Malware Analysis Report

2024-10-10 10:31

Sample ID 231017-qtfjeadf97
Target b2a4aca9ebb9d8032d7ac5b426c3bbbfb59bff6051f963fc9d55239a48b06898.zip
SHA256 c5835fdee5b37ac6eb59449bd8506ef91c10d7a04a000225d5c8a6b849874574
Tags
agilenet rat %group% asyncrat arrowrat
score
10/10

Analysis Overview

score
10/10

SHA256

c5835fdee5b37ac6eb59449bd8506ef91c10d7a04a000225d5c8a6b849874574

Threat Level: Known bad

The file b2a4aca9ebb9d8032d7ac5b426c3bbbfb59bff6051f963fc9d55239a48b06898.zip was found to be: Known bad.

Malicious Activity Summary

agilenet rat %group% asyncrat arrowrat

Async RAT payload

Arrowrat family

Asyncrat family

Obfuscated with Agile.Net obfuscator

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 13:33

Signatures

Arrowrat family

arrowrat

Async RAT payload

rat

Asyncrat family

asyncrat

Obfuscated with Agile.Net obfuscator

agilenet

Unsigned PE

Analysis: behavioral20

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

124s

Max time network

308s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Contracts.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Contracts.dll",#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

134s

Max time network

309s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Debug.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Debug.dll",#1

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

116s

Max time network

291s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.FileVersionInfo.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.FileVersionInfo.dll",#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win7-20230831-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.EventBasedAsync.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.EventBasedAsync.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win10v2004-20230915-en

Max time kernel

108s

Max time network

253s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.EventBasedAsync.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.EventBasedAsync.dll",#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win10v2004-20230915-en

Max time kernel

137s

Max time network

310s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.Primitives.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.Primitives.dll",#1

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

309s

Max time network

312s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.dll",#1

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

176s

Max time network

306s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Console.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Console.dll",#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win7-20230831-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.FileVersionInfo.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.FileVersionInfo.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win7-20230831-en

Max time kernel

300s

Max time network

320s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.Specialized.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.Specialized.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:43

Platform

win10v2004-20230915-en

Max time kernel

359s

Max time network

442s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.dll",#1

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:44

Platform

win7-20230831-en

Max time kernel

273s

Max time network

316s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.TypeConverter.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.TypeConverter.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win10v2004-20230915-en

Max time kernel

127s

Max time network

308s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.TypeConverter.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.TypeConverter.dll",#1

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

123s

Max time network

310s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.StackTrace.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.StackTrace.dll",#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:40

Platform

win7-20230831-en

Max time kernel

298s

Max time network

297s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.NonGeneric.dll",#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware

Modifies registry class

Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\mpeg3_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\mpeg3_auto_file\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\mpeg3_auto_file\shell\edit C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\mpeg3_auto_file\shell\edit\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 2128 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1112 wrote to memory of 2128 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1112 wrote to memory of 2128 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1112 wrote to memory of 2128 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2128 wrote to memory of 2264 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2128 wrote to memory of 2264 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2128 wrote to memory of 2264 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2128 wrote to memory of 2264 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 2860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 2860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 2860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 2860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 1156 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 1156 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 1156 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 1156 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 1016 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2356 wrote to memory of 1016 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2356 wrote to memory of 1016 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2356 wrote to memory of 1016 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.NonGeneric.dll",#1

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EditExit.odt"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConfirmInstall.docx"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\DisconnectDeny.pdf"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.adobe.com/go/reader9_create_pdf

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SubmitMove.ocx

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TestUnpublish.ps1xml

C:\Windows\system32\msinfo32.exe

"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\BackupRequest.nfo"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\MergeUnpublish.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ReceiveConvertFrom.mpeg3

C:\Program Files\Windows Mail\wab.exe

"C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Desktop\ConnectMove.contact"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ReceiveConvertFrom.mpeg3

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ReceiveConvertFrom.mpeg3"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.adobe.com udp
NL 23.72.252.163:80 www.adobe.com tcp
NL 23.72.252.163:80 www.adobe.com tcp
NL 23.72.252.163:443 www.adobe.com tcp
NL 23.72.252.163:443 www.adobe.com tcp
NL 23.72.252.163:443 www.adobe.com tcp
NL 23.72.252.163:443 www.adobe.com tcp
NL 23.72.252.163:443 www.adobe.com tcp
NL 23.72.252.163:443 www.adobe.com tcp
US 8.8.8.8:53 use.typekit.net udp
FR 95.101.134.97:443 use.typekit.net tcp
FR 95.101.134.97:443 use.typekit.net tcp
US 8.8.8.8:53 auth.services.adobe.com udp
US 18.238.243.3:443 auth.services.adobe.com tcp
US 18.238.243.3:443 auth.services.adobe.com tcp
US 8.8.8.8:53 assets.adobedtm.com udp
FR 23.57.80.54:443 assets.adobedtm.com tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp
FR 95.101.134.97:443 use.typekit.net tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp
US 8.8.8.8:53 geo2.adobe.com udp
FR 23.57.81.34:443 geo2.adobe.com tcp
FR 23.57.81.34:443 geo2.adobe.com tcp
FR 95.101.134.97:443 use.typekit.net tcp
FR 95.101.134.97:443 use.typekit.net tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp
FR 95.101.134.97:443 use.typekit.net tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp
FR 95.101.134.97:443 use.typekit.net tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp
FR 95.101.134.97:443 use.typekit.net tcp
FR 23.57.80.54:443 assets.adobedtm.com tcp

Files

memory/2576-0-0x000000002F841000-0x000000002F842000-memory.dmp

memory/2576-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2576-2-0x000000007187D000-0x0000000071888000-memory.dmp

memory/2576-14-0x000000007187D000-0x0000000071888000-memory.dmp

memory/2576-27-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e9646776a257094538913c147ba9c48a
SHA1 de1a02d2c0c6ad6b10703bc586f34aa89af23020
SHA256 f5155e6a53c06a1bed7ab3bc5e2fd406c5d1f2c3fa922bb1ebb428a287cc992a
SHA512 7dd9677dc0f1f6e0470ee435c1ba06f796e734ded50a55c5de2f47197cdc569ad9c3cffba57adbe84459780e6fe0d9ac382ef4e25671212c83ca6d744298c54e

memory/2576-28-0x000000007187D000-0x0000000071888000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0c6534dd068b511c50f9bac71b175020
SHA1 25dfac73da9af8812c1bcb0fa2d7167ba4cc8bc5
SHA256 bfff7e6deda24751020aeabad5640973b51a874b1e5d290f901ceaa7a0a39042
SHA512 1e90646d98beb7dd5bab0a07245befd04f224113d7fe31df1290ccb47f5909ebcb23b1c1cb262799f993b3c9b60062c9b66babdb3d7785aa54c63308dafd6f47

memory/2200-74-0x000000002F971000-0x000000002F972000-memory.dmp

memory/2200-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2200-76-0x0000000073E9D000-0x0000000073EA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e9646776a257094538913c147ba9c48a
SHA1 de1a02d2c0c6ad6b10703bc586f34aa89af23020
SHA256 f5155e6a53c06a1bed7ab3bc5e2fd406c5d1f2c3fa922bb1ebb428a287cc992a
SHA512 7dd9677dc0f1f6e0470ee435c1ba06f796e734ded50a55c5de2f47197cdc569ad9c3cffba57adbe84459780e6fe0d9ac382ef4e25671212c83ca6d744298c54e

memory/2200-82-0x0000000073E9D000-0x0000000073EA8000-memory.dmp

memory/2200-89-0x0000000073E9D000-0x0000000073EA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin

MD5 afa56bb453dfe7dea83b7d7a5de901e0
SHA1 0e37f845218f4f20de7f8612fbb3f3dcb4bbe226
SHA256 11020ddb2b81b269ff48383642d50142ed9055b3f1c68b25c16463095305c318
SHA512 be0a5dee5223b3a3feac0630c79cca7558dcf29bae331693c02ed38174cc97156f9356e82772a2117c15d66ff3b206b8fb9c7a89174d2f056eda4291b2e08ab7

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 865598db8bb93cacabade96e560c54b3
SHA1 bb495bb3b9b3bf352cf266fbfa3caa3665997fc2
SHA256 324c65ce7e04f2e73551526dae08231a35a2ed74603313e65e736e1196386134
SHA512 f21050fc30a8979f8f404e064bdebe1df5edb540190cd77aefa1cfb086dfdc4267abe54c7305c0187eec1f39cf562b150d03f03d9c97b4e9bd4168b6d6e5da2a

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d6a779bdd55538ab9c7a43ac4e76e4c7
SHA1 7b8b9df4f1487c57c903fe411bf388aee92e64fb
SHA256 b4e9ae238a5aa1e0de20d6a73b935c29541f9e35070e81da6a3203eaed50bfeb
SHA512 e36250393638acf60ab3de2df4fd48e1e0d512c66b37191866c2569c22f79392b34dcf87354794f708acc5ebe4322e5a07afb682b7a2e015a229abc2d3e63988

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js

MD5 57f3d8f5bcc781fb4a36b750bdd0aeaa
SHA1 e1819f851a49a59553a5c01859935c11a05ddca9
SHA256 02e5a385198d6faa3538f414fa8c2e4859bf4e2e0ce6b922c4254f008d287f38
SHA512 885f92ee8e1ffb2ffcef35dedf5f47c3a1e4e483e995db5fdb8e9309c009faa71ae05826de893f024d5942ff0460aae7d6390a2bb79cecf1b44cee23f1e99cd8

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\AdobeSysFnt09.lst

MD5 a3e82779d757fb4faf9cc73237c18b8a
SHA1 ea034b8be607b5244f71e3611aea533aba490177
SHA256 d4c9d7a37ef7b1dfa3411ff02127df69b6aab8f3e08abd8dacdaae5fb9fe0d9a
SHA512 b256f6f0e2566d86188ee56c9cf0e5ad28231a92cbea8368a178347ac75fa653f964340db541bddd7c7de7f66b918f2c51a4e8243b504b475c9ac09dd760c44f

C:\Users\Admin\AppData\Local\Temp\Cab717A.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar717D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 741e98352291750af405b96d669f54fb
SHA1 2e1601e59f7f9f2d1d55c487f00878758421ed79
SHA256 b450ada404cd055021c4fa903544ca9b8365fd56e676c8816145176bb6379a65
SHA512 22a5149f4c3ed3fc273a8986d0908e3caccf3fe0dc3ef8980ab83f7cf37c7ec469b5307895101cfd2af42c6c0c493f0cf42dbca16ac5f4f10fa3c9755b833fc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e9f61ec2f53dc4f23b2db2aa813e82b
SHA1 8b978cddc3f4970dba8669ee05c3e09fd8cdd1e5
SHA256 f50b357a923a98729419c1e1af0bc8a99c71766bfabfb3f94009d3e9a3ac4e1c
SHA512 5000037a9db68530da6c28a15def275264265f045c959bb29b427aa9419011305055cb54526f3f1437cb4271036ff387c9bc10d12e8c8f821ea5c3f8ec241a21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c768adf86d18c12926a77dfef53bbef7
SHA1 0e3ccd6c4731c2184846895728ae319cf951f59e
SHA256 b624ba7b3aec755b477ab68b0ab374e42aaf5aabf417a22a09737522c8a29e99
SHA512 f8ab0facf287bc40cd01a27a50a66ae472c020f8383f8bb93dad1bcd6dab2608a8a194b1e89edfd16ad47aad87d4330402bb902fa1f8ea6590cd5a4633e3a32e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98d9c9e548eac503fe01f7c4c82c40d7
SHA1 788168b53bea3ddc1b56ede2945b3c9efd7f74cb
SHA256 6bfcd5de8290caed0d9e24b2a500db82a9c31807f2c3179e127ec9ba5d78c587
SHA512 ce9cdb042d7dda147e2f4e2085beeb70a0de7a6e9528683d05ff56611f99dd56c3cd494b6db1ae1bcae67c8653ea7bb089f2c17924cb73c7f93f09691531cc1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b74dd1b23e0d2e81205090178b923834
SHA1 c1945f2f7e365d18c696338b7b40b907e500c8c4
SHA256 235967a0167a275455f23a436522c58c9a48e3e46544bdf3f011bd7c4bfda16c
SHA512 4bb7ee4442d10e0fe3f09f32c0b0850e1a8995b69a507891a4863db8e72da69339ae167e5c9380ad5354525e0914b003d8a594713ffb230a90ef4dac0501108e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d144dba1a7afbe556d96752ba404e2de
SHA1 19506a8bda42c3ae749c275f59a84638dca5cbd6
SHA256 1f6d64b2470b82cda53169ca22ed09b1a5cfc83de8dbd3c3f0f9c55c976b5a36
SHA512 91e54e3cbaf1758653983e382b344359e73ce5056afdfd02af757f7d9fd3614996665c9ebd1a7da65a60cf22a86fb505a29b70d0c47659f8ddda221745d18aeb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec330747746ee2ba754a5a5dde49116a
SHA1 f038e7474d47ec7eb1122b50804c962aeebaf3e9
SHA256 10b25ef6c4fd59c6488e4f6303caa16573835e5eed23af873bdd660836dc1ed3
SHA512 eb7cabe8f0f483c3781d97337ab80d056f1cae44b83fde12958bc77bcd1bd630111bdbcfd1df18aa5592caa065c5d1422c3a1113b089360ae5f7a489850744fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32550dc37e161e5e187790963914b5db
SHA1 fe1ca205635aeb6f22b0c17e4a28fb6e99bb6c3f
SHA256 f6ea80757e8e54d008219abe6aaef5528550b15f5de8c0768d83684ace8f5056
SHA512 5b853e3101a5bf324fface1e2049d43c18c9362766f014017fd47cba85889e51bbedf91667db02a8c2bf7b157164acdddc3b907f0a7b75234add2bff53370949

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5affb94481f9d4874e64df6b6dcf781c
SHA1 7d82cccdf5f9537ef094c01e615f4576c188e81f
SHA256 4567d74026a0d0015ec94f1f247835f332cd68176b7e9a6a4d708a5361618c91
SHA512 3327468a1a0550426bdbccb7a1aaa30696e84c97824823e211674827e2eb859d9659422b64ae6ad4108654441abecb8ccbc80208c23287631c439db1c72a543b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e000c00b8591666be5f9f53243b422b7
SHA1 0fb90791561e65f69bf84e7259e9abb4d05d60a1
SHA256 d1df32994626919c526f367adacedcf346d0068d86886deeb9e0e3214056fee8
SHA512 1600a9a286897e58b88e582525180b5f7cfe50b0f952cfddb688c94bb74d06d4ab0f96f227bc4b919a38cf1d3ad509dcd1f69e6beafd2d5c21613b284b8a9fa1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c821a5e2cd9d49141a779a63645dfeb5
SHA1 624b0fd3591542fdf21e4fa5f746834cfdd12c13
SHA256 8c1d7453336f087f5ac2686b8722f3246cc370fd3b9118d033c0be5c18c32404
SHA512 f28a0ecff71aef17e6a5f4c559d8087f0f0722d0229ac77c6cd050b71e10971643abb54c9bed6f0e347a36a4b4e7043e095efd26e97cc535337c481273df73ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca6c7642ea3a2f026f5343adc6aa9f3f
SHA1 2cdec3f894d9baf58a759ebeeea3d91a14858340
SHA256 6c1715b2c08afd8a26698595701e2a49c131cb40931908a353924497eea0cc54
SHA512 95611150ab4d4ffd3dfbbe1f9fc2854f6661910971571488b016165c99261263eb58feb3392cb8809f7b5769040acb83060f091c2cea8a65a240251bd451aafa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e8ac1db1e3dc9706a7bd8cc1330a809
SHA1 dc47673dafe15a38d49ce5865f1371475195d664
SHA256 732c52c6108ce54724236c89974fdcaf995f7164ee1bd61a168e642e3b59046c
SHA512 163b0ce4e80d3b84087942e5c90c354fb128258cbd951419d75342955b977ae6a31a51bf3ddd03f38630e9493b8ef82c26242ddfc7e352b74ac473326a13375f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e09f85a41b4e8612d3f6d0a47283f07d
SHA1 4eb7caf84b2438648634f336a63124ea8f2fb88a
SHA256 c4013ddb1efc877f196519aa40fe72d22f07087fc7d1257f075745daca628c29
SHA512 c0ed3850dee3685154ff811a7bf30b34e7e65c46ccf800ee28e15eadb4825425ef675a5a18934e9bbdb6c6ec1ee146761f71f85599c731d67d5a1de28a9eeb60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eefcf0e2941e92f20a0ee181be9126b0
SHA1 41e61b4b06ba4c204b78820af46566062b98db83
SHA256 1facc0b64ea7d3bbc7823874b8b91e4e4698d88492623d6b74d5cf456035dec7
SHA512 efbfc646a1c33933ac93999e8664075168a27bb9488443f45157ee29cc9de178d7ffe909fd1b6f0f868864aaa076211c4c70957cef9c979b0ffc11c87d337bcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43ec66ab82d27bb9654793a32688108a
SHA1 ac0459f1852288c4b75601182d651ecbcf660d9f
SHA256 6b3ad3c0b09c02b2a0c93cfba2716ab275f31ee76de2cb36bb865ecf6a0002c7
SHA512 c588cc2a24de4bd438b3423ac5fdcf981b6f3af8cf89c96cbe9290fc102dc3296e1734013caf01aae32acfd4076dd8ef56e328a314cbd8897b3f086263d22731

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80b717baeb5b1ff943a7675b92bca20f
SHA1 e9aa0357a57c2991beae26c564d673c596a73a3a
SHA256 08d1a0ad50240f0fc6756731b716560c66b5c57d87ae7c6317b74f2b66144193
SHA512 21106caab80b9c54adcdd84599f802b9be786582332cd5f52c471d79ab7a6eef7c7ceff86cdfe5b3b1f226a24dbf4c8e5f70874504b90ae667d41911b5c703d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\feds[1].js

MD5 6233ac11501ad1a1719bbc47a48bf1c2
SHA1 bb6712250ceaeeade27937481b9e801e322bf7ad
SHA256 d3719893c61ce1e42cfc7a5db64c4e7d0ca70e6e79a92ae11d939b6d410f3b30
SHA512 67c22263c78ad0d2bb48a064483e1e44bcfa2bbcc3f014f6f6df04d036626be27acccf3e8e65adae3d72597ca2e2f3bedb73d3b20eef7d052802c5ba86e157f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\headIE.fp-e8a6969dfe5989bedf8c33869d1ca113[1].js

MD5 e8a6969dfe5989bedf8c33869d1ca113
SHA1 66e78c855b45f13a0162f9694be6eb8f917d68a5
SHA256 d4646f0f3644ae3f5757b129e9cd096ec629ca248b41cfa25fb9c965937cfebb
SHA512 afd9d6c68effd4281ccf10af9b11097f417ec661718705243060b1e8bcf92935501a934d244bd825f0b7db4ca985e3afc10f90e6556282fe621db42fd2f5e874

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\headPolyfills.fp-23a8eaa3e17b58312f2e9f6334f26b45[1].js

MD5 23a8eaa3e17b58312f2e9f6334f26b45
SHA1 f5051941752eda187767b962da092b8595c7dedc
SHA256 4ff5952e522855198d43f03af9fc60e895770d9a200e0d68f1cdb8eff24be6a6
SHA512 a652a9300b750e182fecb5328ab93fcb4de5bb6a97c8c73fca56e1565d5febb2323b3fefbb53eae163c3c324433aaa12bbdbd02a9b5e60462f631abd1a030d45

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\main.standard.min[2].js

MD5 6160e5b998841b43fa0486b52e2d47bd
SHA1 f02883f1f521446dfe087d0588aefd92341c0a7b
SHA256 77400bce2c2fceacf883f1d7b717de61c4a4b2c339c715a631e7b1a2e7e8b9ee
SHA512 9535e251e9228d6c5f493f645c844845eba9fe4d11b80cd3969d43f7fe85cdbbed0df1ca2e57551c49d815db6ddce56ec14f6a1de85fd67c3d3d9595ad34cc6a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IOZ64VQ\head.fp-f235d30c5d9c105e2f8a238c94a4e5b5[1].js

MD5 f235d30c5d9c105e2f8a238c94a4e5b5
SHA1 52405ee07a6b31229442661aeccd9af8e3cbb461
SHA256 fdfaa035982a48262a80f69a1541d2c3502ee324682272c190e838721c318f56
SHA512 a573f933b03921c98fe5749006b8c04204e23d14455e9e8570fd2bf18d79dff4ce5ad2efbbbecfb70fc27fadc8fa64404c1072bc67e63c7ef438902c840cd8c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fa7fd51f9c7fab65294bf892d48df64
SHA1 a4627e5288eaf9a21cd20b4ac282c9124ea6a6be
SHA256 f0d027a6c3ae4edad8d4a397194464511d09136c490326dab3cf0b1e9a980e05
SHA512 2f5f14992a62edee7a247421475f86f3c35d16d196025d5131d8f31fd05f26710471ff6705b50042847c85586806a23796ea17c70a86f66e8f1d412a0b8713c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77265f4d96d21cadba892eef646c2315
SHA1 d164a74170ea1c167f66cfcb324c28814298f6de
SHA256 08a1973a94091d17be5e7e20cca1e09af5c1f583caa2fd3c750a03ca0b6ff313
SHA512 e780fe6971e042c2c123df9e835f486348c0b76abe08586e394d2013f66dd3bbb0d85ee484eee59dbcff75da74378c6c60617b631e5e7b2e5607044a6ace752a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43f7fa79f60f09d4ad26ffb4bce8ba50
SHA1 569d29b272525709a153afe7d70e0cad45974b9d
SHA256 5d0e87de977d7544667d19b20da4174c96e14af43840a86bec13808d0d2cc9ca
SHA512 5789373466bfba990465f83e08afa5323e00f1d2473e3ce7351adec06ff6da34bda74568696f574671ee31428d13ac2ac68acb068a3bb384ee354d5ec32f8e76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c207dd4d3a83080d346b408c6cd8339
SHA1 05a64efe8e74a5d2c1c6df6078fefa14b57343ad
SHA256 cb408a904ce678393ffcae7f7921f11990ffa1bb63757d40afc205d3aacfb829
SHA512 faabd2e7f1e1fd7785c1777ac1db5d10c21bfc5a3755e075a752075e32afcd3623fa1053459a58f33e2670c5ebef31754e265c0c961d631376e136384db66ee5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 745793ac3f8ca1b345b376cdf5014219
SHA1 3e4baffef2aaa677a31206e09380cfc641f579de
SHA256 f023aca547df092ff9131401ac8e1227eef99492705bd9042226074f4fc6e8c7
SHA512 591c4e2ccb2e7df632dc5d33b853c79f8e1c5dd5ee45bc04f619b8be197321f9b066740c5129debb444a39e7553b4367fb9f4bf623d0f985e55566691cfdc13c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88a92b8111b57c289c94cf63b231f3f2
SHA1 df1cf11aa441a81dcee6dfef2393cfb1f88f76e3
SHA256 cb01d64d838c99ecea2fbaf636612293efac0dfdfd04610dcdd7eba69fe6bbf4
SHA512 36a3e0feffd8edf1ad540a6a88ea37da02dd4c9de20e50b044bdcff96dca87f88a1c897565a548631cbacd37c372763a086344190ecefb21a64e2dd4cbedfbbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 521e23f74bacad1ab8fc2afae9ecf710
SHA1 a41c5658f98a7e64481a6a38ecaed157899720ef
SHA256 70eca031c5652983cec7820ba4c53541754a5bd856aae8289a50ad8e766d59d7
SHA512 246e33a9878719965ae48a98048f2cf36bc2e2d1070f966faaee9bf37a8bf1cc3737bad714bdd2e7f69fa08d9c11b16f119f3a102a089ddb5d04c2ffb60a0bce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3d9100695b4bc2c04d53439a1f0c950
SHA1 3ea390e8b0b901d681dec7b6bf163ee85f516f3f
SHA256 271e1c2a488e3e0efd079a1b71578a6694c86b52c6c847198768ec49b2d18677
SHA512 f15a49c5fefc0c2fba37c894bb65d0a38c7ee826ac5c41abdb705a914118b197d964babec278e462c2a4cf667cc9c4460525e5d1b3b77269b9f128d2210ef7a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\publish.combined.fp-30eb7fbf1a18a0a2d7111ab3ad12edab[1].js

MD5 30eb7fbf1a18a0a2d7111ab3ad12edab
SHA1 cf389a0e9c9c82a14a94b19d098cf1bd8be649ae
SHA256 70ee17e11b13a8966dead9cd98cb1d67628acc0f011934c36f7cde780fd30daf
SHA512 8153316381f282aa283273787871c60535a8bcf20864b2307d2bc75d83cd3993093f93370c0acda1451da1c2d541fbf4969d98befa9cd31937757f47633c7224

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IOZ64VQ\commerce.fp-4d3664284bc1f1d7844739a4f83f16f2[1].js

MD5 4d3664284bc1f1d7844739a4f83f16f2
SHA1 6f39968be52d27265d336605cc7e2deed2d3fe70
SHA256 7e96c8962e6ba7661da45eb2f6b44e91e1148833e927ab70242fffad7128385f
SHA512 0c29263c31723f46ccbe162e14f94e8b326b6e19ebb9da7a4c746d794eb51c1d0aa194bae64deac0b6d25fb994c336870d82b854eda638b4ec4c4b408827a6d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IOZ64VQ\themethree.fp-041f03cf8fcb58244963649203146aa7[1].css

MD5 041f03cf8fcb58244963649203146aa7
SHA1 18362bcb7a4136075bb1617b27f3318acccf4912
SHA256 9de10172c1043e0b4e0fdf8b242daf8362cb45ffc39efa3188ec8a3f18ee28cb
SHA512 dd7cad044a08d587b0b51d9fdcfed220cf1936c1c01be2e7ccbd117acda864715eb740e4962b15979e665420d369b4d1f162223779d40e41d919ea6def3036a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\publish.combined.fp-ebde96dd3514a4937a5c5fe0b2f1f17e[1].css

MD5 ebde96dd3514a4937a5c5fe0b2f1f17e
SHA1 a67bb70b2c37a8d9155ba3e928da669961bb5260
SHA256 0f123aa738f509e55dd6bcd178c7b4b5438b8c1f6df6a28bf7e2ed8d03bd35cc
SHA512 dbba7221db1336c7b22a7f4d660436c6aa60791093cb1a23664c4a91f4811c8a0656cffb9ed6a0db40dd2e8c6d79d32c41fd51b9f95870879f11abeebb3ed050

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\imslib.min[1].js

MD5 9ae016db11862befb1bb98d894829b5e
SHA1 adf55e44ccbc370ae6f4b67f46765fa2b09fb1a3
SHA256 a2a36f4c0cd39f1082cc50e63ee76ef3c536d5d471c6642c44c9bfeaf73e84ec
SHA512 111ccc9a64264332573db4dfd2a85bb101a74aec11b8f0aa0d5eb795539c611751d083a0965771c780ed02afe65bd000ba5dc917b4be5e2383e2451abe8f4273

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IOZ64VQ\commerce.fp-f2b3948abab366f4204973c474b0fa60[1].css

MD5 f2b3948abab366f4204973c474b0fa60
SHA1 84943f7a8092c658d3726a08ad73a17641e695d4
SHA256 150a1ab02e572a2bcbe57d4f55e797f67a14b4706de53b5269f6dcdcb778a903
SHA512 2a6091f0b218ed7ada23c307a60958e8738ac4f46f1487471ffbbe4035309a834ffc59c8eac43442c2d429d0946d385e5c8c95bc7ef361005fe2e72d7915776a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ce4013c2da195d9d4a8bb09953f7a24
SHA1 91a36a51fe2c9501072c0e0e77eedc967868fffd
SHA256 e260e966fbc3a5a91a11d3dfcf00c888bd2408890ebdeafcb68fabbb4deb0dc6
SHA512 edc48fe6830584e7f5123af92d9a5f3670b7359965b1b46163e8af4d45f85434f83ccc1ebd22376cebc25d3999de26241d23d2855d6139e430561663ddfa768a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5fae0ea39c02ae76d502e866728c85d
SHA1 805053436887ea20beffddf12c3e380871334e11
SHA256 3b464e4c8521fa68079f479e5982c9fdbbe29f9cd4d60696b06b7aa9ab114759
SHA512 de527f89316e7ed7e967683e901d845d5a8bd7afcda2ebd6f1b9105ff1a6945c5667d209c13e9ce36219f93832719d582f5cba494dbfdb47e3b3cf47433fdfde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bdcd81d71c4e5fb4bca117758db6b19
SHA1 706268d0f57300d37e95f02d70f409946d4286f3
SHA256 d3f19879da006add7181264691346ffd00d7661c6141261dffc68543e065326c
SHA512 05ba4b2f922e44a5cc9fb126d4d57a1de767dcd779ada103bded946a3ff96f0ae26c393321155916c5008b8e462066cb6b3e2a065bc440fffc374796a606c340

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\acrobat[1].svg

MD5 325c8a2984f01a66681f42d5c7480dda
SHA1 5985d9bea1fe85a2ac2787231c919893e2ad2e3b
SHA256 d1e12c899e29f48adf45b0e2dabdc1c3eea604ccc833701f8590e8116efc19b1
SHA512 af476346c9cc67746c4f78a657e75e896ac8a561d174ec2123d1295885ddf1fc5264b1b96529802fcc5acbf2b2417d6cd4877e39988ef293e8353ccd2ef93fab

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\photoshop[1].svg

MD5 8ca8f89d1be259c6426e2b49efa0754a
SHA1 ea8f4a123d347cb904048f42b4eb1358914b1303
SHA256 4e8a55358541d6acf03c0a25b1f708e1378093c7b79e331200ea23997071e127
SHA512 2adb286a6e1aa146c7ca0a4d747c43d9712ff87587b790603a997dc9edc5689f43a0e94832e2eff86ee1ec6184569152478faa8884c1dce27ca3ffaa0f228b2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f8e4b513d6224295561ba7f18d67638
SHA1 f972ff32b42899b30f450ba2db30312bf4dece1f
SHA256 91da0f805e8adb91f75b73db1cbc447858cb8534b86a976b619b8b0ec45c47a1
SHA512 bdb543015267c371eedcdf309346ae1830bd465081f08286ab5df9ec69b7f0029e28dc296c2b008c68d73219fd57a6f3f4d96e25dc3b92fae7918da03bd793b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10fe336e16d2f72207e0efffba59dc1a
SHA1 224e4920446a1975195ba4061bda16d33c36b4f1
SHA256 6687e36e9c6c7ff192ae84b24157c88fe3f5e11d4df9a43222fa384ac813f226
SHA512 4dae7f9550b7b19aab1df178278daaf3089fae7131d25ca3d5de458f4fc8deb2bb849380ec63fb525900c5fce4d35bbcb3a774ad30504c46a612817ebdcbb67a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d4f7652fd9865a4a2e3240e79ada4c3
SHA1 a8805940e53101d884eb3f9c80fecd6e830eef55
SHA256 2f17f6fea4643811831b06cd219aadabf79cf0945bdb48f9a21db17a24e4a0bf
SHA512 511217da13e5fbc30649341c9ac9745752b80350f646b23772d0222575480af4dac96c688ea192ae0d58bbaf02465e6ebfeb0c0cfce5f96c23814a8221c8ec85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d33ec44460ca781ba135f35abfda6ae8
SHA1 65eca4a336d353360583e872a3c91f704e4077fb
SHA256 93ef03a48c28f28a1e250dfa0f27c3b8c134549258cbf6017bd2dc7533b845b9
SHA512 df660a3d6916310933df59f265839cb8fbb711398163fa2096195b371c411f3ffe92c72bb606c1cd41cb959d7f531ea0135bea3024a7401d91647c1dc65bc49f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cce064ef939ab5d02b9577627cf34bce
SHA1 04e6ed31216fe22926d8331c8a015724dee16edf
SHA256 df7415539b2f76795506df7fa4b12d45d3ae87b3085acb1f948fc4066699512d
SHA512 78a449fe1a25d66281933b5a8ab63294f5f7a4bc1b4d26f9a0fa6d5fb99b29f94c7616b72793e1bc45f703680177ac8bd4354aaefc9f7f701d4e2582b9206a15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d58c6ff2d981626d52a76bc9943bfdf7
SHA1 cd65ee42e49fbc7e8e4c93a57ec8e9df4b6c642d
SHA256 0f1659c54af8492e8d88824fc2cf6f72a527b45aafc8e32b1f1e7d56c5660cfa
SHA512 0c0bea9961d64b351a613ff893bdc1a89cc76f8897115b750fada8c2cd05d033e5fd4e475371bf0864a8a13230f4bf6a47c6aaad16763fd8cce6aa3ed67e646e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0df822a6f1c6dd79afa12932de39fe6a
SHA1 5aed29487382f72aa788c9fdd1c706d54f3d6151
SHA256 530a226773516064b5591fcfced969de6f7d8b5fcd9cdd7de8886db36b12344a
SHA512 9fa102c4e1fa542a49ff508266473c6bfd070a51c3a84604e28eab420b9291979d71e9755f36743bde18b7e3ecbb7fad0c3a1107a7dc7c89b6d50837390dd520

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39776a8628f83202a503994578c8152c
SHA1 381ce33a37e9e78548455704584587b2352489a0
SHA256 4cdbd6807399ff06a0f4ec26e5b2d1b5ced40ce06c0a221ecc5c78f861e95388
SHA512 9b8ea1f1ce38d04f928e1d9bf4f5b134047c452cca784c02010fbf58d38723f60b1abd48fe2eb78814b82946d75a6770228e999c698bf4a854515134c75c5a08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10bfeb050ebf2fd5829fa5be94388924
SHA1 2d21fb78c5d4b2d4c47a31902f4bb6260644a191
SHA256 6c853701dc2b40abf07d4f824e0651751cda88a0124672b50ed876b3d2404268
SHA512 ce1331afcfd41d5072a31dd6219ed7a32d5217944834af19d47bf8060ca816cf82366cc3301cdb43082ebe588c67fe32bb7e06db5cca7499266baf4fad7bac1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 694c1f67ffc75075273fd059a4ab8e89
SHA1 78ee7382c96927fb67b3788d4029e3d55d9b9629
SHA256 f95d0f207d3b4712ed657f79672f61ca5e7857f6a56333593086d97e811c3721
SHA512 c5a5ccc0b7b4ae9594196046c38dce05360ca924a7a97f7589c365a3371034c30adebf31af8103a53713af8a8b8aa529f7c6487e5d8d8f8bfd4a955e4d523d3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07f26af92f4492ad31462a1077fb8803
SHA1 5c666ed551787aad4a3c979d3b53242282fcdc13
SHA256 6c8822d99f9d0b1e303e90663b4650436c14b9e1e3c7b34398f08a5f8d2986e4
SHA512 b8059ac8905d3b24e4a6a8911098461ff4de08d53215b069b06d36eb231e4b514b969f4e3dac04e1c4c40cfdd39d7656f7d94b87572d84aa0cbbcfec988f7711

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ea925a693a6a0b065265dce8f25ca5a
SHA1 59ae3265c4e626e3680243bc1fbdf40c8e21c1c1
SHA256 2a099d2e5b3df913396191f70cdd43be1b59fc25438a82500c0d60404387caf3
SHA512 f32c1adaa39eb9652220a42a4af96e9330c16a3bdd0853c70e0417e7eec71aa95c3fff73357b44251322ad4e5d99366834fab4d5f0975f4555e969f25b2b2ecb

C:\Users\Admin\AppData\Local\Temp\~DFA979DFA66A798F13.TMP

MD5 4174c407ca0145b09f115a7f0557815c
SHA1 c349161c66a10dad804d9093a25c4c0e44e79940
SHA256 ee92c7d2d70f34a7431a6646e6ee7aafa7a3dd1610b80568c29d926f6626e9ee
SHA512 a0a09bb775821a59450ec75119fdb1cc88a64321a49766162db0ddfe0c010129429dd8c968f14bdabe48db8604ee01b6acfd3f1b8b42cae767407a01f193ad4d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{484EE704-6CF2-11EE-BACD-7200988DF339}.dat

MD5 eb12ee0bb387ea90130a27dd6e98680b
SHA1 1db29d17227691c3184cdc9b8b0b4ad11ab588d3
SHA256 fbcb7682f0b3c58f9ed3df3792afd04e87e940da70f449a7763abd6ae3491108
SHA512 e3a517131c7c52ab5fabf39070998fced3e28add91b8aaaf1c9054e4c58590694bec704ffb4ebf92db91a12ae12d31593b9e5c8cd31cd0c170e14c63581b0d74

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{07765EA0-4869-11EE-BEE3-62B3D3F2749B}.dat

MD5 512053dfd274782cd63adcc6331c392c
SHA1 f09f406c3e1eaeebb89679c922f1631d4f1442c3
SHA256 6ed98a10a88398287f3d06d692d97682deb018fc3c23d8247a5e583c67289907
SHA512 af80143257bf933de8515258a1ddcedf244dd7ff948894c3ae9f46faebebaa0043d5c91c6811fb3e2695a8b1b57f8f7094b6ae80f45e7e9f4c5a3c9c280c9da4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ea925a693a6a0b065265dce8f25ca5a
SHA1 59ae3265c4e626e3680243bc1fbdf40c8e21c1c1
SHA256 2a099d2e5b3df913396191f70cdd43be1b59fc25438a82500c0d60404387caf3
SHA512 f32c1adaa39eb9652220a42a4af96e9330c16a3bdd0853c70e0417e7eec71aa95c3fff73357b44251322ad4e5d99366834fab4d5f0975f4555e969f25b2b2ecb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7993146630b337592ed20d8f87e5f992
SHA1 063b75cef37bcb95ff862cae6cf840679afdbe67
SHA256 16ccc5ffdfdf072965a1f9223a51c8a24e2b4c6b6aef5a95fbaab661fbc8cbd0
SHA512 fcd7ea8fffa1047afd76bcc55a6d83b8d787265363d45ef5a93272ebb5c31c9885804f9d7a0e5af00a30a51864ee4aaa48b91eaa2df0b20a0f7f453b9b26a307

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e45891a22fcf7a79f195e13ac3f3317c
SHA1 4b360d2feef4359188ab902242d4c0ad62fcaf2d
SHA256 bb5f092789092294d69f96bcfaccd359f5b8ddf53fd315870a7c11586a7d1899
SHA512 6990b1de422f759473d7709457baa2a6b76706c001b214c5822fe918ff755cc6657561c01f662d7805adaf3c58de0742dc7be952c77b0b44e63e14752561a1fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ece3763703e6287ffb7655ad71bf540
SHA1 8d4269ce8524bf4744b16f594c76897c62235c59
SHA256 c93d4e5961282b4d5fc2d2f9cebff1ae6fc85f8e88e99d4e43438f45be151c1c
SHA512 370da2d61c7a4316c9621082ee4a4dc7df957795933da4faf1d00e792aa64cd7dcbf90a92d94188591264550b49cb58a85693a5ea03df2fbc6bd7f3bf52ae076

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5332b8e1e3447bbc00cfa4acee80c34d
SHA1 883c8e71d50695372b1d97b8360b4804897ffbfe
SHA256 199b0b80274229d1593f288c1ebe89124f70cade26b6c2027090beb978f8e8cb
SHA512 8ba4f741247dd2a491f14c103b1f4c29891b7c3080f2f0c43717fbbef065288805e5b210bba29802a9107c429c119498d800f142fd14652c73279fe2e1c418c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59961fd5aa52c19800c27b10e386d130
SHA1 c094c95ccf768f65b835ef6d74afc4a9801a5bea
SHA256 69436744bef24585b6e2b06408da6e07239197c147d25a4a0f89035f996e2c3f
SHA512 c4f78a60aab24f5ff18387a17c3e4bc7d1f78329e0fcf3189e14ecc00364ddf06205fc5b7d768d3c63111a650102268e6026643286dbdcb08cc74d7c0988c068

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3c107106acc91b1f566dcd4a15c9a8c
SHA1 657f8d786d5562506092c0bd878b4d9ba067f5b2
SHA256 f4a64b585c2d9f459bc8440257bc117ffdaca9f0ad7c8c4e6c3988f7b5dbdae7
SHA512 a5e606efac7993305dcac66be984ed88709e482cf8c6e16f8a92a9d03a71b4663419a1fdb540ee2ae4a2a3d446159db10471edddd63e7f2ef381b2f071bd13e8

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4934881e61757b78c5b9f68b3c5c7d73
SHA1 acd42278f621ec3d46a7f8530bf872ed49ca2335
SHA256 b9d0193dfde7b69f68b9c47da3da1d7b2c3c5938f7087f26b39470a2445d44dc
SHA512 c2ae3d1e5c9d950e4f7a1ffb58351ab7d065745bb222856e85440a5d24206673c2b28677949b387f5245f6a4e62953dc1d629cb7f1c5546e86212bc96b28b282

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbc414534a46257003ff5a0e49593f32
SHA1 dd3e72e163f3f8529775f91586f2a33e0c17a53a
SHA256 dca8eb7af3dde5c1bcc20aeaf12a3815b3d1e3000226504efaf31f3500a40b05
SHA512 2366c73511d5ca65bce9ef609babeb6245b466ab497cd3bdbd56c5c6736ae2513de86b1a06321fb99d6b5afa5582ea50ebbdfac63420d5b32bee0c7286933783

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0225578a8768f5d15c24db1d07cb41e7
SHA1 8dae13e2d244c9ea76ec2d38ab8af710a4ed2262
SHA256 b80811ed378876c045533626a53e486b147640ee9f9847fe5cb300ca0985e936
SHA512 29babe36c5dc1fc178c0c687a650e0db81b1a4671a93d4e29c99978e6f9e42adceab6c8d9e93ad0460c0c141671201005bfe8e06aeed0a90ea774fedd4e21e4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae34e305836353c6e0674836afcbcce9
SHA1 1a02acc4d36fa4fd50efb4031ec5f537fd4450a7
SHA256 65787fe462f0fca05dd64503f5027ccceb8ddcf6c086e79d7b20944bdc7332df
SHA512 f5dfce54ca18d99a6bd677b3cbfb868d586e565611cd0bf82c8a78e72573c587b4c0d612a4abb2a46eb76e1f566aedfbc7b874661dec5ec9da383d37ef6bcc9b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{52124AC4-6CF2-11EE-BACD-7200988DF339}.dat

MD5 e923f9dc91f1bf8b9bcc21ddcc6eaac9
SHA1 98910dbdcaa9359aa2d0ad9aefc39b8ce2d1f92b
SHA256 555b0cb8ea1ce669a4cc03c04ae8d082847b7d1431559d1b82b34b83c0f1c062
SHA512 4ddc1e0f9dcc9198dcca2b4aaab0b97a0619c1a99e6ae4b549d5e10c167d6d007b175f6643101fe0df6216a42410936c6e96c436d74da5d2ec9907252f596e86

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{07765EA0-4869-11EE-BEE3-62B3D3F2749B}.dat

MD5 f37ac0c86521562e5204318f636bc2ce
SHA1 7dbf756d33e71c37cf788566998b1312ba2f0a7c
SHA256 e37881305d926b3b2c8f28bcc67a0d6c0ef9b1be26d1c0cd7e58acd1811a0f02
SHA512 ab1f33cf22717fcfba12843164954b3cfe40203ed5f9ac32c4ba31a0d8f1e166a3a8f70d143b799ce40f7a21aae994fc27f16971978d0c69833b769e1b37321e

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1016-2999-0x000000002FE31000-0x000000002FE32000-memory.dmp

memory/1016-3001-0x000000007187D000-0x0000000071888000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 9ae0ddd1b4df0f4bf4e8129acd90050d
SHA1 55496f67d278738c51529944d54b7916a1dddbbb
SHA256 6f387a7452459b3649c100cb135122dd7dce042fcd67332687032e102af928be
SHA512 842a910dca87aaf7b22282800e19641e9d1b89f2b0107359a22c0d0eb928734f30f4931c9c2c833dd4aef5f6eac49b73e26a16aace110f090eb6be44ca51225c

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc

MD5 55dc7a414ce78d2c6ca4616d453e832b
SHA1 b8f162349519b070d963721bee1f6d1cfde88218
SHA256 6eb2f1c19fe9ee838b4a5b3907116cf3e3e111dee0e00c75a46097ee195959d5
SHA512 dc935fbbe8cb48bbfb4ac97b7c90d70fae83581caf516bcfd2f8666caf211a194d6ecc868874be7f6df099ffa0b13fff41ea20975017ce2309ab6bff018782c1

memory/1016-3035-0x000000007187D000-0x0000000071888000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win7-20230831-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.Primitives.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.Primitives.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win7-20230831-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Console.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Console.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

217s

Max time network

262s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Data.Common.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Data.Common.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:44

Platform

win10v2004-20230915-en

Max time kernel

137s

Max time network

252s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Tools.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Tools.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:40

Platform

win10v2004-20230915-en

Max time kernel

130s

Max time network

310s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.NonGeneric.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.NonGeneric.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win10v2004-20230915-en

Max time kernel

122s

Max time network

307s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.Specialized.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.Specialized.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win7-20230831-en

Max time kernel

120s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Data.Common.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Data.Common.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:45

Platform

win7-20230831-en

Max time kernel

283s

Max time network

319s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Contracts.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Contracts.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:43

Platform

win7-20230831-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.StackTrace.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.StackTrace.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:43

Platform

win7-20230831-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.TextWriterTraceListener.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.TextWriterTraceListener.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win7-20230831-en

Max time kernel

286s

Max time network

318s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Collections.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:41

Platform

win7-20230831-en

Max time kernel

312s

Max time network

319s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.ComponentModel.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win7-20230831-en

Max time kernel

294s

Max time network

320s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Process.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Process.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:43

Platform

win10v2004-20230915-en

Max time kernel

273s

Max time network

281s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.TextWriterTraceListener.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.TextWriterTraceListener.dll",#1

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   8.3.197.209.in-addr.arpa        udp
US       8.8.8.8:53   146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53   67.31.126.40.in-addr.arpa       udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53   59.128.231.4.in-addr.arpa       udp
US       8.8.8.8:53   2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53   86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53   15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53   240.81.21.72.in-addr.arpa       udp
US       8.8.8.8:53   48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53   208.194.73.20.in-addr.arpa      udp
US       8.8.8.8:53   38.148.119.40.in-addr.arpa      udp
US       8.8.8.8:53   13.227.111.52.in-addr.arpa      udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win7-20230831-en

Max time kernel

304s

Max time network

318s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Debug.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Debug.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:42

Platform

win10v2004-20230915-en

Max time kernel

263s

Max time network

272s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Process.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Process.dll",#1

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53   8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53   8.3.197.209.in-addr.arpa        udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53   50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53   15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53   59.128.231.4.in-addr.arpa       udp
US       8.8.8.8:53   1.208.79.178.in-addr.arpa       udp
US       8.8.8.8:53   193.98.74.40.in-addr.arpa       udp
US       8.8.8.8:53   9.57.101.20.in-addr.arpa        udp
US       8.8.8.8:53   11.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa     udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-10-17 13:32

Reported

2023-10-17 13:45

Platform

win7-20230831-en

Max time kernel

359s

Max time network

402s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Tools.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venom 5 HVNC RAT v5.0.4\System.Diagnostics.Tools.dll",#1

Network

N/A

Files

N/A