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\x4689687.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\x9660278.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\f4962868.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\8b6c0fc5b522a74102b87dc42c1fde82ff6783dd77bcb34801e946354b21122f.exe | N/A
N/A | N/A | \??\c:\xyx\rundl123.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\8b3b326b5933fe0df56ed8222a43f436799de3caa14ed09125bdbc537d56eb86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\y1886631.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\y3825745.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\7f14f9058b9aca46b621012998441597fcc6cea96d95c8585b2e085fc12b282a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\y4313616.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\y8978427.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\7e66ce12cb717f604e25134c168ddcde4e271e6235f4b5233d875d10de68ef45.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\x9429950.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\x2060363.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP034.TMP\f5241043.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2023-07-15\0e02bc2035e70151fd6ff41cd430a369188c063a8bf17b8e81ee55a6f5a612a5.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\y9416386.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\y9844077.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\l2165870.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\c2698527.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\l6857822.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe | N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\y9844077.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x7853339.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\v4550162.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\2023-07-15\8b3b326b5933fe0df56ed8222a43f436799de3caa14ed09125bdbc537d56eb86.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\x9359883.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup22 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP022.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\y3825745.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup29 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP029.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\7f14f9058b9aca46b621012998441597fcc6cea96d95c8585b2e085fc12b282a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\06fa25bf45ac966436327e2941921b0c5592810b08a9d9f7a7b02a5047fa7301.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7389349.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup10 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2977053.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\x9359883.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\v9941993.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup30 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP030.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\y4313616.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\x2060363.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\y8978427.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup37 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP037.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\y9844077.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\x1762007.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\2023-07-15\f25f6e9dcfd0c26519ea437ef7c7bbfb0072640b03868b1e450daaf63ccdfd4f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8556293.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\2023-07-15\f8008675eee8ef82dd1b56c2b400ab345f415ca32bdafec51bc50ed4550c10ea.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\x4689687.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup26 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP026.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\8b3b326b5933fe0df56ed8222a43f436799de3caa14ed09125bdbc537d56eb86.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup38 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP038.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\x1762007.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\f99f8eb87369eca8dcb8c1ae4c964f39af5a2536bde56d95b67d65caa72a75e3.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8556293.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup15 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP015.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\v6014456.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\x1762007.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\y4313616.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup19 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP019.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\d2ae032262a8f1a87b7545ac6c7a93d17f5ba60d142dc09cea56fd367794cb02.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\v5108401.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\2023-07-15\5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup23 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP023.TMP\\\"" | C:\Users\Admin\Desktop\2023-07-15\5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6.exe | N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\y1886631.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup31 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP031.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\y8978427.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup32 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP032.TMP\\\"" C:\Users\Admin\Desktop\2023-07-15\7e66ce12cb717f604e25134c168ddcde4e271e6235f4b5233d875d10de68ef45.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup33 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP033.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\x9429950.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2bd214cc-e934-4e0e-8220-2f9c2a6f43f2\\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe\" --AutoStart" C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x6841492.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup12 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP012.TMP\\\"" C:\Users\Admin\Desktop\2023-07-15\fc838e1a5e3f4ee801d8f9162ce93d36e8081ba32a85cc436229d5980942a6ae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\v6014456.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\Desktop\2023-07-15\7f14f9058b9aca46b621012998441597fcc6cea96d95c8585b2e085fc12b282a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup39 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP039.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\x9359883.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup13 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP013.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\v7064354.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup17 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP017.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\x1762007.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\y9416386.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup20 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP020.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\v9941993.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup35 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP035.TMP\\\"" C:\Users\Admin\Desktop\2023-07-15\0e02bc2035e70151fd6ff41cd430a369188c063a8bf17b8e81ee55a6f5a612a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9203246.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x6841492.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x7853339.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup16 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP016.TMP\\\"" C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\Desktop\2023-07-15\d2ae032262a8f1a87b7545ac6c7a93d17f5ba60d142dc09cea56fd367794cb02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup36 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP036.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\y9416386.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2977053.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup11 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP011.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x5291614.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\x9660278.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup27 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP027.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\y1886631.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\Desktop\2023-07-15\7e66ce12cb717f604e25134c168ddcde4e271e6235f4b5233d875d10de68ef45.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\Desktop\2023-07-15\f99f8eb87369eca8dcb8c1ae4c964f39af5a2536bde56d95b67d65caa72a75e3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup25 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP025.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\x9660278.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup34 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP034.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\x2060363.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-3N7UC.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Config\is-VKQDH.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-NJSDR.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File opened for modification C:\Program Files (x86)\RewSpacer714\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Config\is-FF6OS.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-ULV2E.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-Q5SBR.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-RLIAQ.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-S3GEV.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-V272C.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-OOQPT.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-J62M4.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-OQE2T.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\is-BDOTN.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-LCPAV.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-M8NR7.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-36PG0.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-KTVCF.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-BI6HV.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-JSL6Q.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-I44RF.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-F45KR.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-NH2ES.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-OTQ6C.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-IBLFD.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\is-3012H.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\is-7HFLD.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-DASIF.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-KF7A8.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-KQJQ8.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-63JGJ.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-EJ2H1.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-UN1HI.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Config\is-JTN3H.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Config\is-7N4LT.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-UE0TC.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-J12F3.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-CIAKS.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File opened for modification C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-H693E.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\is-O8L0P.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-AQREJ.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-O65OJ.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-JBIDV.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-U0V8E.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\is-7C22Q.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Config\is-BBEB4.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-T93AI.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-KE169.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-4ATQM.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-2MQ8G.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\is-6S0Q7.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-H6IH1.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-OUAGF.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-A4VDO.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-SDFRC.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-BDE7K.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-7Q0HF.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-4RLRR.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-510F9.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-QCUJL.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-M4FGJ.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
File created C:\Program Files (x86)\RewSpacer714\Skins\Blue\is-6AP11.tmp C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A

HTTP links in PDF interactive object

pdf link
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\c2698527.exe
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\c0b4b7b1183401644c556b5cc8e92c0f13970a370fca43635785f65f81e9a1d5.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\93cd731eed51206fecdd8256968f39f07ba9d95087570d076a355bcf2012394c.exe
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\Desktop\2023-07-15\93cd731eed51206fecdd8256968f39f07ba9d95087570d076a355bcf2012394c.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\xyx\rundl123.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\xyx\rundl123.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\2 = 4a00310000000000e3562c6510006f647400380009000400efbee3562c65e3562c652e000000d9ef0100000007000000000000000000000000000000de5c63006f0064007400000012000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1350" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\2\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\0\0\0\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\3\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000010000000300000000000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = 03000000000000000200000001000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\0\0\0\1\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "550" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\3\NodeSlot = "17" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "66" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\d9809524.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-07-15\f56e9c3379c3d9e10485aad4cf74e97dd4578b5f594a0ffa94da6e131faccc28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp N/A
N/A N/A C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-07-15\8b6c0fc5b522a74102b87dc42c1fde82ff6783dd77bcb34801e946354b21122f.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-07-15\8b6c0fc5b522a74102b87dc42c1fde82ff6783dd77bcb34801e946354b21122f.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A \??\c:\xyx\rundl123.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 4632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 4052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 2184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 2184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-07-15.zip

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2023-07-15\" -spe -an -ai#7zMap93:78:7zEvent406

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd1e8e46f8,0x7ffd1e8e4708,0x7ffd1e8e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalTester-2.0-master\" -spe -an -ai#7zMap4692:102:7zEvent24162

C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe

"C:\Users\Admin\Desktop\2023-07-15\MalTester2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Users\Admin\Desktop\2023-07-15\06fa25bf45ac966436327e2941921b0c5592810b08a9d9f7a7b02a5047fa7301.exe

06fa25bf45ac966436327e2941921b0c5592810b08a9d9f7a7b02a5047fa7301.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9203246.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9203246.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7389349.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7389349.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0794642.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3008907.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3008907.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2377580323699580327,17283865449961574941,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4672 /prefetch:2

C:\Users\Admin\Desktop\2023-07-15\f25f6e9dcfd0c26519ea437ef7c7bbfb0072640b03868b1e450daaf63ccdfd4f.exe

"C:\Users\Admin\Desktop\2023-07-15\f25f6e9dcfd0c26519ea437ef7c7bbfb0072640b03868b1e450daaf63ccdfd4f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x6212548.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x6212548.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x6841492.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x6841492.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f5934149.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f5934149.exe

C:\Users\Admin\Desktop\2023-07-15\f56e9c3379c3d9e10485aad4cf74e97dd4578b5f594a0ffa94da6e131faccc28.exe

"C:\Users\Admin\Desktop\2023-07-15\f56e9c3379c3d9e10485aad4cf74e97dd4578b5f594a0ffa94da6e131faccc28.exe"

C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7UT4I.tmp\is-L4NNF.tmp" /SL4 $60236 "C:\Users\Admin\Desktop\2023-07-15\f56e9c3379c3d9e10485aad4cf74e97dd4578b5f594a0ffa94da6e131faccc28.exe" 1461412 69120

C:\Users\Admin\Desktop\2023-07-15\f99f8eb87369eca8dcb8c1ae4c964f39af5a2536bde56d95b67d65caa72a75e3.exe

"C:\Users\Admin\Desktop\2023-07-15\f99f8eb87369eca8dcb8c1ae4c964f39af5a2536bde56d95b67d65caa72a75e3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8556293.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8556293.exe

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 14

C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe

"C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe"

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x7853339.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x7853339.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f1478350.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f1478350.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 14

C:\Users\Admin\Desktop\2023-07-15\f8008675eee8ef82dd1b56c2b400ab345f415ca32bdafec51bc50ed4550c10ea.exe

"C:\Users\Admin\Desktop\2023-07-15\f8008675eee8ef82dd1b56c2b400ab345f415ca32bdafec51bc50ed4550c10ea.exe"

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2977053.exe

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2977053.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x5291614.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x5291614.exe

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f6503608.exe

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f6503608.exe

C:\Users\Admin\AppData\Roaming\{48cf2340-19df-11ee-a94e-806e6f6e6963}\xnEcXPm2KiS2D.exe

C:\Users\Admin\Desktop\2023-07-15\fc838e1a5e3f4ee801d8f9162ce93d36e8081ba32a85cc436229d5980942a6ae.exe

"C:\Users\Admin\Desktop\2023-07-15\fc838e1a5e3f4ee801d8f9162ce93d36e8081ba32a85cc436229d5980942a6ae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\v7064354.exe

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\v7064354.exe

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\v4550162.exe

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\v4550162.exe

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\v6014456.exe

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\v6014456.exe

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\a3970777.exe

C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe

"C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe"

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\x1762007.exe

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\x1762007.exe

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\x9359883.exe

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\x9359883.exe

C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\f7670901.exe

C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\f7670901.exe

C:\Users\Admin\Desktop\2023-07-15\d2ae032262a8f1a87b7545ac6c7a93d17f5ba60d142dc09cea56fd367794cb02.exe

"C:\Users\Admin\Desktop\2023-07-15\d2ae032262a8f1a87b7545ac6c7a93d17f5ba60d142dc09cea56fd367794cb02.exe"

C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\v9941993.exe

C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\v9941993.exe

C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\v5108401.exe

C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\v5108401.exe

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\v9098000.exe

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\v9098000.exe

C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe

C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\a0991154.exe

C:\Users\Admin\Desktop\2023-07-15\5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6.exe

"C:\Users\Admin\Desktop\2023-07-15\5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\x4689687.exe

C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\x4689687.exe

C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\x9660278.exe

C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\x9660278.exe

C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\f4962868.exe

C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\f4962868.exe

C:\Users\Admin\Desktop\2023-07-15\8b6c0fc5b522a74102b87dc42c1fde82ff6783dd77bcb34801e946354b21122f.exe

"C:\Users\Admin\Desktop\2023-07-15\8b6c0fc5b522a74102b87dc42c1fde82ff6783dd77bcb34801e946354b21122f.exe"

\??\c:\xyx\rundl123.exe

"c:\xyx\rundl123.exe"

C:\Users\Admin\Desktop\2023-07-15\8b3b326b5933fe0df56ed8222a43f436799de3caa14ed09125bdbc537d56eb86.exe

"C:\Users\Admin\Desktop\2023-07-15\8b3b326b5933fe0df56ed8222a43f436799de3caa14ed09125bdbc537d56eb86.exe"

C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\y1886631.exe

C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\y1886631.exe

C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\y3825745.exe

C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\y3825745.exe

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\k3248676.exe

C:\Users\Admin\Desktop\2023-07-15\7f14f9058b9aca46b621012998441597fcc6cea96d95c8585b2e085fc12b282a.exe

"C:\Users\Admin\Desktop\2023-07-15\7f14f9058b9aca46b621012998441597fcc6cea96d95c8585b2e085fc12b282a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\y4313616.exe

C:\Users\Admin\AppData\Local\Temp\IXP029.TMP\y4313616.exe

C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\y8978427.exe

C:\Users\Admin\AppData\Local\Temp\IXP030.TMP\y8978427.exe

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\k2934424.exe

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\k2934424.exe

C:\Users\Admin\Desktop\2023-07-15\7e66ce12cb717f604e25134c168ddcde4e271e6235f4b5233d875d10de68ef45.exe

"C:\Users\Admin\Desktop\2023-07-15\7e66ce12cb717f604e25134c168ddcde4e271e6235f4b5233d875d10de68ef45.exe"

C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\x9429950.exe

C:\Users\Admin\AppData\Local\Temp\IXP032.TMP\x9429950.exe

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\b6138604.exe

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\b6138604.exe

C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\x2060363.exe

C:\Users\Admin\AppData\Local\Temp\IXP033.TMP\x2060363.exe

C:\Users\Admin\AppData\Local\Temp\IXP034.TMP\f5241043.exe

C:\Users\Admin\AppData\Local\Temp\IXP034.TMP\f5241043.exe

C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe

"C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe"

C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe

C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\b2535753.exe

C:\Users\Admin\Desktop\2023-07-15\0e02bc2035e70151fd6ff41cd430a369188c063a8bf17b8e81ee55a6f5a612a5.exe

"C:\Users\Admin\Desktop\2023-07-15\0e02bc2035e70151fd6ff41cd430a369188c063a8bf17b8e81ee55a6f5a612a5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\y9416386.exe

C:\Users\Admin\AppData\Local\Temp\IXP035.TMP\y9416386.exe

C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\y9844077.exe

C:\Users\Admin\AppData\Local\Temp\IXP036.TMP\y9844077.exe

C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe

C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\k7357202.exe

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\l2165870.exe

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\l2165870.exe

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\c2698527.exe

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\c2698527.exe

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\l6857822.exe

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\l6857822.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5872 -ip 5872

C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe

"C:\Users\Admin\Desktop\2023-07-15\ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839.exe"

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\x1762007.exe

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\x1762007.exe

C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\x9359883.exe

C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\x9359883.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\f7670901.exe

C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\f7670901.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\d9809524.exe

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\d9809524.exe

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "RewSpacer714.exe" /f & erase "C:\Program Files (x86)\RewSpacer714\RewSpacer714.exe" & exit

C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\l2831548.exe

C:\Users\Admin\AppData\Local\Temp\IXP037.TMP\l2831548.exe

C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe

"C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "RewSpacer714.exe" /f

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2bd214cc-e934-4e0e-8220-2f9c2a6f43f2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe

"C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe

"C:\Users\Admin\Desktop\2023-07-15\6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe

"C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe"

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe

"C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe"

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build3.exe

"C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\SystemID\PersonalID.txt

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe

"C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe"

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe

"C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe"

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build3.exe

"C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build3.exe"

C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe

"C:\Users\Admin\Desktop\2023-07-15\f2ad63902e8caa11b83d3457c899b957b39891df52188830f6702376bd2783cb.exe"

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\Desktop\2023-07-15\c0b4b7b1183401644c556b5cc8e92c0f13970a370fca43635785f65f81e9a1d5.exe

"C:\Users\Admin\Desktop\2023-07-15\c0b4b7b1183401644c556b5cc8e92c0f13970a370fca43635785f65f81e9a1d5.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 1752 -ip 1752

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1752 -s 184

C:\Users\Admin\Desktop\2023-07-15\cc0f70f4c9b185dacf984c2f7f721d11ad293a7e2b654fbf26180e7ebfe54f81.exe

"C:\Users\Admin\Desktop\2023-07-15\cc0f70f4c9b185dacf984c2f7f721d11ad293a7e2b654fbf26180e7ebfe54f81.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 808

C:\Users\Admin\Desktop\2023-07-15\a5ccd3bdbd42202c5ffa0c8da8dcddd38064607b84b356e7015d22c06c865514.exe

"C:\Users\Admin\Desktop\2023-07-15\a5ccd3bdbd42202c5ffa0c8da8dcddd38064607b84b356e7015d22c06c865514.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 1520

C:\Users\Admin\Desktop\2023-07-15\93682aac34f1d48553ff05d088f225210bad9e69ea3efb75da3371d096aa2fed.exe

"C:\Users\Admin\Desktop\2023-07-15\93682aac34f1d48553ff05d088f225210bad9e69ea3efb75da3371d096aa2fed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5328 -ip 5328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 1784

C:\Users\Admin\AppData\Roaming\UpdatwinSupp4354\client32.exe

"C:\Users\Admin\AppData\Roaming\UpdatwinSupp4354\client32.exe"

C:\Users\Admin\Desktop\2023-07-15\35822e68e8334cb47ca9cf01a80ec85047fbf6218298a4c4ee08b41b02bb9658.exe

"C:\Users\Admin\Desktop\2023-07-15\35822e68e8334cb47ca9cf01a80ec85047fbf6218298a4c4ee08b41b02bb9658.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\Desktop\2023-07-15\129c4c144e93fbc74c73e70d260ea088c238e2a6c6de24afd5da5c7cf693994e.exe

"C:\Users\Admin\Desktop\2023-07-15\129c4c144e93fbc74c73e70d260ea088c238e2a6c6de24afd5da5c7cf693994e.exe"

C:\Users\Admin\Desktop\2023-07-15\93cd731eed51206fecdd8256968f39f07ba9d95087570d076a355bcf2012394c.exe

"C:\Users\Admin\Desktop\2023-07-15\93cd731eed51206fecdd8256968f39f07ba9d95087570d076a355bcf2012394c.exe"

C:\Users\Admin\Desktop\2023-07-15\93cd731eed51206fecdd8256968f39f07ba9d95087570d076a355bcf2012394c.exe

"C:\Users\Admin\Desktop\2023-07-15\93cd731eed51206fecdd8256968f39f07ba9d95087570d076a355bcf2012394c.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 5496 -ip 5496

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 3896 -ip 3896

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5496 -s 1100

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3896 -s 1056

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Users\Admin\Desktop\2023-07-15\09a80b3870d5af6dfa77084e125e4def7cc12a449424d49186a7abd18c083a51.exe

"C:\Users\Admin\Desktop\2023-07-15\09a80b3870d5af6dfa77084e125e4def7cc12a449424d49186a7abd18c083a51.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KSBPoqJvKv.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KSBPoqJvKv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CE7.tmp"

C:\Users\Admin\Desktop\2023-07-15\a5ccd3bdbd42202c5ffa0c8da8dcddd38064607b84b356e7015d22c06c865514.exe

"C:\Users\Admin\Desktop\2023-07-15\a5ccd3bdbd42202c5ffa0c8da8dcddd38064607b84b356e7015d22c06c865514.exe"

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\xyx\rundl123.exe

"C:\xyx\rundl123.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd203146f8,0x7ffd20314708,0x7ffd20314718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8568 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f8 0x324

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13237452832871214607,11584537197221294305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9088 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 77.91.68.3 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
NL 104.110.240.113:443 www.bing.com tcp
NL 104.110.240.113:443 www.bing.com tcp
NL 104.110.240.113:443 www.bing.com udp
US 8.8.8.8:53 113.240.110.104.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 104.110.240.121:443 r.bing.com tcp
NL 104.110.240.114:443 r.bing.com tcp
NL 104.110.240.114:443 r.bing.com tcp
NL 104.110.240.121:443 r.bing.com tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 121.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 114.240.110.104.in-addr.arpa udp
NL 104.110.240.114:443 r.bing.com udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 bing.com udp
US 13.107.21.200:443 bing.com tcp
US 13.107.21.200:443 bing.com tcp
US 8.8.8.8:53 www.hitmanpro.com udp
NL 104.110.240.75:443 www.hitmanpro.com tcp
NL 104.110.240.75:443 www.hitmanpro.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 92.122.101.18:80 apps.identrust.com tcp
US 8.8.8.8:53 200.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 75.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 18.101.122.92.in-addr.arpa udp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 104.18.169.114:443 cdn.cookielaw.org tcp
US 104.18.169.114:443 cdn.cookielaw.org tcp
US 104.18.169.114:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 pricingapi.cleverbridge.com udp
US 104.18.28.38:443 geolocation.onetrust.com tcp
US 104.16.242.229:443 pricingapi.cleverbridge.com tcp
US 8.8.8.8:53 114.169.18.104.in-addr.arpa udp
US 8.8.8.8:53 js-agent.newrelic.com udp
NL 104.110.240.75:443 www.hitmanpro.com tcp
US 151.101.2.137:443 js-agent.newrelic.com tcp
US 151.101.2.137:443 js-agent.newrelic.com tcp
US 151.101.2.137:443 js-agent.newrelic.com tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 bam.nr-data.net udp
US 162.247.241.14:443 bam.nr-data.net tcp
US 8.8.8.8:53 scripts.demandbase.com udp
US 8.8.8.8:53 siteimproveanalytics.com udp
NL 65.9.86.83:443 scripts.demandbase.com tcp
US 8.8.8.8:53 38.28.18.104.in-addr.arpa udp
US 8.8.8.8:53 229.242.16.104.in-addr.arpa udp
US 8.8.8.8:53 137.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 8.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 14.241.247.162.in-addr.arpa udp
US 172.64.172.12:443 siteimproveanalytics.com tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 8.8.8.8:53 api.company-target.com udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
GB 18.172.153.74:443 api.company-target.com tcp
US 8.8.8.8:53 id.rlcdn.com udp
US 35.190.60.146:443 id.rlcdn.com tcp
US 8.8.8.8:53 tag-logger.demandbase.com udp
US 8.8.8.8:53 6025286.global.siteimproveanalytics.io udp
NL 52.222.139.5:443 tag-logger.demandbase.com tcp
US 35.174.221.234:443 6025286.global.siteimproveanalytics.io tcp
US 8.8.8.8:53 83.86.9.65.in-addr.arpa udp
US 8.8.8.8:53 12.172.64.172.in-addr.arpa udp
US 8.8.8.8:53 74.153.172.18.in-addr.arpa udp
US 8.8.8.8:53 146.60.190.35.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 5.139.222.52.in-addr.arpa udp
US 8.8.8.8:53 234.221.174.35.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 125.214.204.143.in-addr.arpa udp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 35.157.111.131:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
FI 77.91.68.56:19071 tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 35.157.111.131:14936 7.tcp.eu.ngrok.io tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 www.sophos.com udp
NL 104.110.240.73:443 www.sophos.com tcp
NL 104.110.240.73:443 www.sophos.com tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 img03.en25.com udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 73.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 s.company-target.com udp
DE 184.24.21.236:443 img03.en25.com tcp
DE 184.24.21.236:443 img03.en25.com tcp
US 34.96.71.22:443 s.company-target.com tcp
US 8.8.8.8:53 dev.visualwebsiteoptimizer.com udp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
US 35.190.60.146:443 id.rlcdn.com udp
US 8.8.8.8:53 js.driftt.com udp
US 8.8.8.8:53 dsum-sec.casalemedia.com udp
US 8.8.8.8:53 partners.tremorhub.com udp
NL 13.227.219.86:443 js.driftt.com tcp
CA 185.80.39.216:443 dsum-sec.casalemedia.com tcp
NL 213.19.162.80:443 pixel.rubiconproject.com tcp
US 34.236.168.162:443 partners.tremorhub.com tcp
US 8.8.8.8:53 236.21.24.184.in-addr.arpa udp
US 8.8.8.8:53 22.71.96.34.in-addr.arpa udp
US 8.8.8.8:53 137.102.96.34.in-addr.arpa udp
US 8.8.8.8:53 86.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 s1777052651.t.eloqua.com udp
US 8.8.8.8:53 216.39.80.185.in-addr.arpa udp
US 8.8.8.8:53 80.162.19.213.in-addr.arpa udp
US 8.8.8.8:53 remitancegp.duckdns.org udp
NL 192.29.202.14:443 s1777052651.t.eloqua.com tcp
NL 192.29.202.14:443 s1777052651.t.eloqua.com tcp
US 8.8.8.8:53 api.demandbase.com udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
NL 65.9.86.2:443 api.demandbase.com tcp
US 8.8.8.8:53 162.168.236.34.in-addr.arpa udp
US 8.8.8.8:53 14.202.29.192.in-addr.arpa udp
US 8.8.8.8:53 2.86.9.65.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 metrics.api.drift.com udp
US 8.8.8.8:53 conversation.api.drift.com udp
US 8.8.8.8:53 customer.api.drift.com udp
US 8.8.8.8:53 targeting.api.drift.com udp
US 8.8.8.8:53 bootstrap.api.drift.com udp
US 34.193.113.164:443 bootstrap.api.drift.com tcp
GB 18.172.153.74:443 api.company-target.com tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 1037686-36.chat.api.drift.com udp
US 34.228.110.134:443 1037686-36.chat.api.drift.com tcp
US 8.8.8.8:53 presence.api.drift.com udp
US 54.173.95.250:443 presence.api.drift.com tcp
US 8.8.8.8:53 event.api.drift.com udp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 8.8.8.8:53 flow.api.drift.com udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 134.110.228.34.in-addr.arpa udp
US 8.8.8.8:53 250.95.173.54.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 driftt.imgix.net udp
NL 199.232.150.208:443 driftt.imgix.net tcp
US 8.8.8.8:53 autocomplete.demandbase.com udp
NL 65.9.86.122:443 autocomplete.demandbase.com tcp
DE 35.157.111.131:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 208.150.232.199.in-addr.arpa udp
US 8.8.8.8:53 122.86.9.65.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
DE 35.157.111.131:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
FI 77.91.68.56:19071 tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 35.157.111.131:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 104.110.240.114:443 r.bing.com udp
NL 104.110.240.185:443 th.bing.com udp
US 8.8.8.8:53 185.240.110.104.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
FI 77.91.68.56:19071 tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 138.68.56.139:80 138.68.56.139 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
FR 147.135.165.22:17748 tcp
US 8.8.8.8:53 169.15.67.3.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 fr.wikipedia.org udp
US 208.80.154.224:443 fr.wikipedia.org tcp
US 208.80.154.224:443 fr.wikipedia.org tcp
US 8.8.8.8:53 upload.wikimedia.org udp
US 8.8.8.8:53 login.wikimedia.org udp
US 8.8.8.8:53 meta.wikimedia.org udp
US 208.80.154.240:443 upload.wikimedia.org tcp
US 208.80.154.240:443 upload.wikimedia.org tcp
US 208.80.154.240:443 upload.wikimedia.org tcp
US 208.80.154.240:443 upload.wikimedia.org tcp
US 208.80.154.240:443 upload.wikimedia.org tcp
US 208.80.154.240:443 upload.wikimedia.org tcp
US 8.8.8.8:53 224.154.80.208.in-addr.arpa udp
US 8.8.8.8:53 240.154.80.208.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
NL 104.110.240.114:443 r.bing.com udp
FI 77.91.68.56:19071 tcp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
NL 104.110.240.185:443 th.bing.com udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 aefd.nelreports.net udp
NL 95.101.21.11:443 aefd.nelreports.net tcp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 11.21.101.95.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
FI 77.91.68.56:19071 tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.67.15.169:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.126.224.214:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 214.224.126.3.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
DE 3.126.224.214:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.126.224.214:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 77.91.68.3 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.126.224.214:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 emailgenerator.org udp
US 172.67.155.180:80 emailgenerator.org tcp
US 172.67.155.180:80 emailgenerator.org tcp
US 8.8.8.8:53 www.emailgenerator.org udp
US 172.67.155.180:443 www.emailgenerator.org tcp
US 172.67.155.180:443 www.emailgenerator.org udp
US 8.8.8.8:53 180.155.67.172.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 selfishsnake.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 34.110.253.203:443 selfishsnake.com tcp
US 8.8.8.8:53 www.clarity.ms udp
NL 142.250.179.206:443 fundingchoicesmessages.google.com tcp
US 13.107.246.67:443 www.clarity.ms tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 203.253.110.34.in-addr.arpa udp
US 8.8.8.8:53 194.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 static.adsafeprotected.com udp
NL 142.250.179.206:443 fundingchoicesmessages.google.com udp
US 18.65.39.115:443 static.adsafeprotected.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.34:443 googleads.g.doubleclick.net tcp
NL 142.251.36.34:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 18.65.39.115:443 static.adsafeprotected.com tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 115.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 34.36.251.142.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
NL 142.251.36.34:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 partner.googleadservices.com udp
NL 142.251.36.2:443 partner.googleadservices.com tcp
US 8.8.8.8:53 w.clarity.ms udp
US 23.96.124.156:443 w.clarity.ms tcp
US 8.8.8.8:53 2.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 130.179.250.142.in-addr.arpa udp
US 23.96.124.156:443 w.clarity.ms tcp
US 34.110.253.203:443 selfishsnake.com udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-if-v6exp3-v4.metric.gstatic.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
NL 142.251.36.35:443 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-if-v6exp3-v4.metric.gstatic.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.250.179.162:443 www.googletagservices.com tcp
NL 142.250.179.162:443 www.googletagservices.com tcp
US 8.8.8.8:53 156.124.96.23.in-addr.arpa udp
US 8.8.8.8:53 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-if-v6exp3-v4.metric.gstatic.com udp
NL 142.251.36.1:443 tpc.googlesyndication.com udp
NL 142.250.179.163:443 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-if-v6exp3-v4.metric.gstatic.com tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 162.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.179.250.142.in-addr.arpa udp
NL 142.251.36.35:443 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-if-v6exp3-v4.metric.gstatic.com udp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 csi.gstatic.com udp
US 142.251.163.120:443 csi.gstatic.com tcp
US 8.8.8.8:53 rr5---sn-5hne6nz6.googlevideo.com udp
NL 74.125.100.202:443 rr5---sn-5hne6nz6.googlevideo.com tcp
US 8.8.8.8:53 202.100.125.74.in-addr.arpa udp
US 8.8.8.8:53 120.163.251.142.in-addr.arpa udp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
US 142.251.163.120:443 csi.gstatic.com udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
NL 142.250.179.163:443 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-if-v6exp3-v4.metric.gstatic.com udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 c.clarity.ms udp
IE 68.219.88.97:443 c.clarity.ms tcp
US 8.8.8.8:53 c.bing.com udp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 97.88.219.68.in-addr.arpa udp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-850694-i2-v6exp3.v4.metric.gstatic.com udp
US 8.8.8.8:53 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-344398-i1-v6exp3.ds.metric.gstatic.com udp
US 8.8.8.8:53 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-850694-i1-v6exp3.ds.metric.gstatic.com udp
US 8.8.8.8:53 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-344398-i2-v6exp3.v4.metric.gstatic.com udp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
NL 142.251.39.114:443 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-850694-i1-v6exp3.ds.metric.gstatic.com tcp
NL 142.250.179.146:443 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-344398-i2-v6exp3.v4.metric.gstatic.com tcp
NL 142.251.39.114:443 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-850694-i1-v6exp3.ds.metric.gstatic.com tcp
NL 142.250.179.178:443 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-344398-i1-v6exp3.ds.metric.gstatic.com tcp
US 8.8.8.8:53 114.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 178.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 146.179.250.142.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
US 23.96.124.156:443 w.clarity.ms tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 p4-cvtt7yqfrf2o4-hk4bu6msvkvza62f-850694-s1-v6exp3-v4.metric.gstatic.com udp
US 8.8.8.8:53 p4-bsknnycm7mfu2-t3ekhlbi7gcrm5oj-344398-s1-v6exp3-v4.metric.gstatic.com udp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FR 147.135.165.22:17748 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 w.clarity.ms udp
US 23.96.124.156:443 w.clarity.ms tcp
DE 3.125.188.168:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.68.56.232:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 232.56.68.3.in-addr.arpa udp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
DE 3.68.56.232:14936 7.tcp.eu.ngrok.io tcp
FI 77.91.68.56:19071 tcp
US 23.96.124.156:443 w.clarity.ms tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 138.68.56.139:80 138.68.56.139 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
DE 3.68.56.232:14936 7.tcp.eu.ngrok.io tcp
FR 147.135.165.22:17748 tcp
DE 3.68.56.232:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
FI 77.91.68.56:19071 tcp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
US 23.96.124.156:443 w.clarity.ms tcp
FI 77.91.68.56:19071 tcp
DE 3.68.56.232:14936 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp
US 208.80.154.224:443 login.wikimedia.org tcp
US 8.8.8.8:53 remitancegp.duckdns.org udp
US 192.169.69.25:6790 remitancegp.duckdns.org tcp
FI 77.91.68.56:19071 tcp

Files


MD5 54d36cac8fdd4ca192f68011d5019f6b
SHA1 1c8b27c4b51d6d53d7ff4e1b03125a8ea7881620
SHA256 3a0e00cd4624d8436b42d43e24ca4202c96d20ed6c032d64410eed824216b54c
SHA512 4d7ccb19cee613246c3b67fdb4dfe9129982aad8503f0c88b7a174614abb7c639a87c35c82a7d6a4cd6ff4caaba4bd36262110758f38e7abd4a0b1cc93bfc007

C:\Users\Admin\Desktop\2023-07-15\39f61bb54268ac1f2907f2dd50b8890bd56527cb0685d0913fadb48814db3168.elf

MD5 a63bb1bc4a0d583201759456b68fd719
SHA1 6f8707734d0821c60861f4f0033c5eb5347696b4
SHA256 39f61bb54268ac1f2907f2dd50b8890bd56527cb0685d0913fadb48814db3168
SHA512 68dab3a80702867eeda3f85818b9b87c0c3e054abc5a9c1c35d485595b607097cb52a066ca657fe5a1ad1bec2fa8391985a14413069711013570c5e3bcabc1f3

C:\Users\Admin\Desktop\2023-07-15\3838b3748057b6afbf57524ac258eb631442870eb9a4f793ee1cc70a0e8bddff.exe

MD5 de6202e4bd878897abf62dc97ff065a2
SHA1 72d4e59e0701a320d55897172d6dadbe2bc84f67
SHA256 3838b3748057b6afbf57524ac258eb631442870eb9a4f793ee1cc70a0e8bddff
SHA512 1148d4132eb5b3af66ac5f02d95cfb52fe23190242513a17a973d5ea079ba9f94405988136335ae7e6c28799e0e22f0628fa719f08918dde700b7376c8131482

C:\Users\Admin\Desktop\2023-07-15\36b37d50a6a7fafeda2ca38bbf88c73ac85f8b8913e389b24824b4af97dfd40e.exe

MD5 06dd58af20da8523066a57966dee3d0d
SHA1 8843f556378d12a657009c48377bc7d2d44737fc
SHA256 36b37d50a6a7fafeda2ca38bbf88c73ac85f8b8913e389b24824b4af97dfd40e
SHA512 c7ee327d2704bbbfaab187db2c6f8d95b89f3cad92ad0818e74f83282354e644f25718c93013944b1bef89e9b1367eab2c1b81cf85684ffb0a36b459b8fafe21

C:\Users\Admin\Desktop\2023-07-15\35dd5894cd34027def53441e870ff03c67ff0301b12b94cda712bacd70dee160.elf

MD5 d5514251434fa2af07fbc3798e4e9483
SHA1 69e6bd2034faeeb6e0352038f0aa6cd27f630ecc
SHA256 35dd5894cd34027def53441e870ff03c67ff0301b12b94cda712bacd70dee160
SHA512 5f01d332a26e2386ffda558639a368ba0b764ca0da20bb3fdcf06ff748b04ffa5d86b5e978510fac4c56f0e83e2c9ea14b2d602b5557a8c6b631df60bed11b55

C:\Users\Admin\Desktop\2023-07-15\35822e68e8334cb47ca9cf01a80ec85047fbf6218298a4c4ee08b41b02bb9658.exe

MD5 131cc4da76d323e1792e458585a9161f
SHA1 2391bf26f9f880672a3469d8137fdd9c0daacd30
SHA256 35822e68e8334cb47ca9cf01a80ec85047fbf6218298a4c4ee08b41b02bb9658
SHA512 5c5b62217c04770f18e108b5623e0302329dceb28a695fe8bad316b9d8787aaa0dcf5f056bcc223d600aa45348c8e857e4bc48b56b878d3117e30afc64d0f1a4

C:\Users\Admin\Desktop\2023-07-15\34898928c7f591a9d4ff99b2472a8390e5d76e6b5f4013e515c4196497974a15.exe

MD5 b57b619a9b01a2f61df8e92fb902718e
SHA1 ffdf4b062bd347d7e3d1f2aaf269911f750b67e4
SHA256 34898928c7f591a9d4ff99b2472a8390e5d76e6b5f4013e515c4196497974a15
SHA512 d7ccfd94de6164729550204169dcb1fab1c895accfba43169b3c0a5ceae0774a85d977a235817ae81017c6358a780838245d0e793d0b0ddfafa63ab8cab40acb

C:\Users\Admin\Desktop\2023-07-15\343654200c9db2a900567314c843bc6ed5e3cec03733e0b0c05d0f3d656a44ff.exe

MD5 1a124274d3e7541658d99792c8f039ea
SHA1 2b4dbe0b0e2a5a88c6418e68b06a15b669955e1b
SHA256 343654200c9db2a900567314c843bc6ed5e3cec03733e0b0c05d0f3d656a44ff
SHA512 c7606c020dccd36b8347c0a91fcd57d630f97033fa25deb1f3263398eabb94732f518a85e9fcee51015558201e2178afe87732759074e455cb0284ac5202ac7c

C:\Users\Admin\Desktop\2023-07-15\339ca83fa250482aba6dcfeee8e5780adaa069eb67fc6f49907acd40fcf2a742.exe

MD5 871fccd209afd016eac3f4b8ecf36864
SHA1 cb1faa8daef0e8259820aef196abae6fa47c63cd
SHA256 339ca83fa250482aba6dcfeee8e5780adaa069eb67fc6f49907acd40fcf2a742
SHA512 2ed2c31f07297d05623e9aeed298dc931b432f5a4db0c5b1837298e85020b3127c0897a90c2b9f92cd3caedf2b1f67ec0bdc098c2e8a8a77f0a75b01cccb5fd5

C:\Users\Admin\Desktop\2023-07-15\30d7ad2ac73f27b333121e31d22949937dc62d122feb10ccb44ab0d24edd4e04.elf

MD5 d3b8af61dc11a65066bd60aac1d14400
SHA1 0991f9629fb3a68f527e9dcc810465e338cd3987
SHA256 30d7ad2ac73f27b333121e31d22949937dc62d122feb10ccb44ab0d24edd4e04
SHA512 fa604a1c4dd75d134e07aaecc2e8716366eee095cb54447acb2911a5a6d9bc55b82de7f097f363463e9814cd889776428bd0760461973be57af7307cd4062db3

C:\Users\Admin\Desktop\2023-07-15\2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026.exe

MD5 3bb3abaaf3c4eceded3899593f073ed2
SHA1 579951776a28aaeabe643e5e306258e5f2880485
SHA256 2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026
SHA512 7a6a08c4ec85b9ed86e943f7ad18a0d36026399db2c53a630f00a358015ed2ceb6fc9a27f98473022a61461b185eda1e1133ae775a0347ead24f213cff4ae70e

C:\Users\Admin\Desktop\2023-07-15\2eddb9ad4d2a0464b190b9b45f70123de0d57bbb9a78069a6776c40fe3065e9b.msi

MD5 bf2daa80d913adb5079e3ef317ee94ae
SHA1 098e4b2683b7de3d4472c6e27fb45ac51b87146c
SHA256 2eddb9ad4d2a0464b190b9b45f70123de0d57bbb9a78069a6776c40fe3065e9b
SHA512 9a93e07614caf5dfb1c33cc0bcd2a72b10e98e7b91fd9b674e6fb09150ae9757b1e125ce957ee023ee94a16ccd0ffc362dd8869f8e3e48657b196e84216d407d

C:\Users\Admin\Desktop\2023-07-15\2e9be9941bfa56dfbe3b93f05956d27b9ca13ee7d7cca9f0acafd0a0cf74f742.exe

MD5 5a2a7a6d62e1834e2726f6ec40abf3b3
SHA1 50223744d00088b6b717e06bbac655babe1c0b2d
SHA256 2e9be9941bfa56dfbe3b93f05956d27b9ca13ee7d7cca9f0acafd0a0cf74f742
SHA512 29f97b8a1d9d12cff2da4b41c35991b058a7220cec78eb8aea48448dc30591c6e50792821c88d6927d039a7093b296dc4f8e9716ed9adc7cd2d9dba330daf3fd

C:\Users\Admin\Desktop\2023-07-15\2d6bb4984408560ea6d9a08036984d102e5304627cbcf8cc5bc8ecc1bf4a3c2b.elf

MD5 6b3bfe53e6b4ee7461500b80bd5e8aba
SHA1 a4fd8f79a1ac5ff92aba4fe664334ae595ff359d
SHA256 2d6bb4984408560ea6d9a08036984d102e5304627cbcf8cc5bc8ecc1bf4a3c2b
SHA512 4473b7168a3a6d5ea9bcb11fd53b528cc0a77e9a2491495e6368791bb1665e5d1e5a7e3ca4e5acad409fc4a478172f6509f4d617b971412f6aec9ca81aa428e9

C:\Users\Admin\Desktop\2023-07-15\2abe0fecc0a8b88610b508c3cc81991b498a53860585a85af1334c2799fe2b53.exe

MD5 0b78cf77b51add1e796e907ab8b2fd46
SHA1 bd19941e783c723d60cd4c8296ddfee48d6753f2
SHA256 2abe0fecc0a8b88610b508c3cc81991b498a53860585a85af1334c2799fe2b53
SHA512 089dd35fdab187ead68f8e7f447d40476f5f7b50311a397016eafcaa66c2e2bffd12bd41b59355ec7c8f7ee6bfd380da1cd29d3e350892bd7118397345cd9722

C:\Users\Admin\Desktop\2023-07-15\28a49c600d6fb71e806482145c1c84070eb1da0e621211792a8bf8a2a6bc047c.exe

MD5 88a61c0bd35a5c2a1b3a44845acc60b5
SHA1 cc179931fe117eab845fb06c45f44c9c7cab031f
SHA256 28a49c600d6fb71e806482145c1c84070eb1da0e621211792a8bf8a2a6bc047c
SHA512 9c2f8814920a183ea5979236e6594956371f1aa39684dc387af4c1ef48018a173d83ff9960c70f94af1d8aa2ea86cd70290723ca8286d8073a7493cfdca38fbb

C:\Users\Admin\Desktop\2023-07-15\2748995dd79da265db6a23c20365943d3c3632fde874ad56c49915150bd01043.exe

MD5 dc4af13653424361c3cf615cdfff3afa
SHA1 1194c7654ecd0056e3c87ed9223d62f4380d52c6
SHA256 2748995dd79da265db6a23c20365943d3c3632fde874ad56c49915150bd01043
SHA512 850e180167cf3c430d3c5a8ed0ab7d261f368476eb7bef565e106da47e4d3ebc00d452f49f4aa670d065da167ec589a23305becc70323148caec2e719727c684

C:\Users\Admin\Desktop\2023-07-15\26a5d623f91c10a0c087eded6e2327bc9656916ff9c28f7e09c6775ac03fc74b.exe

MD5 ff0a9828a4057cb1c91f5f6d4fdc49c0
SHA1 38e3ef2507520010b92aa6bf9cb3102a3b66a9bf
SHA256 26a5d623f91c10a0c087eded6e2327bc9656916ff9c28f7e09c6775ac03fc74b
SHA512 fd369cbec358131735c3c0bef9591ca73a04537cc731d85089a182378d068d6ac7e67d9ff6b7c9ff1649e36b757db9722958ea09d2204709a3d0d1d35b5c6a02

C:\Users\Admin\Desktop\2023-07-15\2545c609ccb1017905021f389a11263b934bc58e4591c52a50c5840c4da798cc.elf

MD5 f4908c5177c8aac10b09e32a3cfa0593
SHA1 33827d132e1901aee3951ca536fc8437dfea8706
SHA256 2545c609ccb1017905021f389a11263b934bc58e4591c52a50c5840c4da798cc
SHA512 96ec68033401c7ff493360bc70471b63c364232a3b1c604ee60fe08bc972c4ca1b46ab542125d5df5e0a93edd35bd3c1640df2a5c8f6a16f2f29103f6e6152d3

C:\Users\Admin\Desktop\2023-07-15\24ab3142b0d486ac95fecfdafbdec4a55fab644cc846f1ef0ee5cff99815060b.exe

MD5 739091de71c6674a92a21e9cd6448f2b
SHA1 597e2377589846c1668c65c415ba19d8242802b9
SHA256 24ab3142b0d486ac95fecfdafbdec4a55fab644cc846f1ef0ee5cff99815060b
SHA512 4b89fae06db5e01c8244c10308c14af92b8a0bba73e8541c4b45f187bf466cb54bb95be1a312a5983afb597409cd3f607bcb45a14290907408d19aecaf90738f

C:\Users\Admin\Desktop\2023-07-15\241436ab1c6295c599571b0982dda15b2d965f7c4670780167047f58edaa618e.elf

MD5 ef6365c300b824d7ea2663ab628cbad7
SHA1 6376f21b1263373c8fa760d537c1842009aacc48
SHA256 241436ab1c6295c599571b0982dda15b2d965f7c4670780167047f58edaa618e
SHA512 9ea4a83b7bd508035327e05856200256c963289567f41ede8d1a9f26b0e0fefd122083242659ded1021394388215149d1a4b448c90f16d789bd85e8f09864dcc

C:\Users\Admin\Desktop\2023-07-15\224b7b26c1497adca4d5d55c997bbf9bb1f3dd2581601586ce9aea287153596c.exe

MD5 0a770a5612eaec3b511bd7d1923f52bf
SHA1 8886e0bb2e3f1eeb6977af0cebd76e4d92c7ea72
SHA256 224b7b26c1497adca4d5d55c997bbf9bb1f3dd2581601586ce9aea287153596c
SHA512 a247284f0bc353a9dc3ef40479587636e2a4dd018ff5f933afc795e99ce888880cc0383e5f4ec7e7700865c259c2b5eeef28e69ca03b7e41f8f50b5fdd448cbb

C:\Users\Admin\Desktop\2023-07-15\223c6b10a1be237146346e413a48fdb42e9daa605a574ea5b820882199163156.exe

MD5 1c8d25d3c68d2d7b1ec9eb38162f20c3
SHA1 564c22c9ff3d207a721fa02577a4eb60b9dc5d79
SHA256 223c6b10a1be237146346e413a48fdb42e9daa605a574ea5b820882199163156
SHA512 14a7178e2956745cff44677f685a9e333fe07a2f8e60f1d2e72ff4ccf65463c02c3b643d9c15a8093160a6c7a67ff819f8eac3e0a94c5bb53c1b2c23e6899c2c

C:\Users\Admin\Desktop\2023-07-15\2212f90549226b12ea3f904b203aa9d2b401d5c36e38aaa84590b19e72c35515.elf

MD5 8832e8e1f79e5176f78c5c361bb9729c
SHA1 ecee02a9b14b0fddc8a8109064fa7c86a9c49835
SHA256 2212f90549226b12ea3f904b203aa9d2b401d5c36e38aaa84590b19e72c35515
SHA512 1ef65189c3399b29c9f5fc21b86594e945f174c69a64e7f753d13638ebe8a69db998857e8845ae12d1a6f74fe10b04fcc176c4886a985586c1a4c6cd46460a8a

C:\Users\Admin\Desktop\2023-07-15\1f22cc9d2af57339c0ab4e4732f399e5959b3dfbb887e2abc7758d23a15365ca.exe

MD5 e2cf44f4b32e406e6a9eb72f8205f0d3
SHA1 f504821bd2c5df13231c1b731f555e26c562a936
SHA256 1f22cc9d2af57339c0ab4e4732f399e5959b3dfbb887e2abc7758d23a15365ca
SHA512 d4e6497cf2b705d513d8d8e873c2838a27a5c01813661200e164d1269279f528abd4bc403f71b0049369176fa4ec1f4ccd0618a3956288ac3b3591ee8b784465

C:\Users\Admin\Desktop\2023-07-15\1efc35be01df7d6b35bff6faf16867d16bf8f0b8eef5e1467af14f09ec7c47ea.exe

MD5 291bd504ef0c56e4e5afafb74e7e245f
SHA1 39250ba3840d98c152040c5504d51274a54afe16
SHA256 1efc35be01df7d6b35bff6faf16867d16bf8f0b8eef5e1467af14f09ec7c47ea
SHA512 1f972d23a02ec8cf8c912e7063e7e465202ad07df063d4346196c257cd7daf2afc206ba4366270a716532898b5b4b0f00689a78d2d60fff7fedfe7a8aeedfc81

C:\Users\Admin\Desktop\2023-07-15\1cdd7c76746f3ea695aaa39f2420e71638cdf6c0d05aa187f0a4d2d1eb23eb27.exe

MD5 7565de937291fdf2f686f518f1b16fa5
SHA1 f70e13819951f4abb172fa7e20321871c5dfc828
SHA256 1cdd7c76746f3ea695aaa39f2420e71638cdf6c0d05aa187f0a4d2d1eb23eb27
SHA512 1360e65810220c5c7b9034bc503ba8053b4a58518bb6a7cdb226fc1d3d8c57c46322cecdf2e77e8d38b434555968aa31ce18c97dbbe8f8c8844203a419c50972

C:\Users\Admin\Desktop\2023-07-15\1c1b7b481b545be25c3c4257d32d78d36d01af819143c3a6fbfafad8ba9829d7.exe

MD5 2bd8ce3f336859a8a76bc36b571e55ed
SHA1 a5a1a7da1ae620eb0bfe9a30aef18f78421fd956
SHA256 1c1b7b481b545be25c3c4257d32d78d36d01af819143c3a6fbfafad8ba9829d7
SHA512 8dc87c2fcf1ed43a28dfbf7c76795497ff07629018e93e83c9e0793c979fc4282fff5892a33b4e0313dc5f9615ceb4c74112b25ce6ccf7c2acb9a878aa913365

C:\Users\Admin\Desktop\2023-07-15\1a49e44c5b359bc89e4bf9f20620f6b1b20034c66476e9eb8bbb27909123b7ba.elf

MD5 164d66ee62c2954d5d329d1b8d503f70
SHA1 ed995ca94d98d2aa0679c7446f258bafa22ef778
SHA256 1a49e44c5b359bc89e4bf9f20620f6b1b20034c66476e9eb8bbb27909123b7ba
SHA512 5d412c1e77818f4366162b993f74615b33fb27e1618a818061045e6d6aab7288760ecdba0b839fadbb99912437247a9b7eff4bcd1a8f21aecc758b975ccccac1

C:\Users\Admin\Desktop\2023-07-15\19b389b0ab35c43e6c9331ca34eefdae65972a5cbe4baa0cf1e70ccc31e5b236.exe

MD5 a5b4436993909e210d1e1cc662a37f43
SHA1 ead806c4ae1bf62ba7ffe660370ca75979926b91
SHA256 19b389b0ab35c43e6c9331ca34eefdae65972a5cbe4baa0cf1e70ccc31e5b236
SHA512 581d824f5a9020d363e7609ad5a0fe35ac06c69b2ddd4b02959d2e375c5fc6c1393ec2b8fecfffa95baaa810a54f6c33544830e03821a72e7d0e157924332972

C:\Users\Admin\Desktop\2023-07-15\1769956679948e0bff3a2aeaac5ee6fc544cedeedf7097e871950437f15eca5c.exe

MD5 ed6ebe102f42d37c47aedab1c6b2224e
SHA1 d53cfe34b3b6c11ab0ad81da0e71663b78ea613b
SHA256 1769956679948e0bff3a2aeaac5ee6fc544cedeedf7097e871950437f15eca5c
SHA512 5e8c686c4d3f367604cfe42da247012ff0d7e595b5f16e0c8cad5c88745963953d86e2de1878b80aa8f2768bc5a7179100c578df2c266d765948cd7805dc7a34

C:\Users\Admin\Desktop\2023-07-15\149362dbc7d16e9cc94572978fce59b9564ff1ee564bb1b61da5e1a45b98e876.elf

MD5 3078f29682af8e258078592f0ae44528
SHA1 a824e26696221b697e430f6a7a9bf9d2657d34e7
SHA256 149362dbc7d16e9cc94572978fce59b9564ff1ee564bb1b61da5e1a45b98e876
SHA512 6f9268a814a89b2d3fc3e5148da3adf0881631c66414cb5e85ee5a846e7612d783725bd1e37eb59d5c797d68fe1d8a089b38617fc8726ec8b7f032c82419d788

C:\Users\Admin\Desktop\2023-07-15\129c4c144e93fbc74c73e70d260ea088c238e2a6c6de24afd5da5c7cf693994e.exe

MD5 acdcd0e846c7f1458c8e24336ed33bd0
SHA1 4133703ca1409916ce76731b66447d5b46dffaed
SHA256 129c4c144e93fbc74c73e70d260ea088c238e2a6c6de24afd5da5c7cf693994e
SHA512 82422acb85365dc2323688448ff812dc1d47f0dd260d1502971744bfcf2c5b2a5cffd045c777c602d66d091b48326b02ff6d983fec32aefd8f450c50c3c558e2

C:\Users\Admin\Desktop\2023-07-15\12824fea2ff92802e5d983b7c99c3e94ffcbd6712dc8e24f1d72e36db73ca023.exe

MD5 3cd42c1fb7030a447294068d1915a825
SHA1 f24328dd0c386b509aaafb1914d80cbb1be7d7c8
SHA256 12824fea2ff92802e5d983b7c99c3e94ffcbd6712dc8e24f1d72e36db73ca023
SHA512 15fbda9eb18b6ec483d6ae91d8806fba44c9924c9000bd3ea25382dc8e24e5b9db860021d65a301399f7fc97c10df36af3c1c757ec309315102f6ef400e21acd

C:\Users\Admin\Desktop\2023-07-15\0e02bc2035e70151fd6ff41cd430a369188c063a8bf17b8e81ee55a6f5a612a5.exe

MD5 5f9868f8f5d9543a2026cf1976774a86
SHA1 b7d159ac3df1fdf81cbf07b46104c814499bf38b
SHA256 0e02bc2035e70151fd6ff41cd430a369188c063a8bf17b8e81ee55a6f5a612a5
SHA512 949604521186ce0da94749fcb5b192b5ec64716445b152205486435645059d697d2defc0f7191cb10a91a86b52d3cd6b7d9208b6732611f8ffe689ba75f2c261

C:\Users\Admin\Desktop\2023-07-15\0af720cebd22dd81eb2d8ad327d65c9bd4bdb7b7f3c50c400f270e7c19af5f19.exe

MD5 67a90f4a4bce7dce31f34e172728f717
SHA1 7594b687b020fe1487d25c347336106201106437
SHA256 0af720cebd22dd81eb2d8ad327d65c9bd4bdb7b7f3c50c400f270e7c19af5f19
SHA512 8b5bcfba556eb3e8f4a89224ec9483f76a3e5a9b322bbc593942bfe5fde01bb83bb4eb37e0d573fc04ccb44674ab150a57d0092a8634fe8fc4ca2520ec179045

C:\Users\Admin\Desktop\2023-07-15\0a5d1e1baa7798784b0dfc771acde2696ce291c1c8c08eaf1bd05378d1a4e456.elf

MD5 816801fca5186bdc2c41972d414d2898
SHA1 aedbd400689cb5690386ec689c8defc8cea6995f
SHA256 0a5d1e1baa7798784b0dfc771acde2696ce291c1c8c08eaf1bd05378d1a4e456
SHA512 3ea7e9ac4ccd9e23052de358d1d58ee6fa846037ed69e87cfcf0634e8d311bff118b80bce027f0f6b991d94d3a173aae5bc236f505280d177fa34ac513756cae

memory/2776-925-0x00007FF6B1EE0000-0x00007FF6B4D68000-memory.dmp

memory/1668-951-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-950-0x0000000001F30000-0x0000000001F6E000-memory.dmp

memory/1668-957-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/1668-958-0x0000000001F30000-0x0000000001F6E000-memory.dmp

memory/1668-959-0x0000000002500000-0x0000000002501000-memory.dmp

memory/2776-960-0x00007FF6B1EE0000-0x00007FF6B4D68000-memory.dmp

memory/1668-961-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/1668-964-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/5112-967-0x00000000005C0000-0x000000000064C000-memory.dmp

memory/5112-966-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5112-973-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/5112-974-0x00000000005C0000-0x000000000064C000-memory.dmp

memory/5112-976-0x0000000008520000-0x0000000008B38000-memory.dmp

memory/5112-977-0x0000000007F50000-0x000000000805A000-memory.dmp

memory/5112-978-0x0000000006C80000-0x0000000006C90000-memory.dmp

memory/5112-979-0x0000000008080000-0x0000000008092000-memory.dmp

memory/5112-980-0x00000000080A0000-0x00000000080DC000-memory.dmp

memory/2776-981-0x00007FF6B1EE0000-0x00007FF6B4D68000-memory.dmp

memory/5112-984-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5112-985-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/5112-986-0x0000000006C80000-0x0000000006C90000-memory.dmp

memory/4600-1006-0x0000000002020000-0x00000000020AC000-memory.dmp

memory/4600-1007-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4600-1013-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/4600-1014-0x0000000002020000-0x00000000020AC000-memory.dmp

memory/4432-1017-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4652-1029-0x0000000002100000-0x0000000002101000-memory.dmp

memory/4600-1030-0x0000000006D20000-0x0000000006D30000-memory.dmp

C:\Program Files (x86)\RewSpacer714\readme.txt

MD5 ce494d2d223aed950fea67f657d3fa3e
SHA1 97a19c02487c41e3a079cd6764afffeb5e838b26
SHA256 c8fa111c5b9537e3b6cab9ba763e164e27fa469f2232b82a54b206a7d892b9e9
SHA512 687bf3bd7de28dc45ea622672dc59d7e45d9ce83530a7db6462447ea247a9bde061738c454e09b48531aab9cce802c8491aa730e4da65e63daf31c65ffc39fe1

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\i2976642.exe

MD5 09c7a2b7bef95d5087cffc6953055d0a
SHA1 00e0c74272555ef2f4350d0c581c845c0683ad6d
SHA256 ddaa953af210dcfcb5020fc61786f8626afcc10ada97506ac28d879dbe5f69e1
SHA512 d0100c2d8560efd0e633d6b19efc65db58841fd778b0e01f63c6caffa142100520887e6f6625c5fcae8ac4fb99b7570548b3ae22ba3f4b2941e40a357aff9c93

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g7591861.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

memory/5092-1220-0x0000000000400000-0x000000000148F000-memory.dmp

memory/4936-1223-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4936-1228-0x00000000005D0000-0x000000000065C000-memory.dmp

memory/4936-1238-0x0000000074790000-0x0000000074F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\h3672457.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4936-1256-0x0000000006B50000-0x0000000006B60000-memory.dmp

memory/4600-1257-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1700-1259-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1700-1267-0x0000000002000000-0x000000000208C000-memory.dmp

memory/4600-1268-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/1700-1269-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/4432-1288-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4652-1292-0x0000000002100000-0x0000000002101000-memory.dmp

memory/1700-1317-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/3856-1319-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4600-1321-0x0000000006D20000-0x0000000006D30000-memory.dmp

memory/5092-1323-0x0000000000400000-0x000000000148F000-memory.dmp

memory/3856-1324-0x0000000000430000-0x000000000043A000-memory.dmp

memory/3856-1326-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/4472-1330-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4472-1333-0x0000000002020000-0x00000000020AC000-memory.dmp

memory/4936-1334-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/4472-1335-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/4936-1341-0x0000000006B50000-0x0000000006B60000-memory.dmp

memory/4472-1347-0x0000000006D30000-0x0000000006D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\c9331399.exe

MD5 96fbcfa061fb8f37f03aadac1ada8b3a
SHA1 5560302ff9a72063a37d62dc0f9a0b0d51fe70ab
SHA256 6a37494e388428cd63c83b271db0cc730af9f7fa322e96b9f07e94327d7bd2d6
SHA512 95a7631a63df2fcf94a65910ed3c208ed14ec90872408be00bd95ce80941131eca757db98cea533265ed552b8c50f5c301e6d9283ce263b11390a576be53365f

memory/3488-1371-0x0000000001F50000-0x0000000001F8E000-memory.dmp

memory/1700-1372-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3488-1373-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3488-1375-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/1700-1378-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/3856-1394-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/5204-1398-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5204-1404-0x00000000005D0000-0x000000000065C000-memory.dmp

memory/5204-1405-0x0000000074790000-0x0000000074F40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1Y0EG8YX\dll[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4472-1409-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/5204-1410-0x0000000002280000-0x0000000002290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP031.TMP\k2934424.exe

MD5 3abffec7a9d624610b5f82e8b9db12f6
SHA1 078871a1b046e38effbddbe5031cd8422c9e6049
SHA256 d9cf45d86ca5fbf4dc7966cceca86beb73034f56a09fd19e9455ef45d12ff66d
SHA512 8034405fd6da7cef6131c8a3ae0f69ce4c23953576ab5402680014d7c6b5f4b69fede92294142aa85d191d43ca2206a04ea81884e645565ed545d7a130ce023a

C:\Users\Admin\AppData\Local\Temp\IXP028.TMP\l2165870.exe

MD5 c17b26498ce24b93db974c0e7cbd1fb7
SHA1 55c64e4fefea5684bd8fb952bf6b427757d58e39
SHA256 742e13313ae8665432ea86be99830f92e6a902d48f7d0a564e07049c7cd69854
SHA512 6661a89c837d743667b8aac645d4e83dd05627c99d4b7a24a8f03de86306191686a43d72cc70a52ed2c18803d4473c73da55d3d1de9b9a10039dcf8aa91d4a4c

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\x1762007.exe

MD5 f6df16bae2871aedc79c6565e0f37ef5
SHA1 574525b48efc7d990a22bfe6eeb3c0f976bdf418
SHA256 8555d6839089d414ce5929ce2f95cca072e97bc63afaedcf14ea770d6e3b3c34
SHA512 fe81b831b5c3972bf98e0ae7c3d8d30637939a9c79a5f018e754813ca7fd9dbc78e856f1309cfb36cbc63cf0f11e2990bbdb2592e6d1d9fb18b3e666405f3673

C:\Users\Admin\AppData\Local\Temp\IXP038.TMP\x9359883.exe

MD5 8f7db7f8e0cf00797facef0f0bfdf1cd
SHA1 f451bce9b4d7731c46a34e746448fff0dc21ae11
SHA256 d211b0a63efd1e2f06e53705dbf60586255c9c6d30fc7fd6a33588720c4d64dd
SHA512 b0e3d8481900ff9a849d44abc8b3bc78ebb5c204a68bfadcbf496513a966c9200c3ade442ddf1dee97e59b7a6a8c9196c9946c1800ff5d0ce0fdc570368f4b0a

C:\Users\Admin\AppData\Local\Temp\IXP039.TMP\f7670901.exe

MD5 cc00bc38e5b879a9e8e6deafcfeb0b4c
SHA1 7c48d43e05fc45c346942262dc3ba51f40d56730
SHA256 b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2
SHA512 3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\e7393157.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build2.exe

MD5 08819e55df0897a6dded1e5e6bf83601
SHA1 22d39992c6245b86ee8b14e0cc820e46a9094c45
SHA256 3dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25
SHA512 36ed6a07776139fbc4e1f4a90745633466ce40db8a374417cafc5846e3bd7277c56673dc98ef9b2379f286d3f0bacdce62e67f6b01fe177ed1dafa1065036b8b

C:\Users\Admin\AppData\Local\81dbf022-7548-48ad-b2bb-c71fcc531e75\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 d867eabb1be5b45bc77bb06814e23640
SHA1 3139a51ce7e8462c31070363b9532c13cc52c82d
SHA256 38c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512 afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 dc587d08b8ca3cd62e5dc057d41a966b
SHA1 0ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA256 7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA512 7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 af5b5bbd755f77d4ccd0ce4bc0b9f096
SHA1 13b90af5458cc98100b714f66b70c17a40c5a79c
SHA256 20bb6235becce8020d08f49f7e3cbd4a1ce7b0ae007bfe9f46f9a5e18a55907e
SHA512 bb39a3d84c1e68e3648897153d2a5ee63ca6ea578089ba956f745de176f4d24f72efbe600ea7c1774855b3842872c932ab1455357055d9be9fbc7c03b5f7e32c

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\17572011987269260775432751

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\ProgramData\17572011987269260775432751

MD5 fe9ae946c704bc4c03416f0f64efeab0
SHA1 43eaf9b3e00b355c34a0f9d7b6999692a6c80764
SHA256 a28ef03ea60ced703666a867c6db6ba7ca0c4a4d9d7906fd20275e8fbc248c84
SHA512 2553fe4ef4ac438d79e49b46aead466bbab7ae0597961c34c2ac7dfff7735e67307680b226fd2bbb49cc6e9a55e0a7b04fb755a1ed4071027767cc115cf0f7ef

C:\ProgramData\67806901258220739745318230

MD5 b9a6b4efa64f7da936f9486fe37db49d
SHA1 4bc391523e5e3b11d70b5a6e5ee88f52a17d2359
SHA256 36b27674a2aa6b9d45b2d8aa420eb079d0ccccedfed99a8d31b31012d79f37ca
SHA512 5a52747d8a86bcfd7840d049682e732609d24c301cc671c18179195ca3461977c8ea0f6daae9f85536f3a83578c53e8588f90792fc667e7bd785bae2df6d2a33

C:\ProgramData\30453862105801076518527219

MD5 018e704b8c3d92a43838942127ecea75
SHA1 c05754a3c1dc8c923a5877372f924cfac30a87e2
SHA256 65e0d542f162dda914b9323448e21285be85079061daf5b3ec283cd27a0bafb5
SHA512 cd8bb1700972c5dae396c9e3d3831f13350d9678dcfe1ff6bdcb6e423a5b15ad08dc550778181795d6d915f134b1b169a9a3d2cc856da64d52a6cb90f0dd62a6

C:\Users\Admin\AppData\Roaming\UpdatwinSupp4354\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 4fa8add6fc5821676245de5c3a3ff2b5
SHA1 d676e4d65f74724d2f7a6c6385ed36a2d0efac77
SHA256 40951afa1869484ca354dba200154bcf0719113c29a90662ff1867392480b3de
SHA512 e22efd4d9f8b04490e582dcb057cec4cc032da30c7c2d272094735cbcda4d236f548606a9fa95c7f9a5caa0b4ff08c80a40caec5d59f3da3ab4076708e0e2adf

C:\Users\Admin\AppData\Roaming\server.exe

MD5 acdcd0e846c7f1458c8e24336ed33bd0
SHA1 4133703ca1409916ce76731b66447d5b46dffaed
SHA256 129c4c144e93fbc74c73e70d260ea088c238e2a6c6de24afd5da5c7cf693994e
SHA512 82422acb85365dc2323688448ff812dc1d47f0dd260d1502971744bfcf2c5b2a5cffd045c777c602d66d091b48326b02ff6d983fec32aefd8f450c50c3c558e2

C:\Users\Admin\AppData\Roaming\KSBPoqJvKv.exe
