Malware Analysis Report

2025-08-05 09:54

Sample ID 231207-e3dwdsagh5
Target 74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9
SHA256 49edd5552e23969ee92d51b31f85b09732981fe42f0f7bbc9656bf94c02a26db
Tags
dcrat djvu privateloader risepro smokeloader pu10 backdoor collection discovery evasion infostealer loader persistence ransomware rat spyware stealer themida trojan zgrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49edd5552e23969ee92d51b31f85b09732981fe42f0f7bbc9656bf94c02a26db

Threat Level: Known bad

The file 74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9 was found to be: Known bad.

Malicious Activity Summary

dcrat djvu privateloader risepro smokeloader pu10 backdoor collection discovery evasion infostealer loader persistence ransomware rat spyware stealer themida trojan zgrat

Detect ZGRat V1

RisePro

Detected Djvu ransomware

PrivateLoader

Djvu Ransomware

ZGRat

SmokeLoader

DcRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of local email clients

Themida packer

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_win_path

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 04:27

Reported

2023-12-07 04:30

Platform

win7-20231130-en

Max time kernel

71s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A386.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A386.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A386.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c0a98397-6584-4b98-b894-bf015a351570\\92F1.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\A386.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\92F1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1080 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 1300 wrote to memory of 2556 N/A N/A C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2556 N/A N/A C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2556 N/A N/A C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2556 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2556 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe
PID 1300 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe
PID 1300 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe
PID 1300 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\7EE3.exe
PID 1300 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 1300 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 1300 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 1300 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2960 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 936 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 936 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 936 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 936 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 2792 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\92F1.exe C:\Users\Admin\AppData\Local\Temp\92F1.exe
PID 1300 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 1300 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 1300 wrote to memory of 2308 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe
PID 2308 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe
PID 2308 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe
PID 2308 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe
PID 2308 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\9C16.exe C:\Users\Admin\AppData\Local\Temp\9C16.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe

"C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe"

C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe

"C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7040.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7EE3.exe

C:\Users\Admin\AppData\Local\Temp\7EE3.exe

C:\Users\Admin\AppData\Local\Temp\92F1.exe

C:\Users\Admin\AppData\Local\Temp\92F1.exe

C:\Users\Admin\AppData\Local\Temp\92F1.exe

C:\Users\Admin\AppData\Local\Temp\92F1.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c0a98397-6584-4b98-b894-bf015a351570" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\92F1.exe

"C:\Users\Admin\AppData\Local\Temp\92F1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\92F1.exe

"C:\Users\Admin\AppData\Local\Temp\92F1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

"C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

"C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe"

C:\Users\Admin\AppData\Local\Temp\A386.exe

C:\Users\Admin\AppData\Local\Temp\A386.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\Temp\9C16.exe

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe

"C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1444

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe

"C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 276

C:\Users\Admin\AppData\Local\Temp\3441.exe

C:\Users\Admin\AppData\Local\Temp\3441.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 172.67.167.33:443 edarululoom.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
US 38.47.221.193:34368 tcp
BA 109.175.29.39:80 brusuax.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 185.196.8.238:80 185.196.8.238 tcp
US 104.21.65.24:443 api.2ip.ua tcp
BA 109.175.29.39:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.171.233.129:80 zexeq.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
NL 149.154.167.99:443 tcp
NL 149.154.167.99:443 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
KR 211.171.233.129:80 zexeq.com tcp
FI 95.217.240.71:443 tcp
US 193.233.132.51:50500 tcp
FI 95.217.240.71:443 tcp
FI 95.217.240.71:443 tcp
FI 95.217.240.71:443 95.217.240.71 tcp
US 104.26.5.15:443 tcp
US 104.18.146.235:80 tcp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
RU 85.143.222.45:80 tcp
US 8.8.8.8:53 udp
NL 149.154.167.99:443 tcp
NL 149.154.167.99:443 tcp
US 8.8.8.8:53 udp
US 34.117.59.81:443 tcp
US 34.117.59.81:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
RU 81.19.131.34:80 81.19.131.34 tcp

Files

memory/380-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/380-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1080-5-0x0000000000950000-0x0000000000A50000-memory.dmp

memory/1080-4-0x0000000000220000-0x0000000000229000-memory.dmp

memory/380-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1300-7-0x0000000002D30000-0x0000000002D46000-memory.dmp

memory/380-8-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1080-12-0x0000000000950000-0x0000000000A50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7040.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\7040.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\7EE3.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

memory/2728-43-0x00000000000F0000-0x0000000000BBA000-memory.dmp

memory/2728-44-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-45-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-46-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-47-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-50-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-52-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-57-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-63-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

memory/2728-62-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-61-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-60-0x00000000766D0000-0x0000000076717000-memory.dmp

memory/2728-59-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-58-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-56-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-55-0x00000000766D0000-0x0000000076717000-memory.dmp

memory/2728-54-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-53-0x00000000766D0000-0x0000000076717000-memory.dmp

memory/2728-65-0x00000000000F0000-0x0000000000BBA000-memory.dmp

memory/2728-64-0x0000000074C40000-0x000000007532E000-memory.dmp

memory/2728-66-0x0000000007D60000-0x0000000007DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

C:\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/2960-73-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2960-82-0x0000000002260000-0x000000000237B000-memory.dmp

memory/936-83-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/2960-79-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/936-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-78-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f298a5f9ed6d05e1080b813cc26b0d1e
SHA1 2f2d886c1287585b7bec393ed368605a8f838517
SHA256 ff258dacb08b7d3c87c94cfff1f0c71a80f004ab93a13c8010af9dbba8d0a52e
SHA512 57354743a4213b2508db1b2e2841fda90f01827fc98b04bd502d5394e71d85fae93dc0a8e93d9985d0b1b164b8d5de76c0c19a448101e2b65fbca0dcd5761dda

C:\Users\Admin\AppData\Local\c0a98397-6584-4b98-b894-bf015a351570\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

C:\Users\Admin\AppData\Local\Temp\Cab96A4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/936-109-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c05d57b974c3c9f0e6a12ce4c7fc774
SHA1 cbaa371fe2110a24f8eb29b0071e838059116116
SHA256 9b81d2da9ae3f1cdfe045b207ec2249d51a281eb49a65b40e89a0761d9ab6480
SHA512 7f52e1f44f2703ec654b9d0dc8a8aefb6385d0c29503b6d145bd39fcf4fd11c27f92700dbed6a59350ff407f4dabbeb82f682dec97ecdfdaf5a5724d7ad124e0

memory/2792-111-0x00000000008F0000-0x0000000000981000-memory.dmp

\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/2792-118-0x00000000008F0000-0x0000000000981000-memory.dmp

memory/1828-119-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92F1.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/1828-120-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\Tar9A0F.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd08fef09d385b60ce1fb4f2a01c25d3
SHA1 d71b3710a800c98b6e7e811d27f647f7aaaf09e3
SHA256 3b00ffb3e2aea1eb18a8791aed6f77be7b17f4f5181d2a0c8ad40be3f627b525
SHA512 12948984db1adc42068aa06afb58e42a65aef36c8abf053abbaa1f9c353690fec4e402ac7236440c09fdc6ddcf188be66e413393288283bf322f3d288853fe63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 125b0818bf2d89687336957f4d4a2ded
SHA1 c7b09fad9f1b8d807006c0dfd22a93d3980a339a
SHA256 9195cc1fb0b660fac51468f843d808931b22edbc1dac2903d3db018e68df0971
SHA512 2ca2e1514c2aebf7735be03b0034e8f62292f5ae18b2d615d4d41180f466ab2a78c1d46c603736bd08a064120148b3417cad6ce949b0b2f90e8ecf0fbb88d60a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 25718b3e7b531e219522600ebdc5e3cd
SHA1 9c2ab05a956349989d09a1052cd65c4931c48480
SHA256 76a02e048539e75111d6603677fa3421775053a4119f3e2572542a9ec86b8ab8
SHA512 726e97c2c4aaa1ef22d86a9007d56dce0c4826c171a95787683a3dc58ea5160bec0ef487f102d6c24650a3aa203e1818f5649bad881b198b8806173022d8cc6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1ab66c181fee06ecb7e3aa0054704175
SHA1 de4fd40bb3e9486e307e90eed535bdbc87ef0d8d
SHA256 356de5a22d055ad00bcda993489df03929f5722b73e71eecf86c9c8540766cbb
SHA512 80f3f41faa08846f50700a0614055ef09fcfbacde947b7adff9883b4db37000c763ecfb3ca0779dbe54ae31c41c0065e9cc63a6129779e9649e7d968083a50fc

memory/1828-134-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1828-133-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

memory/2308-141-0x0000000000810000-0x000000000091C000-memory.dmp

memory/2728-140-0x00000000000F0000-0x0000000000BBA000-memory.dmp

memory/2308-142-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

memory/2728-146-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-147-0x00000000766D0000-0x0000000076717000-memory.dmp

memory/2728-148-0x00000000766D0000-0x0000000076717000-memory.dmp

memory/2728-145-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2308-150-0x000000001BDD0000-0x000000001BEB0000-memory.dmp

memory/2308-151-0x000000001BEB0000-0x000000001BF78000-memory.dmp

memory/2308-152-0x000000001C520000-0x000000001C5E8000-memory.dmp

memory/2308-153-0x00000000022B0000-0x00000000022FC000-memory.dmp

memory/2308-149-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/2728-144-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-143-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

memory/2308-174-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

memory/1828-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1828-181-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1828-178-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\A386.exe

MD5 27543e0a7ebe636ac7b27eb6b957081d
SHA1 d6373a02009793803b6647aea547cb3ac07e2add
SHA256 eaa35a4659a3e9bfab26deadf7d8fe2c6b92c1ffa146a3bbffdc8f744cdf5950
SHA512 e091d6e0e31f5414c498d9522a30edb53946edcb0d227e73f9fe41727b2c89a40ce1a160a449c4369d9399b0119d43597cd00b96ca5500c342f7683adb71bd2a

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

MD5 70367946d23c6939cfc67fe3f2d5a3ef
SHA1 c895f342f55455e3d61cdb204c864f01b0afa440
SHA256 3c65ee093498977c313a5bf94183d02b69c525c3f1685f1334a530f5479d672e
SHA512 05f832a951a469c5fcc03e81c03b377ac977e7132a10a16c34d0bdd79292051e3a7153c5e7cadd237a51ae1cfa732d7e7afe67e69a69b8f67d7052f2666f3176

memory/2880-216-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

memory/2880-217-0x0000000000220000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

MD5 70367946d23c6939cfc67fe3f2d5a3ef
SHA1 c895f342f55455e3d61cdb204c864f01b0afa440
SHA256 3c65ee093498977c313a5bf94183d02b69c525c3f1685f1334a530f5479d672e
SHA512 05f832a951a469c5fcc03e81c03b377ac977e7132a10a16c34d0bdd79292051e3a7153c5e7cadd237a51ae1cfa732d7e7afe67e69a69b8f67d7052f2666f3176

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

MD5 416f8f7918af04562509c7996b101409
SHA1 aeb5b75129ddb2cecf1c5dd2b6046d462e306f94
SHA256 2d2f26c376bfb64f11ce44123334cd38176f0797195a856f77801b4288243908
SHA512 b69085eaa68c192c4857b9f75e08c8475013a334845c9f428b1ea17aa425afa84bdf0d696518ef9df76e7e59e22da4d1040747926b06311f488b96f0d4c1419e

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

MD5 72dad417c36796af99c888aa77da2341
SHA1 c5523b09ee05f966e1148b0df9ffede1f279240a
SHA256 5473ae7f972f4d35cc3c7d8d63e8fca19935f3c62fb07c5d79d86e0e3605f424
SHA512 968495bed29d398baadb398ffe004b71388d8c09c4159ebc4746976e8211a3525df34fb5d73d9f51b0896c729667e6529b142493049a5a5190a14e356ea18dd6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

MD5 72dad417c36796af99c888aa77da2341
SHA1 c5523b09ee05f966e1148b0df9ffede1f279240a
SHA256 5473ae7f972f4d35cc3c7d8d63e8fca19935f3c62fb07c5d79d86e0e3605f424
SHA512 968495bed29d398baadb398ffe004b71388d8c09c4159ebc4746976e8211a3525df34fb5d73d9f51b0896c729667e6529b142493049a5a5190a14e356ea18dd6

memory/2176-244-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

memory/2728-241-0x0000000074C40000-0x000000007532E000-memory.dmp

memory/2176-236-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

MD5 72dad417c36796af99c888aa77da2341
SHA1 c5523b09ee05f966e1148b0df9ffede1f279240a
SHA256 5473ae7f972f4d35cc3c7d8d63e8fca19935f3c62fb07c5d79d86e0e3605f424
SHA512 968495bed29d398baadb398ffe004b71388d8c09c4159ebc4746976e8211a3525df34fb5d73d9f51b0896c729667e6529b142493049a5a5190a14e356ea18dd6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

MD5 72dad417c36796af99c888aa77da2341
SHA1 c5523b09ee05f966e1148b0df9ffede1f279240a
SHA256 5473ae7f972f4d35cc3c7d8d63e8fca19935f3c62fb07c5d79d86e0e3605f424
SHA512 968495bed29d398baadb398ffe004b71388d8c09c4159ebc4746976e8211a3525df34fb5d73d9f51b0896c729667e6529b142493049a5a5190a14e356ea18dd6

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

MD5 416f8f7918af04562509c7996b101409
SHA1 aeb5b75129ddb2cecf1c5dd2b6046d462e306f94
SHA256 2d2f26c376bfb64f11ce44123334cd38176f0797195a856f77801b4288243908
SHA512 b69085eaa68c192c4857b9f75e08c8475013a334845c9f428b1ea17aa425afa84bdf0d696518ef9df76e7e59e22da4d1040747926b06311f488b96f0d4c1419e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

MD5 416f8f7918af04562509c7996b101409
SHA1 aeb5b75129ddb2cecf1c5dd2b6046d462e306f94
SHA256 2d2f26c376bfb64f11ce44123334cd38176f0797195a856f77801b4288243908
SHA512 b69085eaa68c192c4857b9f75e08c8475013a334845c9f428b1ea17aa425afa84bdf0d696518ef9df76e7e59e22da4d1040747926b06311f488b96f0d4c1419e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

MD5 416f8f7918af04562509c7996b101409
SHA1 aeb5b75129ddb2cecf1c5dd2b6046d462e306f94
SHA256 2d2f26c376bfb64f11ce44123334cd38176f0797195a856f77801b4288243908
SHA512 b69085eaa68c192c4857b9f75e08c8475013a334845c9f428b1ea17aa425afa84bdf0d696518ef9df76e7e59e22da4d1040747926b06311f488b96f0d4c1419e

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/2176-219-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

MD5 70367946d23c6939cfc67fe3f2d5a3ef
SHA1 c895f342f55455e3d61cdb204c864f01b0afa440
SHA256 3c65ee093498977c313a5bf94183d02b69c525c3f1685f1334a530f5479d672e
SHA512 05f832a951a469c5fcc03e81c03b377ac977e7132a10a16c34d0bdd79292051e3a7153c5e7cadd237a51ae1cfa732d7e7afe67e69a69b8f67d7052f2666f3176

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

MD5 70367946d23c6939cfc67fe3f2d5a3ef
SHA1 c895f342f55455e3d61cdb204c864f01b0afa440
SHA256 3c65ee093498977c313a5bf94183d02b69c525c3f1685f1334a530f5479d672e
SHA512 05f832a951a469c5fcc03e81c03b377ac977e7132a10a16c34d0bdd79292051e3a7153c5e7cadd237a51ae1cfa732d7e7afe67e69a69b8f67d7052f2666f3176

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

\Users\Admin\AppData\Local\Temp\A386.exe

MD5 27543e0a7ebe636ac7b27eb6b957081d
SHA1 d6373a02009793803b6647aea547cb3ac07e2add
SHA256 eaa35a4659a3e9bfab26deadf7d8fe2c6b92c1ffa146a3bbffdc8f744cdf5950
SHA512 e091d6e0e31f5414c498d9522a30edb53946edcb0d227e73f9fe41727b2c89a40ce1a160a449c4369d9399b0119d43597cd00b96ca5500c342f7683adb71bd2a

memory/1828-307-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A386.exe

MD5 27543e0a7ebe636ac7b27eb6b957081d
SHA1 d6373a02009793803b6647aea547cb3ac07e2add
SHA256 eaa35a4659a3e9bfab26deadf7d8fe2c6b92c1ffa146a3bbffdc8f744cdf5950
SHA512 e091d6e0e31f5414c498d9522a30edb53946edcb0d227e73f9fe41727b2c89a40ce1a160a449c4369d9399b0119d43597cd00b96ca5500c342f7683adb71bd2a

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

\Users\Admin\AppData\Local\Temp\9C16.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

memory/2728-346-0x0000000007D60000-0x0000000007DA0000-memory.dmp

memory/1828-373-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\917df0c5-89a7-4886-b505-b1df368fa4e0\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1200-398-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1200-396-0x00000000009E2000-0x00000000009F3000-memory.dmp

memory/1188-401-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1188-399-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1188-395-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2176-438-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIA3nTP1GQvtcp_I\information.txt

MD5 9733f4fdeeb860a33930c7dd44213b16
SHA1 0ba3f07501725f1ccea13bd3f7458bdd7f9a9a8b
SHA256 b32e25bdbbeb2a4f6e2871434b0c9d329b5eb6ac631c3960232095bdd38b6794
SHA512 07b1a35fa53c1772059a8a8eda65d46bf099789057a7bf88cb88ac460c75a51067c45e92fea17a1690b68d8173c9436bd4b6c1338918deea96b48e0c2821003a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

MD5 37012d772500beaab78dfa3f0ff70f16
SHA1 3568401ed9746edca51f38f0674a800650a33d14
SHA256 e99f9f6e677fff2de2a31a8323430214e16d98e3357173be8af92717309cbdfc
SHA512 23846108aef60f1ab23c4f3967c285386911a5b1f9c33e424b284e2e245e0b84a8ede6718a7db3cf7c82fb83c6061d16bfc7b3a4295362f5129fc1ab818844aa

memory/284-492-0x0000000000020000-0x000000000002B000-memory.dmp

memory/284-491-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2860-490-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2860-489-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2728-494-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-496-0x0000000074C40000-0x000000007532E000-memory.dmp

memory/2728-498-0x00000000766D0000-0x0000000076717000-memory.dmp

memory/2728-499-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-500-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/2728-501-0x00000000000F0000-0x0000000000BBA000-memory.dmp

memory/2728-497-0x0000000075AA0000-0x0000000075BB0000-memory.dmp

memory/1300-506-0x0000000003F90000-0x0000000003FA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

MD5 141215d59c148c18010077ebf2d25c3e
SHA1 6a31e12e600ddb50cb90975c9cc4bd99243d007f
SHA256 01d6e604095acc89d624f26735bd4efcd91f9c97a283f8d7f33fd78e6fa2dd51
SHA512 927597b1b81a6a2bd6b2b32a7593dab329ecfca1f846b4ea1af14deaad1d142c3a7ad0371ae084d1f697f52a1b3528973c10089eb84de80f8d56e411c6f1f235

memory/2044-516-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-518-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-519-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-525-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-523-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-531-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-521-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-520-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2044-517-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-515-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-514-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2044-532-0x0000000000400000-0x0000000000598000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 04:27

Reported

2023-12-07 04:30

Platform

win10v2004-20231201-en

Max time kernel

68s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe"

Signatures

DcRat

rat infostealer dcrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\A152.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\A152.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\A152.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B5B5.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae7f1749-6f75-40d6-b19a-bb68a4ec96bb\\B5B5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B5B5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C5B5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\A152.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A152.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A152.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 2596 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 2596 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 2596 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 2596 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 2596 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe
PID 3516 wrote to memory of 3536 N/A N/A C:\Windows\system32\cmd.exe
PID 3516 wrote to memory of 3536 N/A N/A C:\Windows\system32\cmd.exe
PID 3536 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3536 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3516 wrote to memory of 4760 N/A N/A C:\Users\Admin\AppData\Local\Temp\A152.exe
PID 3516 wrote to memory of 4760 N/A N/A C:\Users\Admin\AppData\Local\Temp\A152.exe
PID 3516 wrote to memory of 4760 N/A N/A C:\Users\Admin\AppData\Local\Temp\A152.exe
PID 3516 wrote to memory of 4112 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3516 wrote to memory of 4112 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3516 wrote to memory of 4112 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 4112 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 2524 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Windows\SysWOW64\icacls.exe
PID 2524 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Windows\SysWOW64\icacls.exe
PID 2524 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Windows\SysWOW64\icacls.exe
PID 2524 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 2524 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 2524 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3648 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\B5B5.exe C:\Users\Admin\AppData\Local\Temp\B5B5.exe
PID 3516 wrote to memory of 4976 N/A N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 3516 wrote to memory of 4976 N/A N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 4976 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 4976 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 4976 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 4976 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 4976 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 4976 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\BECF.exe C:\Users\Admin\AppData\Local\Temp\BECF.exe
PID 3516 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\C5B5.exe
PID 3516 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\C5B5.exe
PID 3516 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\C5B5.exe
PID 1976 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C5B5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1976 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C5B5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1976 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C5B5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe
PID 4736 wrote to memory of 4836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe
PID 4736 wrote to memory of 4836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe
PID 4836 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe
PID 4836 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe
PID 4836 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe
PID 1544 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe
PID 1544 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe

"C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe"

C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe

"C:\Users\Admin\AppData\Local\Temp\74afedc7e1ddfe9e427f4f32c964351abffecc6162f988846d4faa0c91c847f9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1180 -ip 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\978D.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\A152.exe

C:\Users\Admin\AppData\Local\Temp\A152.exe

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ae7f1749-6f75-40d6-b19a-bb68a4ec96bb" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

"C:\Users\Admin\AppData\Local\Temp\B5B5.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3636 -ip 3636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 568

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

"C:\Users\Admin\AppData\Local\Temp\B5B5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\BECF.exe

C:\Users\Admin\AppData\Local\Temp\BECF.exe

C:\Users\Admin\AppData\Local\Temp\C5B5.exe

C:\Users\Admin\AppData\Local\Temp\C5B5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\AppData\Local\Temp\BECF.exe

C:\Users\Admin\AppData\Local\Temp\BECF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1480

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2240 -ip 2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 568

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Nu1sk4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Nu1sk4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1876 -ip 1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,6896989618102609283,3270062105285636873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6896989618102609283,3270062105285636873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,805178315120165036,2509445145118740844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,805178315120165036,2509445145118740844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12800995077525578097,13007918660907429497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,15153045791319481105,17365097850675819653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12800995077525578097,13007918660907429497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff90b046f8,0x7fff90b04708,0x7fff90b04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14222169203728423668,6642414100379871417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4F0A.exe

C:\Users\Admin\AppData\Local\Temp\4F0A.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 45.222.143.85.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 172.67.167.33:443 edarululoom.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 33.167.67.172.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
US 38.47.221.193:34368 tcp
KR 210.182.29.70:80 brusuax.com tcp
US 8.8.8.8:53 193.221.47.38.in-addr.arpa udp
US 8.8.8.8:53 70.29.182.210.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 185.196.8.238:80 185.196.8.238 tcp
US 8.8.8.8:53 238.8.196.185.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 45.182.107.109.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 accounts.google.com udp
BE 64.233.166.84:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 store.steampowered.com udp
GB 157.240.221.35:443 www.facebook.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 173.222.13.119:443 store.steampowered.com tcp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 twitter.com udp
US 34.197.80.124:443 www.epicgames.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 104.244.42.129:443 twitter.com tcp
US 151.101.1.21:443 www.paypal.com tcp
BE 64.233.166.84:443 accounts.google.com udp
US 8.8.8.8:53 84.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 119.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 124.80.197.34.in-addr.arpa udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 129.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.92.85.52.in-addr.arpa udp
RU 85.143.222.45:80 tcp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 pbs.twimg.com udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 104.244.42.66:443 api.twitter.com tcp
US 192.229.233.50:443 pbs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 8.8.8.8:53 t.co udp
GB 216.58.212.214:443 i.ytimg.com tcp
US 104.244.42.197:443 t.co tcp
US 192.229.220.133:443 video.twimg.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 50.233.229.192.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 214.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 197.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 133.220.229.192.in-addr.arpa udp
US 8.8.8.8:53 66.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.ads-twitter.com udp
GB 199.232.56.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 151.101.2.133:443 www.paypalobjects.com tcp
US 151.101.2.133:443 www.paypalobjects.com tcp
US 151.101.2.133:443 www.paypalobjects.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 157.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 200.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 133.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 220.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 udp
US 3.82.86.51:443 tracking.epicgames.com tcp
DE 52.85.92.73:443 static-assets-prod.unrealengine.com tcp
DE 52.85.92.73:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.35:443 facebook.com tcp
US 151.101.2.133:443 www.paypalobjects.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 73.92.85.52.in-addr.arpa udp
US 8.8.8.8:53 51.86.82.3.in-addr.arpa udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 192.55.233.1:443 tcp
GB 142.250.200.3:443 www.recaptcha.net udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 192.229.221.25:443 t.paypal.com tcp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 login.steampowered.com udp
GB 104.103.202.103:443 login.steampowered.com tcp
US 8.8.8.8:53 c6.paypal.com udp
US 151.101.1.35:443 c6.paypal.com tcp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.103.202.103:443 api.steampowered.com tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
DE 52.85.92.73:443 static-assets-prod.unrealengine.com tcp
US 104.244.42.66:443 api.twitter.com tcp
US 104.244.42.66:443 api.twitter.com tcp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 172.64.146.120:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 120.146.64.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 rr4---sn-q4fl6nsd.googlevideo.com udp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 8.8.8.8:53 90.219.19.104.in-addr.arpa udp
US 8.8.8.8:53 169.3.125.74.in-addr.arpa udp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 35.186.247.156:443 sentry.io udp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp

Files

memory/2596-2-0x0000000000960000-0x0000000000A60000-memory.dmp

memory/1180-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1180-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2596-3-0x0000000000930000-0x0000000000939000-memory.dmp

memory/3516-5-0x0000000002430000-0x0000000002446000-memory.dmp

memory/1180-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\978D.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\A152.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

C:\Users\Admin\AppData\Local\Temp\A152.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

memory/4760-21-0x0000000000F70000-0x0000000001A3A000-memory.dmp

memory/4760-22-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4760-23-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4760-25-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4760-26-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4760-24-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4760-27-0x0000000076FB4000-0x0000000076FB6000-memory.dmp

memory/4760-30-0x0000000000F70000-0x0000000001A3A000-memory.dmp

memory/4760-31-0x0000000008620000-0x0000000008BC4000-memory.dmp

memory/4760-32-0x0000000008110000-0x00000000081A2000-memory.dmp

memory/4760-33-0x0000000003890000-0x000000000389A000-memory.dmp

memory/4760-34-0x00000000091F0000-0x0000000009808000-memory.dmp

memory/4760-35-0x00000000083B0000-0x00000000084BA000-memory.dmp

memory/4760-36-0x00000000082E0000-0x00000000082F2000-memory.dmp

memory/4760-37-0x0000000008340000-0x000000000837C000-memory.dmp

memory/4760-38-0x00000000084C0000-0x000000000850C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/2524-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4112-46-0x00000000025F0000-0x000000000270B000-memory.dmp

memory/2524-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2524-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/2524-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4112-44-0x0000000002550000-0x00000000025E5000-memory.dmp

C:\Users\Admin\AppData\Local\ae7f1749-6f75-40d6-b19a-bb68a4ec96bb\B5B5.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/2524-60-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3636-66-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3636-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3636-67-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B5B5.exe

MD5 b1f31236459cbda1153d838b547982a6
SHA1 39ab66f0d0c48cf14a3a201e58a1dbf0e327cc95
SHA256 cc76c8c1c3a5c3daadd88d5fa6d651dba5517a60bc26d19d6020668587b2bf43
SHA512 db1001ff09e1f950b01748081d6a83d9239811dbc54ec8eafbe2fe1e4c76de7d9f62afc9f3f206e8b8586467bb73b7e6d0087186001d5453e087b1139fa156dc

memory/3648-63-0x0000000002570000-0x0000000002605000-memory.dmp

memory/4976-76-0x0000018B2F080000-0x0000018B2F18C000-memory.dmp

memory/4760-77-0x0000000000F70000-0x0000000001A3A000-memory.dmp

memory/4760-79-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4976-80-0x0000018B49890000-0x0000018B49970000-memory.dmp

memory/4760-78-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4976-82-0x00007FFF8F2C0000-0x00007FFF8FD81000-memory.dmp

memory/4976-84-0x0000018B495B0000-0x0000018B495C0000-memory.dmp

memory/4760-85-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4976-83-0x0000018B49970000-0x0000018B49A38000-memory.dmp

memory/4760-81-0x0000000008D40000-0x0000000008DA6000-memory.dmp

memory/4760-86-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4976-87-0x0000018B49A40000-0x0000018B49B08000-memory.dmp

memory/4976-88-0x0000018B49B10000-0x0000018B49B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BECF.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\BECF.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Temp\BECF.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BECF.exe.log

MD5 638ba0507fa15cd4462cdd879c2114fa
SHA1 f23dfc22ea05f6abb8f9aa11a855ef8f3c51d7f2
SHA256 f91ebecc8963ff1840636f0c2a8f5350beb6eebab8b7d99068ad0b19bcccb478
SHA512 23d440dc8ecfa6c43e89895de038c564bb5e09174a6818a5952d5d589296a6ae77e71a4fc5de3773a6bf27aebb69bdb670f2a2609cf8658668759b50dffc8520

memory/4976-95-0x00007FFF8F2C0000-0x00007FFF8FD81000-memory.dmp

memory/4760-96-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/1860-93-0x0000025B797E0000-0x0000025B798C4000-memory.dmp

memory/1860-99-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-98-0x00007FFF8F2C0000-0x00007FFF8FD81000-memory.dmp

memory/1860-97-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-94-0x0000025B799B0000-0x0000025B799C0000-memory.dmp

memory/1860-107-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-111-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-117-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-119-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-125-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-129-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-133-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-135-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-141-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-139-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-137-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-131-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-127-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-123-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-121-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-115-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-113-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-109-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-105-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C5B5.exe

MD5 27543e0a7ebe636ac7b27eb6b957081d
SHA1 d6373a02009793803b6647aea547cb3ac07e2add
SHA256 eaa35a4659a3e9bfab26deadf7d8fe2c6b92c1ffa146a3bbffdc8f744cdf5950
SHA512 e091d6e0e31f5414c498d9522a30edb53946edcb0d227e73f9fe41727b2c89a40ce1a160a449c4369d9399b0119d43597cd00b96ca5500c342f7683adb71bd2a

C:\Users\Admin\AppData\Local\Temp\C5B5.exe

MD5 27543e0a7ebe636ac7b27eb6b957081d
SHA1 d6373a02009793803b6647aea547cb3ac07e2add
SHA256 eaa35a4659a3e9bfab26deadf7d8fe2c6b92c1ffa146a3bbffdc8f744cdf5950
SHA512 e091d6e0e31f5414c498d9522a30edb53946edcb0d227e73f9fe41727b2c89a40ce1a160a449c4369d9399b0119d43597cd00b96ca5500c342f7683adb71bd2a

memory/1860-103-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

MD5 70367946d23c6939cfc67fe3f2d5a3ef
SHA1 c895f342f55455e3d61cdb204c864f01b0afa440
SHA256 3c65ee093498977c313a5bf94183d02b69c525c3f1685f1334a530f5479d672e
SHA512 05f832a951a469c5fcc03e81c03b377ac977e7132a10a16c34d0bdd79292051e3a7153c5e7cadd237a51ae1cfa732d7e7afe67e69a69b8f67d7052f2666f3176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

MD5 72dad417c36796af99c888aa77da2341
SHA1 c5523b09ee05f966e1148b0df9ffede1f279240a
SHA256 5473ae7f972f4d35cc3c7d8d63e8fca19935f3c62fb07c5d79d86e0e3605f424
SHA512 968495bed29d398baadb398ffe004b71388d8c09c4159ebc4746976e8211a3525df34fb5d73d9f51b0896c729667e6529b142493049a5a5190a14e356ea18dd6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rl93rB8.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tk2jk11.exe

MD5 72dad417c36796af99c888aa77da2341
SHA1 c5523b09ee05f966e1148b0df9ffede1f279240a
SHA256 5473ae7f972f4d35cc3c7d8d63e8fca19935f3c62fb07c5d79d86e0e3605f424
SHA512 968495bed29d398baadb398ffe004b71388d8c09c4159ebc4746976e8211a3525df34fb5d73d9f51b0896c729667e6529b142493049a5a5190a14e356ea18dd6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

MD5 416f8f7918af04562509c7996b101409
SHA1 aeb5b75129ddb2cecf1c5dd2b6046d462e306f94
SHA256 2d2f26c376bfb64f11ce44123334cd38176f0797195a856f77801b4288243908
SHA512 b69085eaa68c192c4857b9f75e08c8475013a334845c9f428b1ea17aa425afa84bdf0d696518ef9df76e7e59e22da4d1040747926b06311f488b96f0d4c1419e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV7ln39.exe

MD5 416f8f7918af04562509c7996b101409
SHA1 aeb5b75129ddb2cecf1c5dd2b6046d462e306f94
SHA256 2d2f26c376bfb64f11ce44123334cd38176f0797195a856f77801b4288243908
SHA512 b69085eaa68c192c4857b9f75e08c8475013a334845c9f428b1ea17aa425afa84bdf0d696518ef9df76e7e59e22da4d1040747926b06311f488b96f0d4c1419e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sz7UZ31.exe

MD5 70367946d23c6939cfc67fe3f2d5a3ef
SHA1 c895f342f55455e3d61cdb204c864f01b0afa440
SHA256 3c65ee093498977c313a5bf94183d02b69c525c3f1685f1334a530f5479d672e
SHA512 05f832a951a469c5fcc03e81c03b377ac977e7132a10a16c34d0bdd79292051e3a7153c5e7cadd237a51ae1cfa732d7e7afe67e69a69b8f67d7052f2666f3176

memory/1860-101-0x0000025B797E0000-0x0000025B798C0000-memory.dmp

memory/1860-89-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/4760-732-0x0000000009B60000-0x0000000009BB0000-memory.dmp

memory/1860-2391-0x0000025B777F0000-0x0000025B777F8000-memory.dmp

memory/1860-2392-0x0000025B79AC0000-0x0000025B79B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIA3nTP1GQvtcp_I\information.txt

MD5 ebc36ad5f6b2f102211fcdd5b70ee41a
SHA1 080fbeec7e61c02599ce54f213f50888be4ea5bc
SHA256 6b7da46e20537230bfb36b0b9ee8ebb84f297c3c5f9eb138c44f618fe7dc398b
SHA512 bbace21b66d7673ee895eda5835e201bf55b805b3e8e356b9f4d46e51f4616be69f885b3f8af51f3644f66acc03ca4dc9bffa1deb2bb946ea153d9e667d038c9

memory/1860-2408-0x0000025B79E70000-0x0000025B79EC4000-memory.dmp

memory/1860-2410-0x00007FFF8F2C0000-0x00007FFF8FD81000-memory.dmp

memory/4760-2411-0x0000000009D80000-0x0000000009F42000-memory.dmp

memory/4760-2412-0x000000000A480000-0x000000000A9AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

MD5 37012d772500beaab78dfa3f0ff70f16
SHA1 3568401ed9746edca51f38f0674a800650a33d14
SHA256 e99f9f6e677fff2de2a31a8323430214e16d98e3357173be8af92717309cbdfc
SHA512 23846108aef60f1ab23c4f3967c285386911a5b1f9c33e424b284e2e245e0b84a8ede6718a7db3cf7c82fb83c6061d16bfc7b3a4295362f5129fc1ab818844aa

memory/1732-2417-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mx26da.exe

MD5 37012d772500beaab78dfa3f0ff70f16
SHA1 3568401ed9746edca51f38f0674a800650a33d14
SHA256 e99f9f6e677fff2de2a31a8323430214e16d98e3357173be8af92717309cbdfc
SHA512 23846108aef60f1ab23c4f3967c285386911a5b1f9c33e424b284e2e245e0b84a8ede6718a7db3cf7c82fb83c6061d16bfc7b3a4295362f5129fc1ab818844aa

memory/4760-2420-0x00000000756F0000-0x00000000757E0000-memory.dmp

memory/4760-2421-0x0000000000F70000-0x0000000001A3A000-memory.dmp

memory/1732-2423-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

MD5 141215d59c148c18010077ebf2d25c3e
SHA1 6a31e12e600ddb50cb90975c9cc4bd99243d007f
SHA256 01d6e604095acc89d624f26735bd4efcd91f9c97a283f8d7f33fd78e6fa2dd51
SHA512 927597b1b81a6a2bd6b2b32a7593dab329ecfca1f846b4ea1af14deaad1d142c3a7ad0371ae084d1f697f52a1b3528973c10089eb84de80f8d56e411c6f1f235

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4db682gg.exe

MD5 141215d59c148c18010077ebf2d25c3e
SHA1 6a31e12e600ddb50cb90975c9cc4bd99243d007f
SHA256 01d6e604095acc89d624f26735bd4efcd91f9c97a283f8d7f33fd78e6fa2dd51
SHA512 927597b1b81a6a2bd6b2b32a7593dab329ecfca1f846b4ea1af14deaad1d142c3a7ad0371ae084d1f697f52a1b3528973c10089eb84de80f8d56e411c6f1f235

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 179be4427e195731c6fb919e61aaba84
SHA1 7bbbdd1791ccd9c89003011800b709fa1395bed9
SHA256 6f675852d5665439530357973822f654fcb3c79863981f6712ab0a865dea8101
SHA512 4363e1affe0045cffc1adf937f42b11ffbf848aeb9620583fbe764c72444d94a2ef2e355c0f964168aa04c5fae1ed3d6616c2f6e3129bb1009480bc2ba529bcf

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 66351ea72e65dcf5b1b8194608a65823
SHA1 569f87936060583714bbb83aab914a9e272931e1
SHA256 1d422bacee488501c9fbc1d2d2403091d9b6e22e14b08f2e660a11e9db3b53f9
SHA512 d87e6c65f60b5bc93dd2fc9c7512b60ba510dfc499751bee26bd4663f628d1ed4a72761bc735e92f3bae263c46a39f0990a60c193e44eaa94ed6269e77039bd7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 1cbe0b33579b44c4817d71edb27ef2cb
SHA1 831cf03582586bfa1ccdc9d35ead8987a064e8c4
SHA256 068d83fd9ff37d758886a9cc60ac03a811a67cb419714faaebf115f0c785b5d6
SHA512 6d084fe419b246bc50141c789086d00addcd794d2232365d1dd73bb63127adcf2c6dbe4f7718b4f73cbcefeab96fe5d6fb8287830d859491044a635b77ebeca0

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

MD5 ec3584f3db838942ec3669db02dc908e
SHA1 8dceb96874d5c6425ebb81bfee587244c89416da
SHA256 77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA512 35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Nu1sk4.exe

MD5 a3b5d3ce78539118a1b60d2fa9b2ff86
SHA1 612fa5a61dde201936c7ea80b7b4bb43e98afa12
SHA256 475611038fa1bf52d4a090c5837bf99559e4f735dee01eeb9ca0f9f6b8ca7d1d
SHA512 19fbcc6fee2a492e6041c289e30150b07f90d11747830fdb0ecf011f4c3742a487631f50ab5a4fb891588ce5676b956a1141dcf20cdaea33ad86bd7d9077197d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Nu1sk4.exe

MD5 a3b5d3ce78539118a1b60d2fa9b2ff86
SHA1 612fa5a61dde201936c7ea80b7b4bb43e98afa12
SHA256 475611038fa1bf52d4a090c5837bf99559e4f735dee01eeb9ca0f9f6b8ca7d1d
SHA512 19fbcc6fee2a492e6041c289e30150b07f90d11747830fdb0ecf011f4c3742a487631f50ab5a4fb891588ce5676b956a1141dcf20cdaea33ad86bd7d9077197d

memory/940-2452-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe

MD5 17e27d8786d334255628f0c8f735a6f0
SHA1 c30fbbf7229b49f68a261f87843cb16723dd32b8
SHA256 51b4fbd863ef1852d12be717044fc462510f09b4027b3cf358a519d94dda98df
SHA512 6bb9b6581ba03c4833e77fb6ceba44f858fbfa6a6b432fc070d7e4d6f36f86b2036bfd55a529982ee114ad42f8852f6b1f42991d4be7ceb4fd9313e048c70712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ih9vP3.exe

MD5 17e27d8786d334255628f0c8f735a6f0
SHA1 c30fbbf7229b49f68a261f87843cb16723dd32b8
SHA256 51b4fbd863ef1852d12be717044fc462510f09b4027b3cf358a519d94dda98df
SHA512 6bb9b6581ba03c4833e77fb6ceba44f858fbfa6a6b432fc070d7e4d6f36f86b2036bfd55a529982ee114ad42f8852f6b1f42991d4be7ceb4fd9313e048c70712

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7e28bd87b49b80368d7aba631ad5cced
SHA1 2e1e3221819f19cdafe0af74dc0bac7ea4754f93
SHA256 0a5962af258cc996e30f1dbb7fe93e31127db64a3ede9badf16dd1f43de85341
SHA512 3b14b752c6706abba6ba0760ccafb7e2160f9bc28e5ff241c67819ce152f4f0e31fc691a2b06cde2aefcbecbf8be8c1cd1de61b8b4eb5d13f1ed9fe9a30935fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7e28bd87b49b80368d7aba631ad5cced
SHA1 2e1e3221819f19cdafe0af74dc0bac7ea4754f93
SHA256 0a5962af258cc996e30f1dbb7fe93e31127db64a3ede9badf16dd1f43de85341
SHA512 3b14b752c6706abba6ba0760ccafb7e2160f9bc28e5ff241c67819ce152f4f0e31fc691a2b06cde2aefcbecbf8be8c1cd1de61b8b4eb5d13f1ed9fe9a30935fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

\??\pipe\LOCAL\crashpad_2280_NPSASOWVLHUPEMBZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2940_RCTICDIPGKIUGQFT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

\??\pipe\LOCAL\crashpad_3156_VAFYETTWURDCMWRO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cd83477947dc6c8cce2560198b053b40
SHA1 d597966948c35b037569cf2e2eae0f69af703cd4
SHA256 259395215459b45289dbc09b932bd3f54f1cd45bcc92fb88c6245e62cd7565ed
SHA512 7aeb299558ddf2488016dbecea7f23e5efed1821bc45e84f3a84c256fca5430069abb52233a332bbe4c265ab5d9147e029461194da115292e50b1822f9dd0254

\??\pipe\LOCAL\crashpad_4340_LQQPCGIGFFLFSXAE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7423fe47ea43336a0a4f1bb458b74cf8
SHA1 f8999434b74e25d2ac55835aef513101d7ed70de
SHA256 15cbd212cd7cf8be59a414c41dece3e5658f03cbb791d7f501ce9b6e3bb59ee3
SHA512 cd01e4c3acec81a861c9d53c02c51c31aa8e30e059bead8ee24ca0d7db7346dac2d5de26a91a3626864716c0aebe3af7bd0cfbfb03ed2d9ac1379a0d0c87cfab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e449b093a12230c284241a0f4b91e226
SHA1 189a382677a90750623d7924e2224b60c43feb5b
SHA256 2d6c21aa9c0611c20279ad171d8fc2b70f5b0efb5ab6fc41d274c41d30c5a596
SHA512 e1d23a98957e457e29d6f4b1aeb1fc40243d47e5d142ef24278430db3ce068e6f5fe40596cd8b4cd286d349f70245ccea4f127498cbe44d37840092a3a8fdf9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e449b093a12230c284241a0f4b91e226
SHA1 189a382677a90750623d7924e2224b60c43feb5b
SHA256 2d6c21aa9c0611c20279ad171d8fc2b70f5b0efb5ab6fc41d274c41d30c5a596
SHA512 e1d23a98957e457e29d6f4b1aeb1fc40243d47e5d142ef24278430db3ce068e6f5fe40596cd8b4cd286d349f70245ccea4f127498cbe44d37840092a3a8fdf9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 057909ad2b9957ff47e89d3b33fa7e49
SHA1 160be80035acdc6bb3e31156194f50493e18a854
SHA256 f9be8bc5bae0c5c073a6c8bc0db068d9c4a8da875389c2772036656349e8669b
SHA512 3f9c90e04baf1230e992d18e5db03ae51d70157feead0a6eb986eeb46a25ab78415270485c5011ae4bbcf06dc18bddc86816f3e59f43848b976fe522d8281dc0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 057909ad2b9957ff47e89d3b33fa7e49
SHA1 160be80035acdc6bb3e31156194f50493e18a854
SHA256 f9be8bc5bae0c5c073a6c8bc0db068d9c4a8da875389c2772036656349e8669b
SHA512 3f9c90e04baf1230e992d18e5db03ae51d70157feead0a6eb986eeb46a25ab78415270485c5011ae4bbcf06dc18bddc86816f3e59f43848b976fe522d8281dc0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 35f98e25d6fba745734b75b0936a16c6
SHA1 3ec0106fe479ccb62fc4b807c69f8fccaca0692b
SHA256 9e1fd48b6de87e67d30010e2abaf5f9d563080ee76f463db9f14efe93482b0e5
SHA512 d46d99530c58b559ec33b8aebc1498ce46c3331a857556b5758a0d81e345db1097d7ccea04ef0e8c341169678aa1de44744ffc92f6d15bb4af613611bdc349b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\defdb80f-64a5-4662-854b-e5772017af1a.tmp

MD5 1220cf52c0f14527ec2dcaf311c4cb50
SHA1 99c81b2ea7803b8a982fac43d0cf57399a3031f2
SHA256 b7d11d337613129f003bc20dd168c87dbb5c944ba3eac41f50ca2ae0677ac083
SHA512 40056bac72cb791519374ad30697b1df49a7d9fef6215142fb6c0394b0481b687caa76723b67cbb0955075cfc99b7862b99a152570bb3a4f18855297f8a7735d

memory/940-2734-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

MD5 9f61d7b1098e9a21920cf7abd68ca471
SHA1 c2a75ba9d5e426f34290ebda3e7b3874a4c26a50
SHA256 2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71
SHA512 3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8d88fa6ced1715ecdb01476aa85516b1
SHA1 cdaa1f43792bd883396dba145de8e1785fabac9f
SHA256 23d89091618e9b83a24f5199ffca01c460d52afc9fa29ec908b71f7b08e5539e
SHA512 872badbce4992e9cbc530705d14b15aa5f49e2d0650395eff4a2812759aecfa2903eb77ecddc2b0af26977baf730e8851e39b1f860cc8d56a9705ba4d691cd3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3e5d3be0efe74b8f3837b522f269fc6d
SHA1 bc71f6eca47df7a04aac7a79ad01e130427f2807
SHA256 ffc243ed4fab40fd20097f363d99c78ccdc196b3b8f8321338e700fb64fd0c25
SHA512 39ed920f8d9ab32f50ddcc89173b2fdc19deb7b699e03242ee9dcc5eb8369a80579b2c5d14cd8fca1f028255a169add48dde36fdb039c45ada2942ca97d5eb66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5e4a2730ab179640ce181babac5b3e17
SHA1 4ad7a34c15eda101640d3c9d76e9bc80bc5aedae
SHA256 6d5df00c9ed0d1acc5800973e425e98d94caf8bf0e4cabe7a77e1adbf89d5037
SHA512 b7118fa73db71fb65f16658a7b49174c06acdf6a3702822d70324d8c9468c5e91b0ec02ab6b2b2af3c4fc48c626a1d3fb7468231216010d86427ab2042ecd07e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 16c54981eed485c4d186049fe61c2840
SHA1 fd9bca442946ada311f940e3a5370ea12b3b0827
SHA256 9015cc873e23df34d8a522389e23e32777a684ca1ca3018e24d150f67a99ccb3
SHA512 8e1795a0c61e8f39edcf0401406e8337803dfd64618e61e83f8e1937f98654afe994d7cff0d1a11fb5ff39364c952f6f4dcb866cd225e80e21b458e834252c4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe5839f7.TMP

MD5 9cd21d2d30152ff48acd10681ec93154
SHA1 050ece465dd81565d70e95e0e44fbc3b5ffaf442
SHA256 db933a36eae4bc2b1e900921ab7717bd36aec11e047bebc30da69469b5762eef
SHA512 f37e9d8f855b3eed100b2782ab562490c65cf8448d23238bca782b93be1b32e98c7440b771a976d251d945e8018de9fbee3094ea1349650947f3be2566582f13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4f35a9eb9a083cf7ed16bd4072b36542
SHA1 04ced5da7edec1ef8d0d1422f5294990d86f5506
SHA256 a8b82ca61f1ac658eb9ff872968b7d8f9d3aed2aeebe759f5c1db4c817117759
SHA512 400ceb0f7fed48172373962b40701e315c05b1cffa97094ff335b6b447280932b64827339f11e93b5f6c5dffd34540cb6dfaedc5c77ff6d9332288fbec429029

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a259c01d-e8d3-4a71-a5a5-908d9c6423f1\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

MD5 2c2ae4021b98dc315ebc864764ea76ea
SHA1 0bf228f54d48808f25ee95344e70b334a8983c87
SHA256 3f1392e838d889e275a19c4b2d3b773a82b2225c7535ed044084b7252397561e
SHA512 178fba8243a83377e8034ea8e53e961028cdbcf4b1b091672be6f7f6356fd460e0404d650e5f8d3dbd3263a5aa40e16735a7f94d58f4194585ef91dbe1778c1d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 6252497fd89943ff3a6e9c227789beed
SHA1 dd231606fad1da5f3e9fc0956d554cdb47a597cd
SHA256 f8ed2bbc0c5d976d61e68d42dd9f134a17163a297133dfc61c36a55a2d5aa414
SHA512 388dcf43d0721fd614887afac21d9c60387dc85123108c2b40f7a347a19c66d7940f68f6612f77835d0e140a0670b44f7bc6f24febcbac72b2a7f7f8736caf69