Malware Analysis Report

2025-08-05 09:55

Sample ID 231207-ygys8afb44
Target f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
SHA256 f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542
Tags
dcrat djvu redline smokeloader zgrat 1206-55000 up3 backdoor discovery evasion infostealer ransomware rat themida trojan 55000
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542

Threat Level: Known bad

The file f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

ZGRat

SmokeLoader

RedLine payload

RedLine

Djvu Ransomware

Detect ZGRat V1

DcRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Deletes itself

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 19:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 19:46

Reported

2023-12-07 19:50

Platform

win7-20231130-en

Max time kernel

29s

Max time network

28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
(62 further rows with every column recorded as N/A)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

PID 2028 is the submitted sample and PID 2344 is a second instance of the same executable that 2028 writes into (the 0x400000-0x409000 region of 2344 is dumped in the Files section). PID 1372 has no image name recorded in this report, but it is the parent of both cmd.exe batch runs and of 7B6B.exe.
Description Indicator Process Target
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 2028 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 1372 wrote to memory of 2652 N/A N/A C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 2652 N/A N/A C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 2652 N/A N/A C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2652 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2652 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1372 wrote to memory of 2840 N/A N/A C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 2840 N/A N/A C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 2840 N/A N/A C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1372 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe
PID 1372 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe
PID 1372 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe
PID 1372 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe

"C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe"

C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe

"C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5F30.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6182.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7B6B.exe

C:\Users\Admin\AppData\Local\Temp\7B6B.exe

C:\Users\Admin\AppData\Local\Temp\A069.exe

C:\Users\Admin\AppData\Local\Temp\A069.exe

C:\Users\Admin\AppData\Local\Temp\A069.exe

C:\Users\Admin\AppData\Local\Temp\A069.exe

C:\Users\Admin\AppData\Local\Temp\A069.exe

"C:\Users\Admin\AppData\Local\Temp\A069.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A069.exe

"C:\Users\Admin\AppData\Local\Temp\A069.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\937b3ca8-ac03-439e-afd3-11c3d69515af" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AF59.exe

C:\Users\Admin\AppData\Local\Temp\AF59.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build2.exe

"C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build2.exe"

C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build2.exe

"C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build2.exe"

C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build3.exe

"C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build3.exe"

C:\Users\Admin\AppData\Local\Temp\A97F.exe

C:\Users\Admin\AppData\Local\Temp\A97F.exe

C:\Users\Admin\AppData\Local\Temp\A97F.exe

C:\Users\Admin\AppData\Local\Temp\A97F.exe

C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build3.exe

"C:\Users\Admin\AppData\Local\7188345c-4b6b-4c35-a381-be30039c016e\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 284

C:\Windows\system32\taskeng.exe

taskeng.exe {60C1EDC4-1FAB-4EA0-95B6-C7D9566B203F} S-1-5-21-2185821622-4133679102-1697169727-1000:QHCIVBOB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
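The schtasks, icacls and reg command lines above are this report's clearest persistence and self-protection evidence. As an added example, not part of the sandbox report and not code from any of the malware families named on this page, the Python below parses those command lines (copied from the Processes section as sample input) and explains why each one is worth flagging. The directory list, the run-interval threshold and the severity wording are the editor's own assumptions, not sandbox signatures.

```python
import re

# Sample input: the command lines copied verbatim from the Processes section
# of this report.  The sandbox dropped the image name from the last one, which
# is why it starts with "/C" instead of "schtasks".
SAMPLE_CMDLINES = [
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'icacls "C:\Users\Admin\AppData\Local\937b3ca8-ac03-439e-afd3-11c3d69515af" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
]

# Assumption: a persisted binary under one of these user-writable locations is
# treated as suspicious (legitimate installers put tasks under Program Files).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}  # icacls inheritance tokens
EVERYONE_SID = "*S-1-1-0"                      # well-known SID for Everyone


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(tokens):
    """Map /switch -> value, or True for bare switches; keys are lower-cased."""
    switches, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1]
                i += 1
            else:
                switches[key] = True
        i += 1
    return switches


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage_schtasks(sw):
    """Score a `schtasks /create` invocation from its parsed switches."""
    reasons = []
    target = str(sw.get("tr", ""))
    if in_user_writable_dir(target):
        reasons.append("task target is in a user-writable directory")
    if str(sw.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    sched = str(sw.get("sc", "")).upper()
    if sched == "MINUTE" and int(sw.get("mo", 1)) <= 5:   # threshold is an assumption
        reasons.append(f"re-runs every {sw.get('mo', 1)} minute(s)")
    if sched == "ONLOGON":
        reasons.append("runs at every logon")
    if sw.get("f") is True:
        reasons.append("silently overwrites an existing task of the same name")
    return {"tool": "schtasks", "name": sw.get("tn"), "target": target, "reasons": reasons}


def triage_icacls(tokens):
    """Decode `icacls <dir> /deny <sid>:(inherit flags)(rights)`."""
    path = tokens[1] if len(tokens) > 1 else ""
    ace = str(parse_switches(tokens).get("deny", ""))
    sid, _, spec = ace.partition(":")
    groups = re.findall(r"\(([^)]*)\)", spec)
    inherit = [g for g in groups if g in INHERIT_FLAGS]
    rights = [r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")]
    reasons = []
    if sid == EVERYONE_SID and {"DE", "DC"} & set(rights):
        reasons.append("Everyone is denied delete rights, so the folder resists removal until the ACE is removed")
    if in_user_writable_dir(path):
        reasons.append("ACL change applied to a directory inside the user profile")
    return {"tool": "icacls", "path": path, "sid": sid, "inherit": inherit, "rights": rights, "reasons": reasons}


def triage_reg(tokens):
    """Record a `reg add` marker value; on its own it is an IOC, not persistence."""
    sw = parse_switches(tokens)
    key = tokens[2] if len(tokens) > 2 and tokens[1].lower() == "add" else ""
    return {"tool": "reg", "key": key, "value": sw.get("v"), "data": sw.get("d"),
            "reasons": ["writes a marker value under HKCU (pivot on key name and value)"]}


def triage(cmdlines):
    """Return one finding per recognised command line, in input order."""
    findings = []
    for line in cmdlines:
        tokens = tokenize(line)
        if not tokens:
            continue
        lowered = [t.lower() for t in tokens]
        if lowered[0] == "schtasks" or "/create" in lowered:
            findings.append(triage_schtasks(parse_switches(tokens)))
        elif lowered[0] == "icacls":
            findings.append(triage_icacls(tokens))
        elif lowered[0] == "reg":
            findings.append(triage_reg(tokens))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding["tool"], "->", "; ".join(finding["reasons"]) or "nothing notable")
```

The icacls finding matters for cleanup: a deny ACE for Everyone on DE and DC survives the malware being killed, so the dropped folder refuses deletion until the ACE is removed, for example with `icacls "<dir>" /remove:d *S-1-1-0` from an elevated prompt. The two OfficeTrackerNMP131 tasks request /rl HIGHEST at logon and hourly; the Azure-Update-Task instead relies on a one-minute repeat, which matches taskeng.exe appearing immediately before mstsca.exe further down the process list.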

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp (13 connections)
US 8.8.8.8:53 edarululoom.com udp
US 188.114.96.2:443 edarululoom.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
RU 85.143.222.45:80 (none) tcp (2 connections)

Note: the pki.goog and www.microsoft.com traffic is consistent with the certificate-revocation fetches recorded under CryptnetUrlCache in the Files section and with a connectivity probe, not with command and control. The repeated plain-HTTP connections to host-host-file8.com (85.143.222.45) and the TLS connection to edarululoom.com (188.114.96.2) are the contacts to pivot on; host-file-host6.com was resolved but no connection to it is recorded.

Files

memory/2344-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2028-4-0x0000000000950000-0x0000000000A50000-memory.dmp

memory/2344-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2028-5-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2344-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1372-7-0x0000000002D50000-0x0000000002D66000-memory.dmp

memory/2344-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F30.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\6182.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\7B6B.exe

MD5 774e4ec1ccf153d58a0bc40515ea82ec
SHA1 ebc42a0cd84c9e581c8f2d8e03864d3c023af0d9
SHA256 f692ccb100723be2d83f7efb8bb3b0dc53724eeba31ab463648bb075d7c3cb4c
SHA512 1cb33eb770f8c4eec29ffe781ca53aff84fd3f1ce305c1b25ec8fbfac8f505487ba2bc8c4c455eeb933e81f06951df0c445b4acd2b6fef0d206db8ca07cd7aba

memory/2776-51-0x0000000000C90000-0x0000000001614000-memory.dmp

memory/2776-54-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-55-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-56-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-58-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-61-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-67-0x0000000075630000-0x0000000075677000-memory.dmp

memory/2776-71-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-72-0x0000000077400000-0x0000000077402000-memory.dmp

memory/2776-70-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-74-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2776-73-0x0000000000C90000-0x0000000001614000-memory.dmp

memory/2776-69-0x0000000075630000-0x0000000075677000-memory.dmp

memory/2776-68-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-66-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-75-0x0000000000C50000-0x0000000000C90000-memory.dmp

memory/2776-65-0x0000000075630000-0x0000000075677000-memory.dmp

memory/2776-64-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-63-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-53-0x0000000075350000-0x0000000075460000-memory.dmp

memory/2776-52-0x0000000075630000-0x0000000075677000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A069.exe

MD5 d50ac90291b25ee17e04d093ea560a6a
SHA1 3a1923d48dc7af9ef0e412142d5fd253827ab0a3
SHA256 29ff82a000c87e50bf6616190ab453083a052750b5bb816dc14e1382d067bc25
SHA512 f7422f8df932782383cdeb7c244bd99637a9f9cdaa959b2c44ce9c3758378606845f9c6fb17ba4a7796f5d69453c053b054d5574334c74803711f23af662dbf5

C:\Users\Admin\AppData\Local\Temp\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

\Users\Admin\AppData\Local\Temp\A069.exe

MD5 981bcaa914fac9d781ceb8eea86f9188
SHA1 b2a7c553dbf5c0e896f55c49c82190e17c54760f
SHA256 00ad5379605d565ce09d5a3e3fd1c6a293399d242db695a3037c1591fedaf8f0
SHA512 aa38b866891c6f32faa825047ebb32e0c93b48b79a2bc84b1a4cfc3a7725e6a4cc9b95fd3f346371a74842b4a3d90221f91f67c65f21c8fbc135d025a41329e9

memory/1088-86-0x00000000008F0000-0x0000000000981000-memory.dmp

memory/816-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/816-93-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A069.exe

MD5 981bcaa914fac9d781ceb8eea86f9188
SHA1 b2a7c553dbf5c0e896f55c49c82190e17c54760f
SHA256 00ad5379605d565ce09d5a3e3fd1c6a293399d242db695a3037c1591fedaf8f0
SHA512 aa38b866891c6f32faa825047ebb32e0c93b48b79a2bc84b1a4cfc3a7725e6a4cc9b95fd3f346371a74842b4a3d90221f91f67c65f21c8fbc135d025a41329e9

memory/816-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1088-88-0x00000000021F0000-0x000000000230B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1088-82-0x00000000008F0000-0x0000000000981000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e8552edd1a497ef503b2c3c6afb45804
SHA1 9e788da4a040d2e3cae6cbae80599cae27d08c40
SHA256 137abddac99c493f9bed2d67fde3b8d2ba05f1fc4054047e2156d9adbc664988
SHA512 6e2c30cd15056956da55bb3de7ec29705d4bd987c9c5dfd3e75b56229df999c385be630dad98523f9d4c6c8338fabce1a7ea0426da8db04ab64babcdd5d15ded

C:\Users\Admin\AppData\Local\937b3ca8-ac03-439e-afd3-11c3d69515af\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

\Users\Admin\AppData\Local\Temp\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

C:\Users\Admin\AppData\Local\Temp\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/816-118-0x0000000000400000-0x0000000000537000-memory.dmp

memory/692-120-0x0000000002090000-0x0000000002121000-memory.dmp

\Users\Admin\AppData\Local\Temp\A069.exe

MD5 981bcaa914fac9d781ceb8eea86f9188
SHA1 b2a7c553dbf5c0e896f55c49c82190e17c54760f
SHA256 00ad5379605d565ce09d5a3e3fd1c6a293399d242db695a3037c1591fedaf8f0
SHA512 aa38b866891c6f32faa825047ebb32e0c93b48b79a2bc84b1a4cfc3a7725e6a4cc9b95fd3f346371a74842b4a3d90221f91f67c65f21c8fbc135d025a41329e9

memory/692-124-0x0000000002090000-0x0000000002121000-memory.dmp

memory/2776-126-0x0000000075630000-0x0000000075677000-memory.dmp

memory/1648-131-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1648-134-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2776-133-0x0000000075350000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarA6BC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9193463173e89cb219a78b96655cbe8f
SHA1 9949c48bda854f4b879ebdc4320a71e296151665
SHA256 08b2c52e8ce7a49de13ec75dd66f25fe3653fca773b293fdd65a422d479e78e9
SHA512 12ee36444e3aa28fe5632ee89d71c56bff668e00c4520f5ba1ae31b399bfc4b06bf095e95478e0288f585f2be5e6421fa37d71cda5da726a678b74dc6ea1fd05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/1648-148-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1648-147-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 63d92320105d02a8a19e31a363107884
SHA1 db36b543b6a8281e7e7c578fcde3656a101705d5
SHA256 8416b41b8d15021da68057bbc5f951c7027a4a69714ad8a7a14bb7b907efcca3
SHA512 af493a1b02ded0df74b012526627b1036af237be5f5d481f485aabe344be8716dee26ece534b2e830347c9289fc8639e4398ab27e9cf79d0f32fe2ab900aef3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e748e1c227cf5f72a9c6c05f2c63be74
SHA1 094402b2d874840887bda06bf90f724883b08a83
SHA256 a8ce607b83ea90ef4222350361f42178e58a1ccc836a5b333c92521b49a0dc52
SHA512 a18f23094f5640c8a29cba2eccde8dff341b8ced1a1ca22cc03266aa657237bfed0fd2e9f2618ee61216d1ac0da8fe4f1e6ed47a09e272b6d3265d2823f3c58b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 cf6747fae37dffecb91c3c228618c2a0
SHA1 fa961611899e2717942fea8f9bc80db85cc10999
SHA256 834323f3218827b1e69bc393a03e3ea8949c91d44799a5b39704646893c0db14
SHA512 5f708f8b5c66a091eff6be5aeb983a85e310b47c95aa90af2c649cff316e1eb92b71c4996fa3b520f85ae0abe736a4981424cb48777bd86239d518379576de10

memory/2776-132-0x0000000075350000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2776-128-0x0000000075350000-0x0000000075460000-memory.dmp

\Users\Admin\AppData\Local\Temp\A069.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

C:\Users\Admin\AppData\Local\Temp\CabA39F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\A97F.exe

MD5 a307ced8b355e6d5435e30baf9622fd8
SHA1 67b553aa80f5f83174cbfebc24df949b65a2d2ec
SHA256 86d5d40834ea238e32eb9633d0335b1937970c35fe3e0bfb5f239eb8ac0cc15a
SHA512 eca402cef0a76bb518873d78d6f4747844acd7f99fa3316b7cba133f3ec62dd62ae95bf0562f5843baffae370384a5a3a5e55d73c2d20c5c0086730942a1f1eb

C:\Users\Admin\AppData\Local\Temp\A97F.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/2776-155-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2776-157-0x0000000000C50000-0x0000000000C90000-memory.dmp

memory/700-159-0x0000000000B50000-0x0000000000C2E000-memory.dmp

memory/700-160-0x000000001ADF0000-0x000000001AED0000-memory.dmp

memory/700-162-0x000000001B500000-0x000000001B5C8000-memory.dmp

memory/1648-170-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1648-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/700-168-0x0000000000620000-0x000000000066C000-memory.dmp

memory/1648-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1100-172-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/700-182-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

memory/1100-186-0x000000001AEA0000-0x000000001AF20000-memory.dmp

memory/1100-190-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-202-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-212-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-210-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-208-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-206-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-204-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-200-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-198-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-196-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-194-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-192-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-188-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-187-0x000000001B020000-0x000000001B100000-memory.dmp

memory/1100-185-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 051014b3dac32ca31acc52a176c7dfb2
SHA1 d1d0f4a82fa41a50eb691a57b5a19f1476014e6f
SHA256 7a0a76e92d29f909627048d8d8f6b2fb19a66438362b70e1c85e09f1b1a55950
SHA512 69ef7b2632bbcae152da9ade1574a200651bcd55a5ebdbdd764127672f02c16b152dacdbf11584479c5d8753fc252c94d42e5f72093c4cda20f7f994cdb8beba

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 19:46

Reported

2023-12-07 19:50

Platform

win10v2004-20231130-en

Max time kernel

25s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe"

Signatures

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\97DD.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\97DD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\97DD.exe N/A

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97DD.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\97DD.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97DD.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 4040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 4040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 4040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 4040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 4040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe
PID 3264 wrote to memory of 3256 N/A N/A C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 3256 N/A N/A C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3256 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3264 wrote to memory of 3908 N/A N/A C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 3908 N/A N/A C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3908 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3264 wrote to memory of 2044 N/A N/A C:\Users\Admin\AppData\Local\Temp\97DD.exe
PID 3264 wrote to memory of 2044 N/A N/A C:\Users\Admin\AppData\Local\Temp\97DD.exe
PID 3264 wrote to memory of 2044 N/A N/A C:\Users\Admin\AppData\Local\Temp\97DD.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe

"C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe"

C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe

"C:\Users\Admin\AppData\Local\Temp\f547ccd9ffde9ef4354831ec594ab0502aba1ca7433a02d592b1707b7249e542exe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BE4.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F8F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\97DD.exe

C:\Users\Admin\AppData\Local\Temp\97DD.exe

C:\Users\Admin\AppData\Local\Temp\BC00.exe

C:\Users\Admin\AppData\Local\Temp\BC00.exe

C:\Users\Admin\AppData\Local\Temp\BC00.exe

C:\Users\Admin\AppData\Local\Temp\BC00.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b779d437-d4e4-4b48-ab5e-910d5c4d019c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\BC00.exe

"C:\Users\Admin\AppData\Local\Temp\BC00.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\BC00.exe

"C:\Users\Admin\AppData\Local\Temp\BC00.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 876 -ip 876

C:\Users\Admin\AppData\Local\Temp\CAF6.exe

C:\Users\Admin\AppData\Local\Temp\CAF6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1760

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3464 -ip 3464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4520 -ip 4520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x124,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,2190185853252446412,15801556401638004274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,6585153329889349720,2074160551465273617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17670776083966134993,6455698701582431982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9144609934629082464,3093026708983998694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9144609934629082464,3093026708983998694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd1ae46f8,0x7fffd1ae4708,0x7fffd1ae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6300 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9703858407468805127,10734532372674626350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding
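
The listing above is long, but three patterns in it are what an analyst wants pulled out: msedge.exe launched with --single-argument pointing at sign-in pages (Epic Games, PayPal, YouTube, Google, Steam, Twitter), the .NET helper AppLaunch.exe started three times with no arguments at all, and a WerFault.exe -p 3464 entry recording a crash (the listing does not say which image that PID belongs to, so only the PID is recoverable). The following Python is an added example, not part of the sandbox report: it parses a constructed, abridged excerpt of the listing in the same image-path / command-line layout and applies those checks. The argument-less watch-list is an assumption for the example, not a list from the report.

```python
"""Scan the Processes listing of this report for launches that deserve a
second look. Added example, not part of the sandbox report."""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the page's listing (image path, blank line, command line),
# with the long Edge renderer command line abridged.
PROCESS_EXCERPT = r"""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --renderer-client-id=12 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
"""

URL_LAUNCH_RE = re.compile(r"--single-argument (\S+)")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*\s-p (\d+)", re.IGNORECASE)
# Assumed watch-list (example only): helpers that do nothing useful when started with no arguments.
ARGLESS_WATCHLIST = ("applaunch.exe",)
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_processes(text):
    """Pair every non-blank line with the next one: (image path, command line)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate image path and command line")
    return [{"image": lines[i], "cmdline": lines[i + 1]} for i in range(0, len(lines), 2)]


def url_launches(procs):
    """URLs handed to the browser via --single-argument (the shell-open form)."""
    urls = []
    for p in procs:
        m = URL_LAUNCH_RE.search(p["cmdline"])
        if m:
            urls.append(m.group(1))
    return urls


def hosts_opened(procs):
    """Distinct hostnames the browser was told to open, sorted."""
    return sorted({urlsplit(u).hostname for u in url_launches(procs)})


def argless_watchlist_hits(procs):
    """Watch-listed images whose command line is just the (quoted) image path."""
    hits = []
    for p in procs:
        name = p["image"].rsplit("\\", 1)[-1].lower()
        if name in ARGLESS_WATCHLIST and p["cmdline"].strip('"').lower() == p["image"].lower():
            hits.append(p["image"])
    return hits


def temp_executions(procs):
    """Images executed from the user's Temp directory (dropped payloads)."""
    return [p["image"] for p in procs if TEMP_MARKER in p["image"].lower()]


def crashed_pids(procs):
    """PIDs named in WerFault.exe -p invocations; the listing does not map them to images."""
    pids = []
    for p in procs:
        m = WERFAULT_RE.search(p["cmdline"])
        if m:
            pids.append(int(m.group(1)))
    return pids


if __name__ == "__main__":
    procs = parse_processes(PROCESS_EXCERPT)
    print("hosts opened:", hosts_opened(procs))
    print("argument-less watch-list hits:", argless_watchlist_hits(procs))
    print("run from Temp:", temp_executions(procs))
    print("crashed PIDs:", crashed_pids(procs))
```

Run against the full listing, the same functions return the six sign-in hosts, the three AppLaunch.exe launches, the IXP00x.TMP droppers and PID 3464; a nested IXP000.TMP / IXP001.TMP / IXP002.TMP / IXP003.TMP path is the footprint of a chain of self-extracting droppers, which is why Temp executions are collected separately.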

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 45.222.143.85.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 104.21.42.224:443 edarululoom.com tcp
RU 85.143.222.45:80 tcp
US 8.8.8.8:53 udp
RU 85.143.222.45:80 tcp
RU 85.143.222.45:80 tcp
RU 85.143.222.45:80 tcp
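
Reading this table as an indicator list needs two corrections. The *.in-addr.arpa rows are the analysis VM's reverse lookups of addresses it had already contacted (45.222.143.85.in-addr.arpa is simply 85.143.222.45 reversed), so they carry no information of their own, and the bing.com / bing.net rows are the VM's own background traffic. What remains is the repeated plain-HTTP contact with host-host-file8.com at 85.143.222.45:80, the lookup of host-file-host6.com, and edarululoom.com at 104.21.42.224:443. The Python below is an added example, not part of the report: it parses a constructed excerpt of the table in the same column order and applies exactly that triage. The benign-suffix list is an assumption for the example.

```python
"""Triage of the Network table in this report: separates the sandbox's own
reverse-DNS and background traffic from destinations worth recording as
indicators. Added example, not part of the sandbox report."""
import ipaddress
import re
from collections import Counter

# Constructed excerpt of the page's Network table, same column order
# (country, destination ip:port, resolved name if any, protocol).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 45.222.143.85.in-addr.arpa udp
US 8.8.8.8:53 edarululoom.com udp
US 104.21.42.224:443 edarululoom.com tcp
RU 85.143.222.45:80 tcp
"""

RESOLVER = "8.8.8.8:53"
# Assumed allow-list (example only): names the analysis VM contacts on its own.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dest>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """One dict per well-formed row; rows without a name keep domain=None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_target(name):
    """IPv4 address that a <d.c.b.a>.in-addr.arpa query reverses to, else None."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split rows into (iocs, noise, hits).

    iocs:  {("domain", name) or ("ip", "ip:port"): reason it was kept}
    noise: [(name, reason it was discounted)]
    hits:  Counter of non-resolver connections per ip:port (beaconing shows up here)
    """
    contacted = {r["dest"].rsplit(":", 1)[0] for r in rows if r["dest"] != RESOLVER}
    iocs, noise, hits = {}, [], Counter()
    for r in rows:
        name, dest, proto = r["domain"], r["dest"], r["proto"]
        target = ptr_target(name)
        if target is not None:
            why = "reverse lookup of contacted " + target if target in contacted else "reverse lookup"
            noise.append((name, why))
            continue
        if name and name.endswith(BENIGN_SUFFIXES):
            noise.append((name, "analysis VM background traffic"))
            continue
        if dest == RESOLVER:
            if name:
                iocs.setdefault(("domain", name), "queried via " + RESOLVER)
            continue
        hits[dest] += 1
        iocs.setdefault(("ip", dest), "%s connection, name %s" % (proto, name or "not recorded"))
        if name:
            iocs.setdefault(("domain", name), "resolved to " + dest.rsplit(":", 1)[0])
    return iocs, noise, hits


if __name__ == "__main__":
    iocs, noise, hits = triage(parse_rows(NETWORK_ROWS))
    for key, reason in iocs.items():
        print("IOC", key, "-", reason, "- connections:", hits.get(key[1], 0))
    for name, why in noise:
        print("noise", name, "-", why)
```

The rows at the end of the table that have a destination but no name are kept as ip:port indicators and counted in hits; they are not dropped, because a connection with no recorded name is still a connection.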

Files

memory/4040-2-0x00000000009C0000-0x00000000009C9000-memory.dmp

memory/2516-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2516-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4040-1-0x00000000009E0000-0x0000000000AE0000-memory.dmp

memory/3264-5-0x0000000002660000-0x0000000002676000-memory.dmp

memory/2516-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8BE4.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\8F8F.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\97DD.exe

MD5 c980cb323d407a7a060dcd9db7b31d83
SHA1 a9f5926f4fe237b353e7246d34c3371d2ab3de32
SHA256 cce2230ab8198c2f19fcc48d49f460de86b3ce6fba48c18c4f42b7baa696155a
SHA512 a9d40b953d36633c5582467461535a1c44b3a12929b0ad4cd9276612849b3b691281dd4c3574b39446051d4ff155942c453d89ed4251cba3e69cc940b235b8d3

C:\Users\Admin\AppData\Local\Temp\97DD.exe

MD5 28a03ffb7f5385f94383714cd3d1145a
SHA1 c202572f66f87befd9c217a830c77e6b76ad310e
SHA256 2b98c4ac9875305d97d722cf881f8c44dd4d701edd6008067e012f046d1e1c23
SHA512 9dc7853976c68a054f9e424d8e16e1fd4e77c7b5711085bdfeef2151f57906dae1bf192d91ca579a9b3c241a0b862ab38c264dd1d94dd4a4358bd85a603552a2

memory/2044-27-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-30-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-29-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-28-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-26-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-31-0x0000000077264000-0x0000000077266000-memory.dmp

memory/2044-25-0x00000000002E0000-0x0000000000DAA000-memory.dmp

memory/2044-34-0x00000000002E0000-0x0000000000DAA000-memory.dmp

memory/2044-35-0x00000000082D0000-0x0000000008874000-memory.dmp

memory/2044-36-0x00000000058F0000-0x0000000005982000-memory.dmp

memory/2044-37-0x0000000002E60000-0x0000000002E6A000-memory.dmp

memory/2044-38-0x0000000008EA0000-0x00000000094B8000-memory.dmp

memory/2044-41-0x0000000007EA0000-0x0000000007EDC000-memory.dmp

memory/2044-42-0x0000000007EE0000-0x0000000007F2C000-memory.dmp

memory/2044-40-0x0000000007E30000-0x0000000007E42000-memory.dmp

memory/2044-39-0x0000000007FB0000-0x00000000080BA000-memory.dmp

memory/2044-43-0x0000000008190000-0x00000000081F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC00.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2548-50-0x0000000000B90000-0x0000000000C2C000-memory.dmp

memory/2004-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-53-0x0000000002700000-0x000000000281B000-memory.dmp

memory/2004-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC00.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2044-56-0x00000000096B0000-0x0000000009872000-memory.dmp

memory/2044-57-0x0000000009DB0000-0x000000000A2DC000-memory.dmp

C:\Users\Admin\AppData\Local\b779d437-d4e4-4b48-ab5e-910d5c4d019c\BC00.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2004-67-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC00.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2044-74-0x00000000002E0000-0x0000000000DAA000-memory.dmp

memory/2044-78-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-81-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-79-0x0000000076140000-0x0000000076230000-memory.dmp

memory/876-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1112-76-0x0000000002520000-0x00000000025B6000-memory.dmp

memory/876-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/876-73-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC00.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

MD5 f883db48c116df77877ccccbd5ba5702
SHA1 90eea3df445bb1128f36b797d928e2128a1bf0ea
SHA256 5c29bffcbdde5f9ed55021d54c1b50c0916b361f39a3ab31b5543d77aa8d4bac
SHA512 d0e9fb2c166ab38d126d729180729dc310377f7afd324cf890dd1b71068ec6096e6cecad9c2a4a6009316deec07e03044b160c620d94bda0ee4a4fb408a89438

memory/1644-88-0x0000025A97C90000-0x0000025A97D78000-memory.dmp

memory/1644-92-0x0000025A99B80000-0x0000025A99C60000-memory.dmp

memory/1644-96-0x0000025AB2440000-0x0000025AB2508000-memory.dmp

memory/1644-97-0x0000025AB2510000-0x0000025AB255C000-memory.dmp

memory/1644-95-0x0000025AB2330000-0x0000025AB23F8000-memory.dmp

memory/1644-94-0x0000025A99B70000-0x0000025A99B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\C4FA.exe.log

MD5 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1 de83788e2f18629555c42a3e6fada12f70457141
SHA256 d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

memory/2152-104-0x00007FFFD0A90000-0x00007FFFD1551000-memory.dmp

memory/2152-105-0x000002C46C290000-0x000002C46C2A0000-memory.dmp

memory/2152-113-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-125-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-135-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-143-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-149-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-147-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-145-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-141-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-139-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-137-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-133-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-131-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-129-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-127-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-123-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-121-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-119-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-117-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-115-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-111-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-109-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAF6.exe

MD5 e7490f38464a6539285cf10c2b90b52d
SHA1 d90c2d7d562b6da2587dc196236d73293e14e3c4
SHA256 5f0c8f1cb9bd10feb955d25b1a87edd3478734d0cbf6b9838f5ba4b7642e5c6e
SHA512 2ba5d7cfd4d54ea719a64ef6820ff1365e15b17044773a4070d44e68a35ded2a01693350c6040ea03512b0128599e3f8a14ebcfd3d15c1a7982d85b0bffbed8a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5017dfc088c425e45ca1f9f648884ac2
SHA1 86c24e80c5dace5dbe38d9de159d663cc9ed93b8
SHA256 fa708740d938d1ef4cb82f64ed4aeea5d102632ef7867151de81f4d369e69d3b
SHA512 abcbf24adf3a2712d0d75482e5d089ed0e3b8273e5d25ba0b5b879abf10fff386e51173f8273667617423542faa5448acdde2f921058b16dc07d5c2b511e56a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 eed346e0a59938f723872e2004f21b7c
SHA1 c2ebfc95339193ea10f97239baccf327ec904aa3
SHA256 17eaa06573348197a1e1fb606f18c112ce78c3a0c2b3714f689dc1f3c2d553ed
SHA512 3514711e4c04a9625e2565318ba57b0ae8c81fd46f1600c388a69abd2e75a0fcf4bc1304305ef10df6823acb77b80cab3c9594fbe5540e1f9bcf8c49944c9c44

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 ea0a12d297811d4a3f58e9eea50e263a
SHA1 b67de1de506cb49aad907419b973a96cb45f75bc
SHA256 2772ffa9404912bca8e3751fea47d584ea0246103583a125de85744d91e5f4c1
SHA512 38edfe92389b595228647afbb9e1e955f3a24389fed7892653129e239e85d77405ea9402e4eb3bd9966ec90fbf2c5728c2e5a1f5b20ff950f1fb420eeac696e7

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 a10f3f52f43f54be92b2fb59dd10c963
SHA1 93297f3da4e90cc737afdc48eeb22fea94e63dfe
SHA256 836fe2f87c2772aaade3420f6479212bba47530ccf1b3a87f9d164994c27ebd5
SHA512 3140a917fed24e80b20384fe67868a9ad25132dce960a40e96505c2fd56fe2bc1800c97f9c58719bca6897269534caee57c232fce2a150a751e2e31825935ebf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 a10f3f52f43f54be92b2fb59dd10c963
SHA1 93297f3da4e90cc737afdc48eeb22fea94e63dfe
SHA256 836fe2f87c2772aaade3420f6479212bba47530ccf1b3a87f9d164994c27ebd5
SHA512 3140a917fed24e80b20384fe67868a9ad25132dce960a40e96505c2fd56fe2bc1800c97f9c58719bca6897269534caee57c232fce2a150a751e2e31825935ebf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 01882752584dde6e4e3148a840989923
SHA1 afe6272e795d9f1aa7feb0294299583abe3f7e76
SHA256 85896935d5ee24d6494bbdaf4ab0b0449c929c634ed4c6d76cf30d391cc64b8b
SHA512 c89967826baa1d5b66e54d5122195ad6b1a6f5df40b7e5da0eeb71f48264d8a20d3aab160d4c7ac3abdf47a7d0cb373de26088c5ad0f7c1a77d20a41cfc510ea

C:\Users\Admin\AppData\Local\Temp\CAF6.exe

MD5 e7490f38464a6539285cf10c2b90b52d
SHA1 d90c2d7d562b6da2587dc196236d73293e14e3c4
SHA256 5f0c8f1cb9bd10feb955d25b1a87edd3478734d0cbf6b9838f5ba4b7642e5c6e
SHA512 2ba5d7cfd4d54ea719a64ef6820ff1365e15b17044773a4070d44e68a35ded2a01693350c6040ea03512b0128599e3f8a14ebcfd3d15c1a7982d85b0bffbed8a

memory/2152-107-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/2152-106-0x000002C46C2A0000-0x000002C46C380000-memory.dmp

memory/1644-103-0x00007FFFD0A90000-0x00007FFFD1551000-memory.dmp

memory/2152-102-0x000002C46C2A0000-0x000002C46C384000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

MD5 1eb9288ab8b3a98993c6272062070f9d
SHA1 34f6148837b0013f59eec6a43cdcaa230e537fb7
SHA256 a397614150dcef35f1589b48928f6f874fbff1dca6046c1496d2e1f832ed0451
SHA512 c7ec45a9bc29dbcbe0f456a4d728b05d0f262261ee9b6291c168af09673a4aa90a1a8e4f23d9ef01ae4b5c0eb9cd9d185d5b038bdefc2526d76d63f0f1f2c817

memory/2152-98-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/2044-93-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-91-0x0000000076140000-0x0000000076230000-memory.dmp

memory/1644-90-0x00007FFFD0A90000-0x00007FFFD1551000-memory.dmp

memory/1644-89-0x0000025A99A90000-0x0000025A99B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C4FA.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

C:\Users\Admin\AppData\Local\Temp\grandUIA7BzkRt62rvg2L\information.txt

MD5 b20362ae64abd72ac5741e8b05e35238
SHA1 f435f9cfeb3903e992538ac47a192a1a32815897
SHA256 817084d75a003905ec970b880183dabf038d1616e3114477cad85dbad6b21c11
SHA512 751339ed372dc4b9f0ecd92debff135d2af78f76b4bb0cc0d70474ca467ea0501cdb5bdcb4de53131fcdd61ab0cbf9b90561f0ba3362401162af482a2fb42133

memory/2044-2097-0x00000000067D0000-0x0000000006820000-memory.dmp

memory/2152-2414-0x000002C46C480000-0x000002C46C4D6000-memory.dmp

memory/2152-2413-0x000002C46A1E0000-0x000002C46A1E8000-memory.dmp

memory/4940-2419-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

memory/2152-2420-0x000002C46C7E0000-0x000002C46C834000-memory.dmp

memory/2152-2422-0x00007FFFD0A90000-0x00007FFFD1551000-memory.dmp

memory/2044-2425-0x0000000076140000-0x0000000076230000-memory.dmp

memory/2044-2426-0x00000000002E0000-0x0000000000DAA000-memory.dmp

memory/1112-2427-0x0000000002520000-0x00000000025B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

MD5 d4cd48587bea388f95df7c191bb2eb2a
SHA1 79edc17153b5b550b444001790493049a336de51
SHA256 4b60ad942bc0c3b8f90badc36aabfff9e576432fc28e4744678cb2751df9fca3
SHA512 45652c8586637d912258341516c69e06af1fb78d0b1f6cc2db4f07c921a63a3720fba5c22e8d495e2b4cd648722386b0c657078111b65f2d3b8731c24f4883bd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

MD5 dc8c3725ec78f8403448a69a8ffdf177
SHA1 0806ca25f0b0b91319a7c5b6007606394ed4a9cf
SHA256 3cfc0bbedb81e2233f887aa68de6656965741cbe24d7c3f1b5e3b82a7c8f05ab
SHA512 32e4fa39fb14ca6ab12ea9fac21ecd7037492efcf72a68333ec7d4b89d17de4251dff4851624ed24c2c43b9b30f69b1ffbd74d7db56c2b22c89a04539d67fc7f

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 5dcc59f3381b9e290ece2fc293251419
SHA1 a4f7014bbf7f16151f0657b83364e057148cb608
SHA256 5f56efd1bb9f339f65d6d05848294c576086f35e550ea39597213907e610bf1c
SHA512 91f8a8276f6b2f80b6c76380d2d873daa1d77cd2e321290f4907c15ab8708923d71119c9d2aef6b5fd2266bbaea27273de12ce8f1455b33c1830dbe59eba7a73

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 6f9b84ca4c6c7cc98fbb98c39a397ca5
SHA1 4173e7a74850d1ee271456cb07e9ee0d7ec76ac7
SHA256 06c1f4499e787d4e5c373342896112fdee9a4ce10aea7a921e660b64ee20808d
SHA512 225c7943bf53fa5f0ddd33821830d05fa0ee8afa1bd4be1eac9f7ad0a0d98be26f05e7cdf3053749a6e8498a6903af8aeb4f9818c476f8eb760afbf88b11b8da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 15c5ec4da784918d95118dcb7df07741
SHA1 01e51e619b68a8b7ef49fa6a8f6ff851e658655e
SHA256 ded94494bcafb1a0ae173d9effb154b72aef6ae8aa80ff46ae61c363afab1d61
SHA512 d1ebb8080d5f1024c4dcfd77948d8928dcc827a15f78b91ce1c7e1b58c34321ee84b3bc31a6ec4abf212471a8f129468c469d08cc806d6ee6777edb2d836dc71

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

MD5 8a11debf8b9c533fb1197661eb7df2a2
SHA1 68c4e1d4c379bc78892daab39fedb4b130eb183c
SHA256 d4621edd9d153d9029b6c24b83c7e5cb9420de80d48e7bb8633cc0a6a3fb6ae1
SHA512 df76bdfa7083b045c1895773d555c1bc509cb15345f942bdedd5795f010c09a4dd1c9462c1c73b17821600a3df2fac101933f20b56e195bcd6922f7d7a25a7b8

memory/3420-2458-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

MD5 458e0a8c94f93b8385e3ad11969623a2
SHA1 e5ef27cdea41cd4450b029cf7bd03773547d9d5e
SHA256 444d0fe2bbc706eacc9f45f56176da9485d02813b110a977c270428dcfadd777
SHA512 46ac934fa394b7d88c0171395941a828721438b5b71d69a47f519fa21edc3afe6951854872050edc11cfcc2cbd7e3bb4ca5a44ff539c35d7f10e8acdc4857963

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

MD5 3f6e6347b60abcb8719b690ccaa68f02
SHA1 a9934df6294f58936a78030154c285255186781b
SHA256 3e754f8ec6c337ca5c2d5c0f1c91fdc7219bc170f773c32507a966e59d14e924
SHA512 5ec62c2ee73d952be7448cba7de6324cac3d26cb22efcf3f4a7e042586722e4b3e3d496e9f6b212900475174566ef57958d81d35de475128e965a4261026394f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6f510336186066693c0e50dbdca8058c
SHA1 fec19f94c6a3b48fa5bd44a4ca5679a51677edc0
SHA256 e7a12a690182a12ff80f125e75a4367e9d2b95423e757336162eb58776426529
SHA512 e404a926f72c4c81c0e7ab566efc39b02c8bd0c1c5315dc092d4243b95474ddd0cf49e38ac16a1ba94e8be2a01d95a1da7643eebf40c12fe61fa47a1ec1d0886

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f5a4c6badd2d2e8a3304abb9a11472de
SHA1 e828b3d3ebdb7c9a0614a8ac841ab37ab02f43ff
SHA256 91565214f61d724e6cf0fc73439df2305bbed1fb0845c2df4e0bac7c6a9ab5e4
SHA512 5f1993419ead73faee9ab644bb8fe3c395e185d4c61e8e7fc89c675aa5a99debdad11415c1f0797f0af53598ab56d75dd934f395fdfdfe8a0646c67a20d99d46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7ec1a35a33377e2af25a51e7e9b979b3
SHA1 7fb6dfba270ee6bb44640acfee7d39fcedfc1d40
SHA256 a1ec9d904e6fa321d6d3a64763ac04fc26f9bcd4b26c8c98bbe0bd29ca3fdb81
SHA512 205d0d4484b733f4f3572c1c6e6f5364ec862f1c6bf2f339f1327ae1465ba9aeda793f16d499c4bcbcbcc677ad849a2f743bb216371f956a387ee7f35056b341

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 90f087e917e2e5a7505394dbad36403c
SHA1 391b53369aaa6af67371b8afb839f6c6b02d90b1
SHA256 3eb6a73bb62916b5b79bbb51361fcbdfb34313b0ac074a8466ef99e9af463fd3
SHA512 f7c2411d5318aad5f970eb28193aba4c4e0048c906a3af2c8d09bbbe1da7118c8ff8218f84892aed3d3a36cf4ef366eecda9f64bb23a5eca88425514400a5f88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e37d1ce1f50cc6b57d3afd3c98c67422
SHA1 04d7b1c586b9feb7ce42feb4b2b1413e20905e66
SHA256 8d3e883c8e16aa06c2e8381986ca466ea0cd7784c3ac4fc5f70d0a0442408d00
SHA512 c81e03b2d9b0076f3aa87d30ab04be4665d6bc5be020740b3004e39e146bb230e4d4ce113b78d48bba8e8c8e1f1113fe6bba28ef4b5a861cd6acd24dbbeb20ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9d7a4f803c499ead2f7bae8e2b25de42
SHA1 b1f7c1501d1c9c6d6033d0ef1d23837ff6401c4b
SHA256 f615e892c75cc5da43cbcd9c64506b279dc693b18a2cb67057197d2b0c2a7772
SHA512 a6e330e3b6ecb3b8a9ac6832b74ca0a658cf7610855639cc750bcabf4e9aee958dda78e4eaeafa0b95f62da35356498f82242261f350e0d5132e1fb5bd87cff3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a06eca9a6e6c60c250846c1f406536d7
SHA1 8591c13fd8736c10df09e2d56347821d730d8822
SHA256 4c6bdd1875b8db7f18c8a7cbbb0284301360d9bc19f76967bb2427448612f221
SHA512 feec7252e7e4065513b81c02b03d5f3ca7c4170e518dca58c04c74189b365c981ddf53273ea70d0f024c6bc0567a27ea7c37aec6948f426fd8fc14bf3b075cd3

\??\pipe\LOCAL\crashpad_4444_ISACUVWDGIIASRCY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_208_BQJATHKOIMXTZUCL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

MD5 969736a2859b5befb253396072685821
SHA1 242be256fd168c5014ebde23823b686c78869460
SHA256 de598e8c2c4fcbcc66fbab7c9852fcbd37cfe3ba3736b9fb39eaf7075d73cf78
SHA512 54f5674accdb4c603348e719739736978adf280ecdaaa1b1f4af218b245d1d7922216fe8b5817143a5cf8cdc0664abcc7d2d423fcd7053d24ad8ebae4c9499db

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 5b42690e798baa737654051d1d474a7e
SHA1 924aa835b6ccd0686d5df90bc7f880ee042757d7
SHA256 d39c5e2de8014c938ff8e0245b0fc795b2a3ab6366d86dd6c5a44051bea6c011
SHA512 1d96f9d5cd264f90a1558f7e39016f713871b5ec0d8285e847ea1f64203a4043f6a41dac5d733e47467b03a3aafa036c54e9fe5af4f2ae5fccc416fdf383ae95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 fdfd6a519864d38d5ddc8a2de28a059a
SHA1 11e09d1b7e7911b793dcbd7b83b8221df772df19
SHA256 8e6ca2b1f1006363a9a275d08184dcccef1b35b10bcae1c923fd2b4b09376d2a
SHA512 8ac2121176a1b10f19048e1cdbaa1bf7c8735df1db587f3e1776ba18eb137e039abc2c24ee3a9a08d57af14ee0d71db0a92b82279562f0e3bba65b0c9980f934

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

MD5 ec3584f3db838942ec3669db02dc908e
SHA1 8dceb96874d5c6425ebb81bfee587244c89416da
SHA256 77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA512 35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

memory/4940-2429-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3420-2831-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

MD5 9f61d7b1098e9a21920cf7abd68ca471
SHA1 c2a75ba9d5e426f34290ebda3e7b3874a4c26a50
SHA256 2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71
SHA512 3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 3d40f55e33d779af477691972beee3dd
SHA1 c0656553968f0d53f9d07ab63d06cfc94188e2cc
SHA256 84dfd25a4cb8c46bf6216df4a3540361bc606e65cf102982a878e0c333c46092
SHA512 3d54f7b2eef4d2a8b9b04b6068d8e8cd2a3798a6f2c6ebfc3680d3918d78c091b0963cbee7880158a58386dad3146ba19c6d9d4741938abf5f7c485e203eeef6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe581846.TMP

MD5 012c1beb10f7d8fbac0e8c006bfef351
SHA1 c62e5f99631a6bcb61a9944c18d4df0a3d09d7cf
SHA256 2d3a6d95b9e218d8a1505ea48dd49b595619ac58bbf5c3ac6ba927568327b7f0
SHA512 8923f5edb1d5085e748b1f0d753b83493af9018086c5ba6d11a907b71d5ea03c1cba15e688bc533562936726335a24f2e6e60fb947ed6445155660620ebdcd66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 57173a41266234a567c818d608361e9f
SHA1 cfd6d69223e2bccf4db6041f42424238aa623f41
SHA256 d9301819e91dab2679d2122f68b786b810449d616b4a89e62397961f12b102af
SHA512 163a1f433f8b856ca885b4a5d3a5a50a2db4fc503cf428ac90911a72a6c1ed5c788ec4b650906af68f8ffbdcbf92dd666f48037a6faa475ad42c33cbd2df8efc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 59719c1bb4d0d09edac992449baf06eb
SHA1 2fffe3d0c9233c5815d37087445575151b5aa050
SHA256 4f4b8470aaea5ea9f0ecf2f39d5400b652b0e45d56e47027c0551802e8c52317
SHA512 eba87f1c3b496ddafae52f85657d25fc780feab3a35abd6006f681ba4e8faaaf3a370ae8e474e6c797285b37b75c5350fdeefd60c9a04e8b17742ca0fcd0e0f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 50c7b70691b39a8670725a664aa75165
SHA1 0ddb2c21587d92b8baae279dabb66e5a71b918bb
SHA256 05ef8ad9e4ec2fa5cf7a89776e82ca9e05d0733d50a67a38f006f6ade7b8d542
SHA512 b221fd154fd263ae1a53491f599692997d6d4434b90567b33d827a8296334433619b69b2b71c42449bafecf04844793fe463bc7a8a841dcae288950a65c7b3e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\85b17272-569c-45ba-ae6f-40b9256ac660\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c3952dc565e0d9f5a28d5082e68d8f3c
SHA1 3324a62066c866458755254926bf5e66bbfef7f3
SHA256 24ccc283e32a0522b9470ef3e13df00627abfd15395caa89576de29d876db98e
SHA512 cea291c134fcc70f995ebd77e0fb8e891e6d10d90647d5f05d11bec0d0c22f84f998e2cc1072bde43981bfd94d7601218b4a8cbcaacdc3305242b750d4d5fd19

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3ca81bee905a8369c1eb80988e9ea7a4
SHA1 4c874c0b088790c121beaf13dbac00a914df0ab8
SHA256 616f08b92b300e784a082914d3863b35fe7a30eacb16d63626327e41b50f5179
SHA512 55e494bffde5e20ae1e8d2a580c9ba7cf55f5fb1da8f63df351d666a642088a04b1095729ce6130fc1572e194312b3ba55c031af4552c47562d3b8400e844f66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 79ee199d139b247c1cbb9f6c4e7c70a3
SHA1 006dc05421727f7f7bb54fafeb2aa1ecfc118d07
SHA256 105fca020c6e738b89e1df16c225a1dee15a35e8a2f51880f8ed70862fb8633e
SHA512 fc24fd31b596306e42b8a89452c3449ae14a3b71427fb5a8c47664bdba5b5a161083d9da41c1e18f67b254ebef519702b5717feaaccd3ea95cfa1af80fc3a522

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
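The listing above is printed one entry per file event, so the same path recurs, sometimes with identical digests and sometimes with new ones, and the Crashpad named pipes carry the digests of zero-length input. The Python below is an added example, not part of the sandbox report: it parses a constructed excerpt (a few entries copied from the listing, SHA1 and SHA512 lines left out for width, settings.dat repeated the way the report prints it) into a deduplicated SHA256 set and flags the patterns an analyst checks: paths written more than once with different content, empty-content entries, and anything dropped into the Startup folder. The regular expressions, function names and the excerpt are the example's own choices.

```python
import hashlib
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-length input: an entry carrying these was written empty.
EMPTY_DIGESTS = {a: hashlib.new(a.lower(), b"").hexdigest() for a in DIGEST_LEN}
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed excerpt: entries copied from the report (SHA1/SHA512 lines left
# out for width), with settings.dat repeated three times the way the sandbox
# prints one entry per write event.
SETTINGS_DAT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f5a4c6badd2d2e8a3304abb9a11472de
SHA256 91565214f61d724e6cf0fc73439df2305bbed1fb0845c2df4e0bac7c6a9ab5e4
"""
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 eed346e0a59938f723872e2004f21b7c
SHA256 17eaa06573348197a1e1fb606f18c112ce78c3a0c2b3714f689dc1f3c2d553ed

memory/2152-98-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 01882752584dde6e4e3148a840989923
SHA256 85896935d5ee24d6494bbdaf4ab0b0449c929c634ed4c6d76cf30d391cc64b8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 15c5ec4da784918d95118dcb7df07741
SHA256 ded94494bcafb1a0ae173d9effb154b72aef6ae8aa80ff46ae61c363afab1d61

\??\pipe\LOCAL\crashpad_4444_ISACUVWDGIIASRCY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
""" + SETTINGS_DAT * 3


def parse_listing(text):
    """Return [(name, {algo: hex})] in listing order. Any non-blank line that
    is not 'ALGO hex' opens a new entry (file path, named pipe or memory dump
    name); hash lines attach to the latest entry and must have the right
    length, so a truncated line never becomes an IOC."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            entries.append((line, {}))
            continue
        if not entries:
            raise ValueError("hash line before any path: " + line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError("bad %s length on %s" % (algo, entries[-1][0]))
        entries[-1][1][algo] = digest
    return entries


def summarize(entries):
    """Drop verbatim repeats, then report the hash set and the oddities."""
    seen, unique, dropped = set(), [], 0
    for name, digests in entries:
        key = (name, tuple(sorted(digests.items())))
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        unique.append((name, digests))
    by_path = defaultdict(list)
    for name, d in unique:
        if "SHA256" in d:
            by_path[name].append(d["SHA256"])
    return {
        "sha256": sorted({d["SHA256"] for _, d in unique if "SHA256" in d}),
        "duplicates_dropped": dropped,
        # Same path, different content: overwritten during the run, e.g. a
        # stager replaced by the next stage it unpacked.
        "rewritten": {p: s for p, s in by_path.items() if len(s) > 1},
        "empty": [p for p, d in unique
                  if d and all(d[a] == EMPTY_DIGESTS[a] for a in d)],
        "startup": [p for p, _ in unique if STARTUP_FOLDER.search(p)],
        "memory_dumps": sum(1 for p, d in unique
                            if p.startswith("memory/") and not d),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_listing(SAMPLE)).items():
        print(key, value)
```

Run over the full listing, the rewritten map picks out the IXP00x.TMP stagers uQ2Hw25.exe, 4YR653TP.exe, 6eK8Bg1.exe and 5yO6sA6.exe, plus FANBooster131.exe and C4FA.exe, each of which appears under two different SHA256s, while the two crashpad_* pipes are the only empty-content entries. Filter the Edge profile files (settings.dat, Local State, Preferences, cache) out of the sha256 list before using it as a blocklist; they are browser state that changes on every run, not dropped artefacts.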