Malware Analysis Report

2025-08-05 09:54

Sample ID 231207-yhplyagd8t
Target b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
SHA256 b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28
Tags
dcrat djvu privateloader risepro smokeloader zgrat pu10 backdoor collection discovery evasion infostealer loader persistence ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28

Threat Level: Known bad

The file b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu privateloader risepro smokeloader zgrat pu10 backdoor collection discovery evasion infostealer loader persistence ransomware rat spyware stealer themida trojan

PrivateLoader

Detect ZGRat V1

Djvu Ransomware

RisePro

ZGRat

Detected Djvu ransomware

DcRat

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Checks BIOS information in registry

Drops startup file

Checks computer location settings

Deletes itself

Reads user/profile data of local email clients

Themida packer

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

outlook_win_path

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 19:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 19:47

Reported

2023-12-07 19:49

Platform

win7-20231201-en

Max time kernel

68s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3154495e-771c-468f-894a-52d18cb7f1dc\\7F11.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\67D8.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\67D8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\67D8.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\934E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\934E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\934E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3154495e-771c-468f-894a-52d18cb7f1dc\\7F11.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7F11.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\67D8.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\67D8.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d4982
61a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\67D8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 1076 wrote to memory of 2844 N/A N/A C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 2844 N/A N/A C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 2844 N/A N/A C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2844 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2844 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1076 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\67D8.exe
PID 1076 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\67D8.exe
PID 1076 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\67D8.exe
PID 1076 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\67D8.exe
PID 1076 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1076 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1076 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1076 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1816 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 2900 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Windows\SysWOW64\icacls.exe
PID 2900 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Windows\SysWOW64\icacls.exe
PID 2900 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Windows\SysWOW64\icacls.exe
PID 2900 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Windows\SysWOW64\icacls.exe
PID 2900 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 2900 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 2900 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 2900 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\7F11.exe C:\Users\Admin\AppData\Local\Temp\7F11.exe
PID 1076 wrote to memory of 932 N/A N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 1076 wrote to memory of 932 N/A N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 1076 wrote to memory of 932 N/A N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 932 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\8CE7.exe C:\Users\Admin\AppData\Local\Temp\8CE7.exe
PID 1076 wrote to memory of 384 N/A N/A C:\Users\Admin\AppData\Local\Temp\934E.exe
PID 1076 wrote to memory of 384 N/A N/A C:\Users\Admin\AppData\Local\Temp\934E.exe
PID 1076 wrote to memory of 384 N/A N/A C:\Users\Admin\AppData\Local\Temp\934E.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe

"C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe"

C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe

"C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A40.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\67D8.exe

C:\Users\Admin\AppData\Local\Temp\67D8.exe

C:\Users\Admin\AppData\Local\Temp\7F11.exe

C:\Users\Admin\AppData\Local\Temp\7F11.exe

C:\Users\Admin\AppData\Local\Temp\7F11.exe

C:\Users\Admin\AppData\Local\Temp\7F11.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3154495e-771c-468f-894a-52d18cb7f1dc" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7F11.exe

"C:\Users\Admin\AppData\Local\Temp\7F11.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7F11.exe

"C:\Users\Admin\AppData\Local\Temp\7F11.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8CE7.exe

C:\Users\Admin\AppData\Local\Temp\8CE7.exe

C:\Users\Admin\AppData\Local\Temp\8CE7.exe

C:\Users\Admin\AppData\Local\Temp\8CE7.exe

C:\Users\Admin\AppData\Local\Temp\934E.exe

C:\Users\Admin\AppData\Local\Temp\934E.exe

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

"C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

"C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe

"C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe"

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe

"C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1464

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 276

C:\Windows\system32\taskeng.exe

taskeng.exe {9C7F5A83-426A-479D-B438-7230529C2749} S-1-5-21-1502336823-1680518048-858510903-1000:XARGEIVJ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 104.21.42.224:443 edarululoom.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
HK 38.47.221.193:34368 tcp
KR 211.53.230.67:80 brusuax.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 185.196.8.238:80 185.196.8.238 tcp
KR 211.53.230.67:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
MX 187.156.96.226:80 zexeq.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
MX 187.156.96.226:80 zexeq.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 193.233.132.51:50500 tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
FI 95.217.240.71:443 95.217.240.71 tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.145.235:80 www.maxmind.com tcp
FI 95.217.240.71:443 95.217.240.71 tcp
FI 95.217.240.71:443 95.217.240.71 tcp
FI 95.217.240.71:443 95.217.240.71 tcp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 172.67.75.166:443 db-ip.com tcp
US 104.18.145.235:80 www.maxmind.com tcp
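The network table above mixes several kinds of traffic: DNS to 8.8.8.8, repeated HTTP connections to 85.143.222.45 (host-host-file8.com), lookups against public IP-geolocation services (api.2ip.ua, ipinfo.io, db-ip.com, www.maxmind.com), TLS to t.me and steamcommunity.com, and connections to bare IPs with no DNS name on non-standard ports. The Python below is an added example, not part of this report: it reads rows in the table's own "Country Destination Domain Proto" layout, counts connections per destination and buckets them so the repeated beaconing stands out from fingerprinting noise. The service lists and bucket labels are the author's assumptions; the report records only that the connections occurred, not what was exchanged.

```python
"""Classify the connection rows of a sandbox network table.

Added example for this report (not sandbox output). Rows follow the
"Country Destination Domain Proto" layout above; a row with no resolved
domain has only three columns. Service lists and bucket names are assumptions.
"""
from collections import Counter

# Constructed excerpt of the network table above. Repeated rows are kept on
# purpose: the repeat count is the beaconing signal.
SAMPLE_ROWS = """\
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
HK 38.47.221.193:34368 tcp
US 185.196.8.238:80 185.196.8.238 tcp
NL 149.154.167.99:443 t.me tcp
GB 104.103.202.103:443 steamcommunity.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 172.67.75.166:443 db-ip.com tcp
US 104.18.145.235:80 www.maxmind.com tcp
US 193.233.132.51:50500 tcp
KR 211.53.230.67:80 brusuax.com tcp
"""

# Public "what is my IP" / geolocation services. Stealers query them to tag the
# victim; the lookups are not malicious in themselves (assumed list).
GEOIP_SERVICES = {"api.2ip.ua", "ipinfo.io", "db-ip.com", "www.maxmind.com"}
# Legitimate platforms that malware often uses to host a pointer to the real C2
# (dead-drop resolver). Only the connection is observed here (assumed list).
DEAD_DROP_PLATFORMS = {"t.me", "steamcommunity.com"}


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); domain is '' when unresolved."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # no domain column for this destination
            country, dest, proto = parts
            domain = ""
        else:
            continue                   # header or blank line
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain, proto


def classify(ip, port, domain, proto):
    """Bucket one connection; first matching rule wins."""
    if proto == "udp" and port == 53:
        return "dns query"
    if domain in GEOIP_SERVICES:
        return "ip-geolocation lookup (victim fingerprinting)"
    if domain in DEAD_DROP_PLATFORMS:
        return "legitimate platform, possible dead-drop resolver"
    if not domain or domain == ip:
        return "direct-to-IP, no DNS (review)"
    return "unclassified domain (review)"


def summarize(text):
    """Return one dict per (ip:port, domain), most connections first."""
    counts = Counter()
    meta = {}
    for country, ip, port, domain, proto in parse_rows(text):
        key = (f"{ip}:{port}", domain)
        counts[key] += 1
        meta[key] = (country, classify(ip, port, domain, proto))
    return [
        {"dest": dest, "domain": domain, "count": n,
         "country": meta[(dest, domain)][0], "bucket": meta[(dest, domain)][1]}
        for (dest, domain), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_ROWS):
        print(f"{row['count']:>3}  {row['country']}  {row['dest']:<22} "
              f"{row['domain'] or '-':<22} {row['bucket']}")
```

Two caveats when reusing this on real traffic: the geolocation services are also queried by plenty of benign software, so they are context for the other hosts rather than indicators on their own, and a connection to t.me or steamcommunity.com proves nothing by itself; it is the pairing with the other behaviour in this report that makes it worth pulling the TLS SNI and URL from a full capture.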

Files

memory/2484-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1912-3-0x0000000002B70000-0x0000000002C70000-memory.dmp

memory/1912-5-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2484-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2484-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1076-7-0x0000000002D60000-0x0000000002D76000-memory.dmp

memory/2484-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A40.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\67D8.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

memory/2616-28-0x0000000000240000-0x0000000000D0A000-memory.dmp

memory/2616-29-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-30-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-31-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-32-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-33-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-34-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-38-0x0000000075240000-0x0000000075287000-memory.dmp

memory/2616-39-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-40-0x0000000075240000-0x0000000075287000-memory.dmp

memory/2616-43-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-42-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-41-0x0000000077220000-0x0000000077330000-memory.dmp

memory/2616-44-0x0000000077740000-0x0000000077742000-memory.dmp

memory/2616-45-0x0000000000240000-0x0000000000D0A000-memory.dmp

memory/2616-46-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/2616-47-0x0000000002B30000-0x0000000002B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1816-54-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1816-57-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1816-60-0x0000000002140000-0x000000000225B000-memory.dmp

memory/2900-61-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2900-64-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2900-65-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3154495e-771c-468f-894a-52d18cb7f1dc\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2900-86-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1228-88-0x00000000002B0000-0x0000000000341000-memory.dmp

\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2616-91-0x0000000000240000-0x0000000000D0A000-memory.dmp

memory/1228-93-0x00000000002B0000-0x0000000000341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F11.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1040-97-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1040-98-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\Cab867E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abbab306bd7c4d3053f1041317e6e5e4
SHA1 af9ddeecaebbe54f703909bb8ad407c569a2f94c
SHA256 151186b004113f5cd2ef45ff77f4f4c2831010a716abcaabe7cc3141a39efb7c
SHA512 28fd176c4a80e90dd93185d35d92c072fdd10137fb9c57aa86ddc6ebdde531d797e419c80a4e0ad83c626738ccd661a2a140de78494b945b70f38b5c59f78311

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 6e2d35413041b00ae77beb14cbb8f034
SHA1 9b2fba1ad8f24accfee5c450eccaacf2b914f787
SHA256 2e60584abfd131efb4e461fd2f6db4de462b80b8d2d4fff955abb06e3182a009
SHA512 4fb535605a67474961ae97dbedb9ebd8f248a1fbb70bfa3cebc92db376807c5bdb066124b64ddf96b97cd8e8c8b2560a78385a4c8ec1265afd7093ba80ea5dea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e748e1c227cf5f72a9c6c05f2c63be74
SHA1 094402b2d874840887bda06bf90f724883b08a83
SHA256 a8ce607b83ea90ef4222350361f42178e58a1ccc836a5b333c92521b49a0dc52
SHA512 a18f23094f5640c8a29cba2eccde8dff341b8ced1a1ca22cc03266aa657237bfed0fd2e9f2618ee61216d1ac0da8fe4f1e6ed47a09e272b6d3265d2823f3c58b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 21b34ddc434695869dabe442fb5b8cbd
SHA1 fcd7c85b45a2dd9b29a68d904ce5908031e0968c
SHA256 66a144ec5d0edc390ca931e56b3e48a06db6a9158b3f4825f81dfa5487ebfde5
SHA512 f918556116b5e1ee0f93dac92de7807069cb1babcce319f2d40a7d1622b7506bf6adfc7611339247a460b4ce0d4fc1f4d4d72d70fc4439fa92fa558b4bcabe5f

memory/1040-111-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1040-112-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1040-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1040-118-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1040-119-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8CE7.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

\Users\Admin\AppData\Local\Temp\8CE7.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/2616-125-0x0000000077220000-0x0000000077330000-memory.dmp

memory/932-127-0x0000000000E60000-0x0000000000F48000-memory.dmp

memory/2616-126-0x0000000075240000-0x0000000075287000-memory.dmp

memory/932-129-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/932-128-0x000000001B070000-0x000000001B14E000-memory.dmp

memory/932-131-0x000000001A7F0000-0x000000001A870000-memory.dmp

memory/932-130-0x000000001B150000-0x000000001B230000-memory.dmp

memory/932-132-0x000000001B3B0000-0x000000001B478000-memory.dmp

memory/932-133-0x000000001B480000-0x000000001B548000-memory.dmp

memory/932-134-0x00000000005B0000-0x00000000005FC000-memory.dmp

memory/844-138-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/844-136-0x0000000000400000-0x00000000004AA000-memory.dmp

\Users\Admin\AppData\Local\Temp\8CE7.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/844-140-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/844-143-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/844-142-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8CE7.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/932-147-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/844-149-0x000000001AF20000-0x000000001B004000-memory.dmp

memory/2616-150-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/844-151-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/844-152-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/844-154-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/2616-155-0x0000000002B30000-0x0000000002B70000-memory.dmp

memory/844-153-0x0000000000D70000-0x0000000000DF0000-memory.dmp

memory/844-157-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/844-159-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/844-161-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/844-163-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/844-165-0x000000001AF20000-0x000000001B000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\934E.exe

MD5 6d1e0165321f407dce306141046cf0c2
SHA1 21b2ef6da585407e981520dd3857dccdd498188f
SHA256 fb9b767f4088c6c16944e080195eb9a3ba98d516cb08150705f6596a146846ca
SHA512 6b13870278aa039e9fa69d2cc3afd9dbd6bb6a07af3b55b0beb9d975e2159f671b66786653b3e4b8e6f081210aefc6197d068cd387b0b88edb13d8ff28199df3

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

\Users\Admin\AppData\Local\Temp\934E.exe

MD5 6d1e0165321f407dce306141046cf0c2
SHA1 21b2ef6da585407e981520dd3857dccdd498188f
SHA256 fb9b767f4088c6c16944e080195eb9a3ba98d516cb08150705f6596a146846ca
SHA512 6b13870278aa039e9fa69d2cc3afd9dbd6bb6a07af3b55b0beb9d975e2159f671b66786653b3e4b8e6f081210aefc6197d068cd387b0b88edb13d8ff28199df3

memory/844-191-0x000000001AF20000-0x000000001B000000-memory.dmp

\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/844-194-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/1136-193-0x0000000002B90000-0x0000000002C90000-memory.dmp

memory/844-197-0x000000001AF20000-0x000000001B000000-memory.dmp

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/3024-203-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5de919efba1e89f373cc4289bb3a2eb7
SHA1 ac71d5b9857a9dcd0b3389be4382d5f11fb60cf0
SHA256 b6f7690bc89072fb454c1c194f73d2e834f500b4ddc95cbe05547923e0358b52
SHA512 03de1e7e3ce811893b1622d2c7141539b9a186a3ce253fdbc4991f3fbce423978868651eac7584106dd7bb982ff2fe9a96dd9c33a6d6270790ff3746ca407ee4

memory/1040-222-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 3cc3f718b5756543370c2d72456e46ed
SHA1 40674b2f68d0c0338f5259a4439211162d712bbf
SHA256 8ea7659b23e22e2aa6b00664c97d3a6b1026e5043717b9a6b990dcab6768dc30
SHA512 8f6802995497943fbd11a34beb5b1104b3da50b89ae1b801d74cb13830cda1e83819ddac656fe6611c0c06c20fe9e81a10b4b8f8372d32ac48c7686237e71a8d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 3cc3f718b5756543370c2d72456e46ed
SHA1 40674b2f68d0c0338f5259a4439211162d712bbf
SHA256 8ea7659b23e22e2aa6b00664c97d3a6b1026e5043717b9a6b990dcab6768dc30
SHA512 8f6802995497943fbd11a34beb5b1104b3da50b89ae1b801d74cb13830cda1e83819ddac656fe6611c0c06c20fe9e81a10b4b8f8372d32ac48c7686237e71a8d

\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5de919efba1e89f373cc4289bb3a2eb7
SHA1 ac71d5b9857a9dcd0b3389be4382d5f11fb60cf0
SHA256 b6f7690bc89072fb454c1c194f73d2e834f500b4ddc95cbe05547923e0358b52
SHA512 03de1e7e3ce811893b1622d2c7141539b9a186a3ce253fdbc4991f3fbce423978868651eac7584106dd7bb982ff2fe9a96dd9c33a6d6270790ff3746ca407ee4

memory/3024-229-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5de919efba1e89f373cc4289bb3a2eb7
SHA1 ac71d5b9857a9dcd0b3389be4382d5f11fb60cf0
SHA256 b6f7690bc89072fb454c1c194f73d2e834f500b4ddc95cbe05547923e0358b52
SHA512 03de1e7e3ce811893b1622d2c7141539b9a186a3ce253fdbc4991f3fbce423978868651eac7584106dd7bb982ff2fe9a96dd9c33a6d6270790ff3746ca407ee4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5de919efba1e89f373cc4289bb3a2eb7
SHA1 ac71d5b9857a9dcd0b3389be4382d5f11fb60cf0
SHA256 b6f7690bc89072fb454c1c194f73d2e834f500b4ddc95cbe05547923e0358b52
SHA512 03de1e7e3ce811893b1622d2c7141539b9a186a3ce253fdbc4991f3fbce423978868651eac7584106dd7bb982ff2fe9a96dd9c33a6d6270790ff3746ca407ee4

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/844-202-0x000000001AF20000-0x000000001B000000-memory.dmp

memory/1136-195-0x0000000000220000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/844-171-0x000000001AF20000-0x000000001B000000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 b5367324501369cb58e9bb17b026133c
SHA1 521e8d6c7f1f03f1819f93bd97da07e2a2928932
SHA256 7f75f54f8cfb9daf42eab1c5df56dc2b340abb64818b3c7c88e9e0a645db72d7
SHA512 c16d6034670f45f5a909f5e457245f957e1aa3561059806656436ce502a264afb2e723bbff69a7befc7a2070c7afecbbc5bb1d970beb79209c2ed543ae47099c

C:\Users\Admin\AppData\Local\Temp\Tar9C31.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb37f50676e8f2294fe36494939f69b2
SHA1 3dadbffad2f6c6b162a15815b8ffbf52b89fe796
SHA256 45a2b72e3cce30ee0df1e01f294056e43016d26adac6793224e3cfa69ec49890
SHA512 f6d9d0806e86a3e88892e74b31f01fcd575f3c290f4626943b0bbe8f191173d1b88325504f1ad6c91f0e79adee5f7c2d99b1bdec43fb1a8c417d456814e89480

\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 524403f3adbe59d90aeb9fd061b3d7ee
SHA1 0c896a0c0d423886ef3259e04f6cd59f3ccdf643
SHA256 776a115acc328a9a9d63da81d9bbe52a0e0f7bf0c7f97acad12fdc287dced904
SHA512 11302d08a46d7737a50fe845f68b744c9cce6c27f473145811fb9941d142ea81b83a91933c2dd95946106529f6da758ce8c5eb67ba5369d8d9f206ce8e296cf9

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/320-388-0x0000000000880000-0x0000000000980000-memory.dmp

C:\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/320-390-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1040-430-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2944-431-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIAv87xMur9gCdVf\information.txt

MD5 ca141f3c6d0eb056cc6d6135a8d0d2a0
SHA1 a569c8f48ccc6dffe61a52cd76620de6e2ad9aa2
SHA256 2a7ca7def25119e19457c1f98718c11194dc6c2cb5a0a1e325120b20f1511f9c
SHA512 900c0b5d612439ae32eca885b6f5241e2044b2aee985624ed7e4074813d39cfb2fbb78de034a59471b01f0821647c0322e42c1ebe3a78b886424417a893316e5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

memory/1632-534-0x0000000000180000-0x000000000018B000-memory.dmp

memory/1632-535-0x0000000000180000-0x000000000018B000-memory.dmp

memory/1668-536-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1668-537-0x0000000000020000-0x000000000002B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

\Users\Admin\AppData\Local\20a3016a-c7d5-4a55-b349-1e411d842458\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

MD5 aa60ee3638c26b2068b901309245d998
SHA1 c77ca9938bc38a68e942f4cbb50d17efe839af7d
SHA256 ad91695fcda8f4dc9e1958c92855427b06dcc90afa5aa4386541249517da3e24
SHA512 d62ab63bc9850a321ecdc065c7d4b46cb325eaa07bf34f5c60144c6aff8a30765fa1a1162649bf6e98bef693349b128f3789a230c84b82daebce514d5518a9e1

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-07 19:47
Reported 2023-12-07 19:49
Platform win10v2004-20231130-en
Max time kernel 67s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8ef0dc42-a19e-4fa5-98a4-08fdd060ff03\\BD95.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\BD95.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\A605.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\A605.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\A605.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BD95.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A605.exe N/A

Deletes itself

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8ef0dc42-a19e-4fa5-98a4-08fdd060ff03\\BD95.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\BD95.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CD56.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\A605.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A605.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A605.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe
PID 3348 wrote to memory of 4164 N/A N/A C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3348 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\A605.exe
PID 3348 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 1040 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4976 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Windows\SysWOW64\icacls.exe
PID 4976 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 4280 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\BD95.exe C:\Users\Admin\AppData\Local\Temp\BD95.exe
PID 3348 wrote to memory of 1204 N/A N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 3348 wrote to memory of 1204 N/A N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 1204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 1204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 1204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 1204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 1204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 1204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\C67F.exe C:\Users\Admin\AppData\Local\Temp\C67F.exe
PID 3348 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD56.exe
PID 3348 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD56.exe
PID 3348 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD56.exe
PID 4300 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\CD56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe
PID 4300 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\CD56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe
PID 4300 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\CD56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe
PID 1264 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe
PID 1264 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe
PID 1264 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe
PID 3900 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe
PID 3900 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe
PID 3900 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe
PID 4588 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe
PID 4588 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe N/A
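The command lines recorded in this detonation carry several patterns worth turning into detections: the icacls call that denies Everyone (*S-1-1-0) delete rights on a GUID-named folder under AppData\Local (Djvu keeping its dropped copy from being removed), the two schtasks /create calls with /rl HIGHEST pointing at C:\ProgramData\OfficeTrackerNMP131, the reg add to HKEY_CURRENT_USER\Software\clicker\key, BD95.exe re-launching itself with "--Admin IsNotAutoStart IsNotTask", and msedge.exe being started with --single-argument on login pages. The Python below is an added example, not part of the sandbox output or of any of the families named in this report: it runs simple rules over constructed input made of command lines copied from this report's process list plus two benign control lines. The rule names, the benign lines and the helper functions are assumptions made for the example; the malicious command lines are quoted from the report as-is.

```python
"""Command-line rules for the persistence and anti-recovery actions seen in
this detonation. Added example; not part of the sandbox report."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample: the first six lines are copied from this report's
# process list, the last two are benign controls invented for the example.
SAMPLE_CMDLINES = [
    r'icacls "C:\Users\Admin\AppData\Local\8ef0dc42-a19e-4fa5-98a4-08fdd060ff03" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
    r'"C:\Users\Admin\AppData\Local\Temp\BD95.exe" --Admin IsNotAutoStart IsNotTask',
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY',   # benign control
    r'icacls "C:\Share" /grant Users:(OI)(CI)R',                                           # benign control
]

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Locations a standard user can write to; a HIGHEST-privilege task whose
# action lives here is a persistence red flag.
USER_WRITABLE = re.compile(r"\\(?:ProgramData|Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\", re.I)


def _first_token(cl: str) -> str:
    """Return the program token of a command line, unquoting a quoted path."""
    cl = cl.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(None, 1)[0] if cl else ""


def _tool(cl: str, name: str) -> bool:
    """True when the command line's program is `name` (bare or full path, with or without .exe)."""
    tok = _first_token(cl).lower()
    return tok.endswith(name) or tok.endswith(name + ".exe")


def icacls_deny_everyone_delete(cl: str) -> bool:
    """icacls <AppData\\Local\\<guid>> /deny *S-1-1-0:(...DE/DC...) as recorded for BD95.exe."""
    if not _tool(cl, "icacls") or not re.search(r"/deny\s+\*S-1-1-0:", cl, re.I):
        return False
    rights = set()
    for group in re.findall(r"\(([A-Z,]+)\)", cl):   # (OI)(CI)(DE,DC) -> {OI, CI, DE, DC}
        rights.update(group.split(","))
    return bool(rights & {"DE", "DC"}) and re.search(r"AppData\\Local\\" + GUID, cl, re.I) is not None


def schtasks_highest_from_writable(cl: str) -> bool:
    """schtasks /create ... /rl HIGHEST whose /tr action sits in a user-writable directory."""
    if not _tool(cl, "schtasks") or not re.search(r"/create\b", cl, re.I):
        return False
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cl, re.I)
    if not m or not re.search(r"/rl\s+HIGHEST", cl, re.I):
        return False
    return USER_WRITABLE.search(m.group(1)) is not None


def browser_to_login_page(cl: str) -> bool:
    """Chromium browser launched with --single-argument on a login/sign-in URL."""
    if not (_tool(cl, "msedge") or _tool(cl, "chrome")):
        return False
    m = re.search(r"--single-argument\s+(https?://\S+)", cl, re.I)
    return bool(m) and re.search(r"login|signin|accounts\.", m.group(1), re.I) is not None


def djvu_relaunch_arguments(cl: str) -> bool:
    """The argument string this report records for BD95.exe re-launching itself."""
    return "--Admin IsNotAutoStart IsNotTask" in cl


def reg_clicker_key(cl: str) -> bool:
    """Exact registry path written by reg.exe in this report (IOC-grade, not generic)."""
    return _tool(cl, "reg") and re.search(r"add\s+\"?HKEY_CURRENT_USER\\Software\\clicker\\key", cl, re.I) is not None


RULES: Dict[str, Callable[[str], bool]] = {
    "djvu_icacls_deny_delete": icacls_deny_everyone_delete,
    "schtasks_highest_user_writable": schtasks_highest_from_writable,
    "browser_opened_login_page": browser_to_login_page,
    "djvu_relaunch_arguments": djvu_relaunch_arguments,
    "reg_clicker_key_ioc": reg_clicker_key,
}


def scan(cmdlines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires on every line."""
    return [(name, cl) for cl in cmdlines for name, rule in RULES.items() if rule(cl)]


if __name__ == "__main__":
    for name, cl in scan(SAMPLE_CMDLINES):
        print(f"{name}: {cl[:90]}")
```

The first three rules are behavioural and should fire on other samples that use the same technique; the last two match strings specific to this detonation and are only useful as indicators for this sample. Neither benign control line fires, which is the check to keep when the regexes are tuned for a production telemetry pipeline.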

Processes

C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe

"C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe"

C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe

"C:\Users\Admin\AppData\Local\Temp\b8abb5bc1900792f7c93c0322f1d43ab6125496e2c1ea27b2a91eab4e9197e28exe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96B2.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\A605.exe

C:\Users\Admin\AppData\Local\Temp\A605.exe

C:\Users\Admin\AppData\Local\Temp\BD95.exe

C:\Users\Admin\AppData\Local\Temp\BD95.exe

C:\Users\Admin\AppData\Local\Temp\BD95.exe

C:\Users\Admin\AppData\Local\Temp\BD95.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8ef0dc42-a19e-4fa5-98a4-08fdd060ff03" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\BD95.exe

"C:\Users\Admin\AppData\Local\Temp\BD95.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\BD95.exe

"C:\Users\Admin\AppData\Local\Temp\BD95.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 568

C:\Users\Admin\AppData\Local\Temp\C67F.exe

C:\Users\Admin\AppData\Local\Temp\C67F.exe

C:\Users\Admin\AppData\Local\Temp\C67F.exe

C:\Users\Admin\AppData\Local\Temp\C67F.exe

C:\Users\Admin\AppData\Local\Temp\CD56.exe

C:\Users\Admin\AppData\Local\Temp\CD56.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1748

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 936 -ip 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 224

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1788,82189612636387082,12273552510415673826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,82189612636387082,12273552510415673826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,12906581009248976358,12639789136993099274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,1400476303036920398,1773823380361650545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,6724088314461892965,8351758294354246093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2563930632121893039,16399888892615881642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ef046f8,0x7ffd3ef04708,0x7ffd3ef04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13978301347754535299,9364522456343684886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4815.exe

C:\Users\Admin\AppData\Local\Temp\4815.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.252.100.95.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 182.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 45.222.143.85.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 104.21.42.224:443 edarululoom.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 224.42.21.104.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.171.233.126:80 brusuax.com tcp
HK 38.47.221.193:34368 tcp
US 8.8.8.8:53 126.233.171.211.in-addr.arpa udp
US 8.8.8.8:53 193.221.47.38.in-addr.arpa udp
US 8.8.8.8:53 host-host-file8.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
US 185.196.8.238:80 185.196.8.238 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 238.8.196.185.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 85.143.222.45:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
US 8.8.8.8:53 45.182.107.109.in-addr.arpa udp
RU 85.143.222.45:80 host-host-file8.com tcp
US 193.233.132.51:50500 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 steamcommunity.com udp
BE 64.233.166.84:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 157.240.214.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 44.209.168.134:443 www.epicgames.com tcp
US 8.8.8.8:53 twitter.com udp
GB 173.222.13.119:443 store.steampowered.com tcp
US 104.244.42.65:443 twitter.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
BE 64.233.166.84:443 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 84.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 103.202.103.104.in-addr.arpa udp
US 8.8.8.8:53 35.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 119.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 134.168.209.44.in-addr.arpa udp
US 8.8.8.8:53 65.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 113.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 3.212.160.146:443 tracking.epicgames.com tcp
US 18.239.36.22:443 static-assets-prod.unrealengine.com tcp
US 18.239.36.22:443 static-assets-prod.unrealengine.com tcp
GB 142.250.178.14:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 22.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 216.58.212.246:443 i.ytimg.com tcp
IE 163.70.128.23:443 static.xx.fbcdn.net tcp
IE 163.70.128.23:443 static.xx.fbcdn.net tcp
IE 163.70.128.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 146.160.212.3.in-addr.arpa udp
US 8.8.8.8:53 23.128.70.163.in-addr.arpa udp
US 8.8.8.8:53 246.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 220.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp

Files

memory/1256-1-0x0000000002E10000-0x0000000002F10000-memory.dmp

memory/1256-2-0x0000000002D50000-0x0000000002D59000-memory.dmp

memory/4388-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4388-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3348-5-0x00000000034F0000-0x0000000003506000-memory.dmp

memory/4388-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96B2.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\A605.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

C:\Users\Admin\AppData\Local\Temp\A605.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

memory/4876-21-0x0000000000A60000-0x000000000152A000-memory.dmp

memory/4876-22-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-23-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-24-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-25-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-26-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-27-0x0000000077D84000-0x0000000077D86000-memory.dmp

memory/4876-30-0x0000000000A60000-0x000000000152A000-memory.dmp

memory/4876-31-0x0000000008460000-0x0000000008A04000-memory.dmp

memory/4876-32-0x0000000007F50000-0x0000000007FE2000-memory.dmp

memory/4876-33-0x0000000001A70000-0x0000000001A7A000-memory.dmp

memory/4876-34-0x0000000009030000-0x0000000009648000-memory.dmp

memory/4876-35-0x00000000081F0000-0x00000000082FA000-memory.dmp

memory/4876-36-0x0000000007EE0000-0x0000000007EF2000-memory.dmp

memory/4876-37-0x0000000008120000-0x000000000815C000-memory.dmp

memory/4876-38-0x0000000008160000-0x00000000081AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD95.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

C:\Users\Admin\AppData\Local\Temp\BD95.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1040-44-0x0000000000A60000-0x0000000000AFD000-memory.dmp

memory/1040-45-0x00000000026D0000-0x00000000027EB000-memory.dmp

memory/4976-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD95.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/4976-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4976-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4976-50-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8ef0dc42-a19e-4fa5-98a4-08fdd060ff03\BD95.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/4976-60-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD95.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/4280-64-0x0000000002550000-0x00000000025E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD95.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/4996-66-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4996-67-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4996-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4876-70-0x00000000083F0000-0x0000000008456000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C67F.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

C:\Users\Admin\AppData\Local\Temp\C67F.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/1204-75-0x000001F892420000-0x000001F892508000-memory.dmp

memory/4876-77-0x0000000000A60000-0x000000000152A000-memory.dmp

memory/1204-79-0x000001F8ACB40000-0x000001F8ACC20000-memory.dmp

memory/4876-78-0x0000000077440000-0x0000000077530000-memory.dmp

memory/1204-76-0x000001F8940F0000-0x000001F8941CE000-memory.dmp

memory/4876-80-0x0000000077440000-0x0000000077530000-memory.dmp

memory/1204-81-0x000001F8ACC20000-0x000001F8ACCE8000-memory.dmp

memory/1204-82-0x000001F8ACCF0000-0x000001F8ACDB8000-memory.dmp

memory/1204-84-0x000001F8928F0000-0x000001F89293C000-memory.dmp

memory/1204-86-0x00007FFD3E840000-0x00007FFD3F301000-memory.dmp

memory/1204-87-0x000001F8ACB30000-0x000001F8ACB40000-memory.dmp

memory/4876-89-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-88-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4736-90-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C67F.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/1204-94-0x00007FFD3E840000-0x00007FFD3F301000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\C67F.exe.log

MD5 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1 de83788e2f18629555c42a3e6fada12f70457141
SHA256 d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

memory/4736-96-0x00007FFD3E840000-0x00007FFD3F301000-memory.dmp

memory/4736-95-0x000001B870E90000-0x000001B870F74000-memory.dmp

memory/4876-97-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4736-98-0x000001B870F90000-0x000001B870FA0000-memory.dmp

memory/4736-100-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-99-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-102-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-104-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-106-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-108-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-110-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-112-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-114-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-116-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-118-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-120-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-122-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-126-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD56.exe

MD5 6d1e0165321f407dce306141046cf0c2
SHA1 21b2ef6da585407e981520dd3857dccdd498188f
SHA256 fb9b767f4088c6c16944e080195eb9a3ba98d516cb08150705f6596a146846ca
SHA512 6b13870278aa039e9fa69d2cc3afd9dbd6bb6a07af3b55b0beb9d975e2159f671b66786653b3e4b8e6f081210aefc6197d068cd387b0b88edb13d8ff28199df3

C:\Users\Admin\AppData\Local\Temp\CD56.exe

MD5 6d1e0165321f407dce306141046cf0c2
SHA1 21b2ef6da585407e981520dd3857dccdd498188f
SHA256 fb9b767f4088c6c16944e080195eb9a3ba98d516cb08150705f6596a146846ca
SHA512 6b13870278aa039e9fa69d2cc3afd9dbd6bb6a07af3b55b0beb9d975e2159f671b66786653b3e4b8e6f081210aefc6197d068cd387b0b88edb13d8ff28199df3

memory/4736-132-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5de919efba1e89f373cc4289bb3a2eb7
SHA1 ac71d5b9857a9dcd0b3389be4382d5f11fb60cf0
SHA256 b6f7690bc89072fb454c1c194f73d2e834f500b4ddc95cbe05547923e0358b52
SHA512 03de1e7e3ce811893b1622d2c7141539b9a186a3ce253fdbc4991f3fbce423978868651eac7584106dd7bb982ff2fe9a96dd9c33a6d6270790ff3746ca407ee4

memory/4736-145-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 3cc3f718b5756543370c2d72456e46ed
SHA1 40674b2f68d0c0338f5259a4439211162d712bbf
SHA256 8ea7659b23e22e2aa6b00664c97d3a6b1026e5043717b9a6b990dcab6768dc30
SHA512 8f6802995497943fbd11a34beb5b1104b3da50b89ae1b801d74cb13830cda1e83819ddac656fe6611c0c06c20fe9e81a10b4b8f8372d32ac48c7686237e71a8d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

memory/4736-163-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-165-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zp0Yd85.exe

MD5 4b2a7c1167f349230bb3e3b851c2a2f9
SHA1 d0c4da8b69004e5b5508d25057c47804d6958870
SHA256 79ffe94d9a49f23c487525a9e6ed23551b988386fc9624395ef4f190a34fe588
SHA512 ad2896ecc759c44aefaeaf88b0d07db4695cc560a86fbcd82754e3afa91f93ffad7d85ae46f17bcb46f6c3d053d49a2252d499a519bb1dd3843115858fa916bd

memory/4736-168-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

memory/4736-172-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jZ37sZ5.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

memory/4736-174-0x000001B870E90000-0x000001B870F70000-memory.dmp

memory/4736-154-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uQ2Hw25.exe

MD5 3cc3f718b5756543370c2d72456e46ed
SHA1 40674b2f68d0c0338f5259a4439211162d712bbf
SHA256 8ea7659b23e22e2aa6b00664c97d3a6b1026e5043717b9a6b990dcab6768dc30
SHA512 8f6802995497943fbd11a34beb5b1104b3da50b89ae1b801d74cb13830cda1e83819ddac656fe6611c0c06c20fe9e81a10b4b8f8372d32ac48c7686237e71a8d

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK6NN07.exe

MD5 5de919efba1e89f373cc4289bb3a2eb7
SHA1 ac71d5b9857a9dcd0b3389be4382d5f11fb60cf0
SHA256 b6f7690bc89072fb454c1c194f73d2e834f500b4ddc95cbe05547923e0358b52
SHA512 03de1e7e3ce811893b1622d2c7141539b9a186a3ce253fdbc4991f3fbce423978868651eac7584106dd7bb982ff2fe9a96dd9c33a6d6270790ff3746ca407ee4

memory/4736-137-0x000001B870E90000-0x000001B870F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIAzbfnxDFglcHCx\information.txt

MD5 8c7b878cca6909076485e5d1726d3c26
SHA1 9ab24defeb27274999dfbd773765fe625d16be1f
SHA256 974c8ad900e797b34ea160bd6a0562c34247b82fd63b9bc5f67c09c5996af886
SHA512 56a22a33555a1726508739aa22f632b1fc0802f1859779cb1815d4c1e189f43fcac3bd01889d17c9b952b0b7e34f81b34ad63094ada89ee07935ab6596a292bb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK15mj.exe

MD5 41ae99d1bdcbd6c01e05d311c9670137
SHA1 9940a1eedea4cb869e85fb06e490a0f3e5b93260
SHA256 cdaf1a35e011280c3eb2de9e657fd3a9a8cee92fc66542114b4f20e0a0b207a5
SHA512 0b801595dad2da2fb6afd077c550041c6cd6f98311a3e61a0ffd55ce01b78c0524e17037debd15efd8ab6d9a2192c92a2ade1d1e00808f571bf9c6be316bd042

memory/4272-1487-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4736-2411-0x000001B8705F0000-0x000001B8705F8000-memory.dmp

memory/4736-2412-0x000001B870650000-0x000001B8706A6000-memory.dmp

memory/4736-2413-0x000001B871410000-0x000001B871464000-memory.dmp

memory/4736-2415-0x00007FFD3E840000-0x00007FFD3F301000-memory.dmp

memory/4272-2417-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

MD5 aa60ee3638c26b2068b901309245d998
SHA1 c77ca9938bc38a68e942f4cbb50d17efe839af7d
SHA256 ad91695fcda8f4dc9e1958c92855427b06dcc90afa5aa4386541249517da3e24
SHA512 d62ab63bc9850a321ecdc065c7d4b46cb325eaa07bf34f5c60144c6aff8a30765fa1a1162649bf6e98bef693349b128f3789a230c84b82daebce514d5518a9e1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YR653TP.exe

MD5 aa60ee3638c26b2068b901309245d998
SHA1 c77ca9938bc38a68e942f4cbb50d17efe839af7d
SHA256 ad91695fcda8f4dc9e1958c92855427b06dcc90afa5aa4386541249517da3e24
SHA512 d62ab63bc9850a321ecdc065c7d4b46cb325eaa07bf34f5c60144c6aff8a30765fa1a1162649bf6e98bef693349b128f3789a230c84b82daebce514d5518a9e1

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 b1228ad5381ae275b02b5d5a87191db8
SHA1 d02aa21e32e20649e2f8cb7cdc775fd4a98bbf8a
SHA256 c3a85e234556ffaae21f62d0bd4a76c5bebbf6b854ff4c987c95d933ee534804
SHA512 a546e52467215e506e61b2b6c34634dceb9c0946fc01abe21150bb99b64f771e0f198b2172d99b4b8d35eebe78a20011b20cd01fac0d360b2633ac798801d219

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 3905a179e2f728885238e14edfd3474f
SHA1 d9ec80f3e264a59e9bf9abe9f3a6bf1052c805a1
SHA256 e9b7d9076e336f757e7d1e73864c17ffdcd321409822a1aef76635a49863b3c7
SHA512 5103c9514607904cb929e350191997bd23a50d6eb10ca3eb9a7a70c3d1141353eda7ebec087314f2dcf6578c1af95545ae0b286b8b54dd39d7f0ea0e18e62d45

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 39e2ad3c0fc3563d1f8e0a09922f2655
SHA1 a7539d377a9e67ac68cf4bda734221586ce945e7
SHA256 e52541b419fef5436c6d5b70c43bcd9575852c68ce8da0cd02ddada2b37eaf4d
SHA512 1b06af05775cc08494dce57f292e77cb542d17e3397a39b2a0336705c081e005ff9f1007403d4cb6ed083914d9a82c723fcf9d25ebd7ac30d39322b4431f4706

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

MD5 ec3584f3db838942ec3669db02dc908e
SHA1 8dceb96874d5c6425ebb81bfee587244c89416da
SHA256 77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA512 35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO6sA6.exe

MD5 deaf4958ef4e77055f6094ee16b01217
SHA1 8160022b985581fe15fd5e43ca29ab9449fb0e70
SHA256 34df5f91efd4585ffc71c8b4cc8adb162e262f5c55b58175d044b53e91eb2fa5
SHA512 d431318cbf2a9b149003378a24f7bb90692a1f8e3e30a70a3d34c6e424ae65ba305d614871505733e40a271bfcd4e63a25ee9a6e05782c5137f8c69b03f465b9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

MD5 58965f6557c7f3e2ec3532738159d27c
SHA1 efd176f8d8fa13dd5ada8aa8558f2c8c88dfa2e7
SHA256 30b7d7f777a82fe925439264804123cb650a8d43c9f0959d0ea466a287fa9e42
SHA512 ff33293ed243c513d06e46b27e08f7acde130424fa735232f0a0ffdc03c4a2c8922e49cdbde8edb768ebdb3b462191b4d4852f81a8e86172de24e0b4ac0ebc4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eK8Bg1.exe

MD5 58965f6557c7f3e2ec3532738159d27c
SHA1 efd176f8d8fa13dd5ada8aa8558f2c8c88dfa2e7
SHA256 30b7d7f777a82fe925439264804123cb650a8d43c9f0959d0ea466a287fa9e42
SHA512 ff33293ed243c513d06e46b27e08f7acde130424fa735232f0a0ffdc03c4a2c8922e49cdbde8edb768ebdb3b462191b4d4852f81a8e86172de24e0b4ac0ebc4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1364b05c498754b0765b6ced5ee76bef
SHA1 5d682e34d2eccf67321028a63d59eb5e224a16f8
SHA256 3bf4387200c6f674fcea3b8737015af1fe130c5674ea2e04b120c8f124cd51fc
SHA512 3deb0b9290138c5f31e6411ff141aa75ae54ca9f5c581fb3d5877c23e48b86a4adb0f4e3d8d309405eeac8231f5d70897deb1299c4410ed3a4b2de34cad3f24e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1364b05c498754b0765b6ced5ee76bef
SHA1 5d682e34d2eccf67321028a63d59eb5e224a16f8
SHA256 3bf4387200c6f674fcea3b8737015af1fe130c5674ea2e04b120c8f124cd51fc
SHA512 3deb0b9290138c5f31e6411ff141aa75ae54ca9f5c581fb3d5877c23e48b86a4adb0f4e3d8d309405eeac8231f5d70897deb1299c4410ed3a4b2de34cad3f24e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58a9ee207caef8b6881b10e37b4cbc97
SHA1 fa5f0c8626915f39161abb48df2212a79c9c6abb
SHA256 fa60e147e18bd39cb6ce21d725ef37a2072d1d682547d9f7393d3f99e63711f4
SHA512 dd20d10299a8c628c74adb51239c3869a01a731e42946f0039c9138c03524d8c8a940716226f10aab0b0c7aa230195a27e91aea54eed611c6e5dc9f02fa90355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58a9ee207caef8b6881b10e37b4cbc97
SHA1 fa5f0c8626915f39161abb48df2212a79c9c6abb
SHA256 fa60e147e18bd39cb6ce21d725ef37a2072d1d682547d9f7393d3f99e63711f4
SHA512 dd20d10299a8c628c74adb51239c3869a01a731e42946f0039c9138c03524d8c8a940716226f10aab0b0c7aa230195a27e91aea54eed611c6e5dc9f02fa90355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58a9ee207caef8b6881b10e37b4cbc97
SHA1 fa5f0c8626915f39161abb48df2212a79c9c6abb
SHA256 fa60e147e18bd39cb6ce21d725ef37a2072d1d682547d9f7393d3f99e63711f4
SHA512 dd20d10299a8c628c74adb51239c3869a01a731e42946f0039c9138c03524d8c8a940716226f10aab0b0c7aa230195a27e91aea54eed611c6e5dc9f02fa90355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58a9ee207caef8b6881b10e37b4cbc97
SHA1 fa5f0c8626915f39161abb48df2212a79c9c6abb
SHA256 fa60e147e18bd39cb6ce21d725ef37a2072d1d682547d9f7393d3f99e63711f4
SHA512 dd20d10299a8c628c74adb51239c3869a01a731e42946f0039c9138c03524d8c8a940716226f10aab0b0c7aa230195a27e91aea54eed611c6e5dc9f02fa90355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58a9ee207caef8b6881b10e37b4cbc97
SHA1 fa5f0c8626915f39161abb48df2212a79c9c6abb
SHA256 fa60e147e18bd39cb6ce21d725ef37a2072d1d682547d9f7393d3f99e63711f4
SHA512 dd20d10299a8c628c74adb51239c3869a01a731e42946f0039c9138c03524d8c8a940716226f10aab0b0c7aa230195a27e91aea54eed611c6e5dc9f02fa90355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58a9ee207caef8b6881b10e37b4cbc97
SHA1 fa5f0c8626915f39161abb48df2212a79c9c6abb
SHA256 fa60e147e18bd39cb6ce21d725ef37a2072d1d682547d9f7393d3f99e63711f4
SHA512 dd20d10299a8c628c74adb51239c3869a01a731e42946f0039c9138c03524d8c8a940716226f10aab0b0c7aa230195a27e91aea54eed611c6e5dc9f02fa90355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4996_TABIMAXLUBJLGLBU

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

\??\pipe\LOCAL\crashpad_2260_FMFJGEWTJZCCTJBT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\30c6ca2a-bce1-4937-9294-49001d56df84.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

memory/4876-2667-0x0000000007040000-0x0000000007202000-memory.dmp

memory/4876-2670-0x0000000009DB0000-0x000000000A2DC000-memory.dmp

memory/4876-2721-0x00000000075C0000-0x0000000007610000-memory.dmp

memory/4876-2727-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4876-2728-0x0000000000A60000-0x000000000152A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences