Malware Analysis Report

2024-12-07 22:58

Sample ID 231224-2ktkfsgaf4
Target 931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363
SHA256 931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363
Tags
dcrat djvu smokeloader pub1 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan lumma redline sectoprat zgrat logsdiller cloud (tg: @logsdillabot) pirate jack uniq2 paypal evasion phishing themida upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363

Threat Level: Known bad

The file 931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363 was found to be: Known bad.

Malicious Activity Summary

dcrat djvu smokeloader pub1 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan lumma redline sectoprat zgrat logsdiller cloud (tg: @logsdillabot) pirate jack uniq2 paypal evasion phishing themida upx

ZGRat

Lumma Stealer

SectopRAT payload

DcRat

Detected Djvu ransomware

SectopRAT

Detect ZGRat V1

RedLine

Djvu Ransomware

SmokeLoader

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Creates new service(s)

Themida packer

UPX packed file

Drops startup file

Deletes itself

Loads dropped DLL

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Detected potential entity reuse from brand paypal.

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

outlook_win_path

Delays execution with timeout.exe

GoLang User-Agent

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-24 22:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-24 22:38

Reported

2023-12-24 22:44

Platform

win7-20231215-en

Max time kernel

301s

Max time network

316s

Command Line

"C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a987ba91-8a81-44fa-8da7-2da7994e720b\\FAE5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\rbawrde N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\937D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\937D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a987ba91-8a81-44fa-8da7-2da7994e720b\\FAE5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FAE5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\937D.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.ipify.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3F61.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3F61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3F61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rbawrde N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rbawrde N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rbawrde N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d3000000000020000000000106600000001000020000000707103aef67b232a503412ce388d85378dc2919621f3286840f6dddd5660dac2000000000e8000000002000020000000fa52988335f4e98879a12684c873de219974ff582722d8fb4fcf1a777f070d3120000000eb120429fbca9fe7fbb710beabf6536bdff72c352f276975017112fc04f4f587400000001b0ac679ed8e257bd31d8f9ed4a3e8db2ae153711394ba6d4be0365724f7fc359dffde24832b74fb04f842afc5f93efcc67ff2fabd31aad2e033b30ff2d59c42 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A07CF611-A2AD-11EE-9159-76B33C18F4CF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A094C3D1-A2AD-11EE-9159-76B33C18F4CF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A07A94B1-A2AD-11EE-9159-76B33C18F4CF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DOMStorage\epicgames.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\5C93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 1672 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\rbawrde
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\rbawrde
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\rbawrde
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 2640 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\rbawrde C:\Users\Admin\AppData\Roaming\rbawrde
PID 1264 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1264 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1264 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1264 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1264 wrote to memory of 2156 N/A N/A C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 2156 N/A N/A C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 2156 N/A N/A C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3F61.exe C:\Users\Admin\AppData\Local\Temp\3F61.exe
PID 1264 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe
PID 1264 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe
PID 1264 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe
PID 1264 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2496 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\5C93.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1264 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 1264 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 1264 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 1264 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 888 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Users\Admin\AppData\Local\Temp\FAE5.exe
PID 1808 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Windows\SysWOW64\icacls.exe
PID 1808 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Windows\SysWOW64\icacls.exe
PID 1808 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\FAE5.exe C:\Windows\SysWOW64\icacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe

"C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe"

C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe

"C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8CF52860-B480-4C3D-B773-537A0F3E4A37} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\rbawrde

C:\Users\Admin\AppData\Roaming\rbawrde

C:\Users\Admin\AppData\Roaming\rbawrde

C:\Users\Admin\AppData\Roaming\rbawrde

C:\Users\Admin\AppData\Local\Temp\3F61.exe

C:\Users\Admin\AppData\Local\Temp\3F61.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\405B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\3F61.exe

C:\Users\Admin\AppData\Local\Temp\3F61.exe

C:\Users\Admin\AppData\Local\Temp\5C93.exe

C:\Users\Admin\AppData\Local\Temp\5C93.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a987ba91-8a81-44fa-8da7-2da7994e720b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

"C:\Users\Admin\AppData\Local\Temp\FAE5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

"C:\Users\Admin\AppData\Local\Temp\FAE5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build2.exe

"C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build2.exe"

C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build2.exe

"C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build2.exe"

C:\Users\Admin\AppData\Local\Temp\937D.exe

C:\Users\Admin\AppData\Local\Temp\937D.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build3.exe

"C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build3.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 2492

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 158.160.130.138:80 host-host-file8.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.130.138:80 galandskiyher5.com tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:80 api.ipify.org tcp
BG 91.92.254.7:80 tcp
US 8.8.8.8:53 brusuax.com udp
MX 187.204.106.77:80 brusuax.com tcp
BG 91.92.254.7:80 91.92.254.7 tcp
RU 5.42.64.35:80 tcp
RU 158.160.130.138:80 galandskiyher5.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
RU 5.42.64.35:80 tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 elamer-llensha.com udp
US 154.49.138.142:443 elamer-llensha.com tcp
US 154.49.138.142:443 elamer-llensha.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 77.91.68.21:80 77.91.68.21 tcp
MX 187.204.106.77:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
MX 189.232.1.60:80 zexeq.com tcp
MX 189.232.1.60:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
US 8.8.8.8:53 zonealarm.com udp
US 209.87.209.205:443 zonealarm.com tcp
US 209.87.209.205:443 zonealarm.com tcp
US 209.87.209.205:443 zonealarm.com tcp
US 209.87.209.205:443 zonealarm.com tcp
US 209.87.209.205:443 zonealarm.com tcp
US 209.87.209.205:443 zonealarm.com tcp
US 8.8.8.8:53 transfer.digitalmonks.org udp
US 208.99.62.244:443 transfer.digitalmonks.org tcp
US 209.87.209.205:443 zonealarm.com tcp
US 208.99.62.244:443 transfer.digitalmonks.org tcp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.epicgames.com udp
US 209.87.209.205:443 zonealarm.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 www.kaspersky.com udp
DE 185.85.15.46:443 www.kaspersky.com tcp
US 208.99.62.244:443 transfer.digitalmonks.org tcp
US 208.99.62.244:443 transfer.digitalmonks.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
US 54.236.118.247:443 www.epicgames.com tcp
US 54.236.118.247:443 www.epicgames.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
BE 64.233.167.84:443 accounts.google.com tcp
BE 64.233.167.84:443 accounts.google.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
US 151.101.1.21:443 www.paypal.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
US 104.244.42.193:443 twitter.com tcp
US 104.244.42.193:443 twitter.com tcp
DE 185.85.15.46:443 www.kaspersky.com tcp
US 8.8.8.8:53 malwarebytes.com udp
US 192.0.66.233:443 malwarebytes.com tcp
US 193.233.132.74:50500 tcp
US 192.0.66.233:443 malwarebytes.com tcp
US 192.0.66.233:443 malwarebytes.com tcp
US 192.0.66.233:443 malwarebytes.com tcp
US 192.0.66.233:443 malwarebytes.com tcp
FI 95.216.178.71:443 95.216.178.71 tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 store.cloudflare.steamstatic.com udp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 192.0.66.233:443 malwarebytes.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 192.0.66.233:443 malwarebytes.com tcp
US 192.0.66.233:443 malwarebytes.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 static.licdn.com udp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 store.cloudflare.steamstatic.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 8.8.8.8:53 community.cloudflare.steamstatic.com udp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
FI 95.216.178.71:443 tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.35:443 facebook.com tcp
IE 163.70.147.35:443 facebook.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 tracking.epicgames.com udp
BE 13.225.20.164:80 tcp
FR 216.58.204.78:443 www.youtube.com tcp
FR 216.58.204.78:443 www.youtube.com tcp
BE 13.225.239.46:443 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 52.73.232.140:443 tcp
BE 13.225.17.88:80 tcp
BE 13.225.17.88:80 tcp
BE 13.225.21.174:80 tcp
BE 13.225.21.174:80 tcp
BE 13.225.17.88:80 tcp
BE 13.225.20.96:80 tcp
US 52.73.232.140:443 tcp
FI 95.216.178.71:443 tcp
FI 95.216.178.71:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 142.250.180.3:443 tcp
GB 142.250.180.3:443 tcp
GB 88.221.135.104:443 tcp
US 8.8.8.8:53 udp
GB 88.221.135.104:443 tcp
US 8.8.8.8:53 udp
N/A 96.17.179.205:80 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
IE 163.70.147.35:443 facebook.com tcp
IE 163.70.147.35:443 facebook.com tcp
GB 142.250.180.3:443 tcp
GB 88.221.135.104:443 tcp
GB 96.17.178.194:80 tcp
BE 13.225.239.46:443 tcp
BE 13.225.239.46:443 tcp
US 8.8.8.8:53 udp
IE 163.70.147.35:443 facebook.com tcp
IE 163.70.147.35:443 facebook.com tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
US 8.8.8.8:53 udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 104.244.42.193:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 142.250.200.4:443 tcp
GB 142.250.200.4:443 tcp
N/A 96.16.110.114:443 tcp
N/A 96.16.110.114:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 96.16.110.114:443 tcp
MX 189.232.1.60:80 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
US 8.8.8.8:53 udp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp

Files

memory/2188-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2188-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2188-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1672-3-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2188-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1672-1-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/2188-9-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1264-8-0x0000000002990000-0x00000000029A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\rbawrde

MD5 70220c50bb4d6b5c323ad3322eef8c80
SHA1 f5ac79382662f6f08512ab6c6d702450dae29c52
SHA256 931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363
SHA512 f058538a8728a720a34929892fd7abb15d73cab3c97a89bc1780828c78b0532d08f259a1baaf289aba3bb65d46c65eb9bb7b8998f5dfb47e53c7cf4c925a970c

C:\Users\Admin\AppData\Roaming\rbawrde

MD5 400b5a4baf50c91d869d0204097499ed
SHA1 6391ecccf95875c31561cb6be52c961fb83bd99d
SHA256 2dc0e234a472eabe379a484a802eeda8a3713eae1f2258373199d1774fc00920
SHA512 d482b6e56d5a55b2998e2763d26c9fd4694610611deb0ba28872462ad6f59f6dc46387be38b13145c5d22d00b40c851a18dae15dfaf5a3319bd4b70c9d51a9d9

memory/2216-25-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2216-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2640-24-0x00000000008E0000-0x00000000009E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\rbawrde

MD5 eef643d49c5d73088bfcc93d556e5a9e
SHA1 19e050e55cf3e83cf338afbf85794c4b46d06c5b
SHA256 d94de9cd0f35943dbbdb4f00255b8aab49955620ab0046bdc718e87c6dab3139
SHA512 18bb698f98251df0d3545a5b083a2f6afa9670facd5784c7c51f8750725713956f7f0cbfeb95dcd047c5b81b7381a16100703cf933b9f83287a8fe4391e7e7fb

\Users\Admin\AppData\Roaming\rbawrde

MD5 1827c155d2cedc33e3eb81d343158192
SHA1 57680dee20bf86c2c30b0c0035803e172b9fcc3d
SHA256 e3e9721e9f04c60ef27b008a42c664192611b154bed1e6a7e0eb85feb85f4b24
SHA512 afcd2e789d7c1c617f422954a9270b24f128d21fbc6bd134985fcba0d76a592919fc0d356e875710339ef824768ef68ee0592bf86745ec7d57316613ecadfd57

memory/1264-27-0x00000000029F0000-0x0000000002A06000-memory.dmp

memory/2216-28-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F61.exe

MD5 9e22548b757ed216dfb1f7333c1f4b2e
SHA1 e85a9d49be301b269e8492371efa67350556ae3c
SHA256 f42f2149a57a1ecd8669a1553e4345e70d9bdae016f2b0fc08e50fc6fb578f25
SHA512 dc4810e260d302d63294603294715ccf045ab7edcc8b44b54f0c74931241777979be80a481ee5299cfbbf4e806b26e283fb1c81fc9807dc8d9229b4cb70e5b55

C:\Users\Admin\AppData\Local\Temp\405B.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\3F61.exe

MD5 80f9d409a3632b0e2a481003de823c90
SHA1 33a0fc4e1b339df6e7d766dc009f71e6a25bebc7
SHA256 165208dc31837c8280cd5afee80109faa805aa2c4cb1dad049ed3a30b601c879
SHA512 ba9841d4ff5c6146705c3132e8fdf94482d11a24b9fe31cf9752a9ed1e802babd595e1f3ec2a9a63888890df852d0d225614445fab799fd536348a4259319dc5

\Users\Admin\AppData\Local\Temp\3F61.exe

MD5 23d8b03884dddfc5b03544eb5986d744
SHA1 57edd2ae4388d6dfd328a1c6e8d9e54478a3cd7f
SHA256 8e65c1c33db7977a079b036209138721ad4cfc2082cc82b44116cc2e5260e004
SHA512 d32043775e15365414fb2c7c3122c6121bc92bcf463a19e32c4dbcb59349b6e205db5df82ffe5aacee93646391f940b113ae633521f8dfb47196e4b2de3e01fd

memory/1748-52-0x00000000008A0000-0x00000000009A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F61.exe

MD5 d0d9ed8a3a5faec9d8a4f339ca392167
SHA1 3242eeb1866f1af2168db0548a0c2e2f17cb288e
SHA256 8c0e67ab2c139cc13af1d7f3d0a1a5c226765c417c4174317bda6f735f8436ac
SHA512 7f01c16dadfbca6f1eda4fa5a46ba9e4f2973b64794fbf6a393397a2f4877af1a09e5e552c6177038bbc05ffffc210cc0eebbccc41cb973f0018ebed209f7b28

memory/1092-57-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1092-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1264-58-0x0000000003870000-0x0000000003886000-memory.dmp

memory/1092-59-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5C93.exe

MD5 771ee0ba7c8cb7fa5a7930864b739fbc
SHA1 1d2fde2056fcbbf2c7ef17ff1846f1329f2da610
SHA256 5dea4ef381ca920219ca2de7f1da08f0ca86bdeda69d89d8fbba0a4ac094932e
SHA512 e0620353d2c7ebce9cb31ff96deb6894f24be7a12a5a2e60a47d54fb82df182a4be279579792d2cdf50bf1032f313fbe07b960c4912144143ca75897f5653bb5

C:\Users\Admin\AppData\Local\Temp\5C93.exe

MD5 37396df3dd661f920bd1c8fd839cbeef
SHA1 fc2d7a16ced56a65ab46952d6d254519650b67d7
SHA256 9ea09149d5c0f6e93950b82eaf54fc3f513bf1ba56e0da0cb6b3353526b60925
SHA512 3029f1ad3bc273845e1506bc20df1d50d7351a0682cfa9b82028a499166277d15c0d39ad675b3f536fedf40652929da9ae9373d80f878d40815c73b79f64d218

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 2feeaf5ffe59de6f6476a7bd1ed339fc
SHA1 00590ce74519cc11266e830a1e47cfb2f142be4e
SHA256 234fa1d2e0fcae514b93dc1420f83c5f308a38d1a81ac3d0d80bcf7996c4189c
SHA512 1ca78b0f1f706585ed41062962a5451a4660039b5a5a77c0129417ff0c417506ad23de40bca27079d34f2914f69d5bd896c342ce8163ea246cc98d6fd7ebf04d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 13feb5fd29e09e301cabaa778fe4dfe4
SHA1 b95ab0e817b1747f5c9b483373a667e28c402ddb
SHA256 c10bf6eddba07c44139883492ed38f4ac5bef78a3a2016180c3edec75790941a
SHA512 8de42dfac22d64c9c4b43acac78673ce92d417d2a718257b1d31cfcc709996307e56f40d6d182d76f5a7af89ed7f97d9d29074947c9234dcddbf619bb64c9bd9

\Users\Admin\AppData\Local\Temp\nse650C.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/572-78-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/572-87-0x0000000000400000-0x0000000000965000-memory.dmp

memory/572-90-0x00000000003E0000-0x00000000003E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 dd803c103e918f98c2d88cb2efd8ab53
SHA1 fc669950aa80e984f076c2841ee9ade83454cf51
SHA256 82268d688b6462c8aae6373a3ca362cd4de78fb63eb13556c0247371cc5f153a
SHA512 7fc576b6c69dda6b72c1561f7ac9107c836bee5d8d5ab4ca105cc8f41067f8830d1361a29a48281e94cf0f32da31c169b31cfc46a6ca2d280502b99fef93078a

memory/888-103-0x00000000002D0000-0x0000000000362000-memory.dmp

memory/888-104-0x00000000002D0000-0x0000000000362000-memory.dmp

memory/888-107-0x0000000000680000-0x000000000079B000-memory.dmp

memory/1808-110-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 83bb47230978c59cd00fb30d7e1b15e1
SHA1 1a671deb53e8a9b5c17eabbe63cb082c64ade12b
SHA256 8f0cc6a8c8df0b4d8227576ed33751b5ff1cf9ca55a12250874405d3229dfde2
SHA512 cddedf7d1f161e8a979f06a8864f2da23819a54600b6cd2cbfa3efb9c2634881a943a42b6e067c1f1eadb652a37f6a1cdecf8676d0fe03f33136a074c23147b5

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 7362b66df210cb06de4f51f3bed133bf
SHA1 bb355916b261791215f76b919aa825c0351c4577
SHA256 7bd2c8f10197d37b3c8c82c0010905fa9f2566d30d51b2c1d93058b2a7f0437f
SHA512 7a18f1f95220eb48a32659be37334aa810d6a41ac036d7c57230e7570d359693124cafd99368373c199cf8d98d2fc3268e84161676e505551999af7365cc67ae

\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 809db676e39978a859340f503c7866ac
SHA1 0d3313bdc5bd86304fad4387e8968e4b81175246
SHA256 1b52a1957381ca254ee66cb6ab0af7793f1075fa36d6a5dbf918c4d889e02de9
SHA512 65f4b0d78a6605ed2fe5edb033cbced1003f2089dd0605fae6042ac0dbb617802c3e971dee4adac11b122e615cd90b4694b0ad8161bc88a0c4e6da3fa57134dd

memory/1808-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1808-114-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a987ba91-8a81-44fa-8da7-2da7994e720b\FAE5.exe

MD5 597b6e8662e825f6331eecbba838549e
SHA1 02d395ff590c4163870dbf86896dacb9435b5b9e
SHA256 d6faa854696005e490962ab55275f6ed216636e8ebda2c8447e5d5d3627b3b0a
SHA512 6362a365a8a6914bdfb5dd7b382cea0f71fa7c781d852ae96007558e9c2d51f8b7c07fdb8a10714f0651d5db924e5b84ed026546710958f002ec412cd78f4bce

\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 218721232159cfb207ddc1ff36c9c040
SHA1 2f266cbca133a318133514a3162a7cea233bee5c
SHA256 f10dfc79f5e0e28b4d43462281eaaad90badf09524df51d90aa1d1b199c630d4
SHA512 0597f5f0a4c90c16d8d31dff623016ba01594bfe7a3c2d4317ea8f1c1ff458815b2c0f3187705165696c3240a3b242b3727cf770a39d374a589fddf26cb2253e

\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 8192d74248e0eda6b57a7c46f0cb608d
SHA1 d591dae51b7dd41e5e10cae04626eea08ca076e4
SHA256 d6d6af49c833e84454debe065bd6ee952f1fb4a71a1c79a2db756a1b479870b3
SHA512 65557507f253f6d5210998430e9fca01db3a8b3420f3b81c3f8a65721a4d7967d5949b8a2bacc526a33534de3d7c190dff559a21ce0c923f11e33e56b95c0fb7

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 b2a0f982d830311a901455a56b3ccbe7
SHA1 1a3ca4738572185867a5f3770627991614bb9b94
SHA256 3f7aec1858cf0dd47f7200963cdd001274e4b7fe50b2854d0d9839f8a7ab481c
SHA512 66143358cbe800dfaa6c039f4867b26501a94ed8a01e2f86f498f373bb99e349f161a67685a18998efd677c59bdd8be445ac27611b2779d467235643dd299cf7

memory/1808-135-0x0000000000400000-0x0000000000537000-memory.dmp

memory/784-136-0x00000000004E0000-0x0000000000572000-memory.dmp

memory/784-140-0x00000000004E0000-0x0000000000572000-memory.dmp

memory/2968-146-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FAE5.exe

MD5 cdd65f5adb8bf411d94999d7976213ed
SHA1 b80fdbdad08f90aadde522f89643c0799061c87d
SHA256 60aa5511649d9566a8de994981b452fb4a864a98e2d07476ddf158bdbb3c2814
SHA512 dd1d8a0dc5d730adc58efb4f624483033c8b3cc02c3bc622a82c0e62928222ca176510887f43320f4f45eebf1edec1a44770319a9f773989a252d2ebd0b4769c

memory/2968-147-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 267d33ed74838057f7a229ee5c6341ec
SHA1 5aef8ed5821eab63a1db73c3d1c1065ad2d5ab85
SHA256 bc541a095339de5592d26d36bc3941aafae00850b356e5f94056ea081e2049d3
SHA512 7c4135c79b8492fd9c495a5ec24a99a0743048d9f630156a2fb9f0f1d2e251f6cc317a6d914f8018225ffa6b9bda8ead5fc004cbd14dd751447fc8ed39d1fb74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e99c729661d361cfdeccb76fb786aea4
SHA1 f91d515bd1fd8fbe2a4d274f8062af1d0bd23a8d
SHA256 ffab13b85532e329f80d61cef78d604e593cf8d409e5aa117e3b9b3c96926159
SHA512 4317e4bc797f0efca9ce3ab3bc404e35d965a8135e5efc17a5b92c7751c060998339640a0f66d5ad815d7c9ccd06d34cc8f6c22d092d3698fc13cfd283ec3241

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9561a5cfde326e0067bafbd5f9fe311d
SHA1 2138644c498779a82d0c88fe487553e88513b906
SHA256 656865928927aaf7155dd66a0fec6bd7e711240454fd4e69ae2c0312e7eb1b18
SHA512 3ff930c7f55682af5bd5c88c63665a43a9960ba761e3b893459a5ef8b0d64e94c338fa5cae5635040742cce7cd28b32edb48ade82aa34c483d3c14840fd8fa55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 004a86ccae322374fa7d9a7495a49cef
SHA1 0a8146cb579da4ecfdfe02a81e42454968e6e75c
SHA256 b7921dd2915edcd0cf8d49f5161f082af913a3e81e4a041e8550a0142868e987
SHA512 a57f8c578a1fde0fe4529cb12af663c4f9d888d2955f2f820b9ad19446611e0d3d1b22fb0ce901825c45d78a5cc91d76ee2285834aec3aba20ff1ad9c2f9082c

C:\Users\Admin\AppData\Local\Temp\Cab25B9.tmp

MD5 d71dff97ca86ca16c3db8bdb5285fb35
SHA1 271c01246897497d069b81ed37af296cf6c1e498
SHA256 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac
SHA512 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

memory/2968-161-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2968-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2968-165-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build2.exe

MD5 e23c839edb489081120befe1e44b04db
SHA1 d57fd824ac54082312dcc23d2bca61e4d98f6065
SHA256 f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7
SHA512 8c40e7cc8b538cf33ec650e694f81e50e576dcf9d771c2d6d8d960fbb6fd38b64bc604ba0dba1c9ca3cedabecdc83c789ca515352f3de12c997150df0ed4d0c1

memory/2704-180-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/3012-182-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2704-183-0x0000000000230000-0x000000000025C000-memory.dmp

memory/3012-186-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build2.exe

MD5 a4f2c4882f1f95c67c86c1c88153a646
SHA1 4d369990dce1802f0ba534be09b073ddfd8f57e3
SHA256 5ebda3bee0ec77d60ef6891595e0037a26267c039725889f7e38dba2d6e89f95
SHA512 021cdc788ea6760dc29d22e30109698b0d30d53acfe637b562ae586456d736d91c19629b898bbf549971bf2f1d3f6e3252e055710789ed619976ae4cd1ea1388

memory/3012-187-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar83C5.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\937D.exe

MD5 c3c718510eafaf914a56621da2a12f4f
SHA1 7abf3d2fea34042846cbe2769937f6707bb1dba8
SHA256 7433e74b7a7c58a3060fdeeb51d700f802e81bb71dad6e0072fb691c32149277
SHA512 04594cf884941c6feb332f1f8199ce3dcf5142194405611cf2ff88c1cdb9b21f05206b42ee40f934187ca828bb966b614fed6304ee69e87cd1b66544d03591b0

C:\Users\Admin\AppData\Local\Temp\937D.exe

MD5 7292b986ad9b3dada55859b1f72d05d1
SHA1 91547981e4542beffc081e940f66b5d5b4ef92ce
SHA256 0ff6a60532af8b0997f6cde5bc341a6fb5d3270154749a8c8e1f15b3027cddf2
SHA512 a173ccb5e1b39514924a73afa325393b674e9332c1729804d63ab8fa849eb07fbd33922fb86060915a5ba87dee6e8296423c2073a7656fcf030bcd07e66c966c

\Users\Admin\AppData\Local\Temp\937D.exe

MD5 16306d6b08c35c404a39985e98f9db49
SHA1 8da44c0bf3754a016bc11a3de1d4aa9b7c241028
SHA256 871fab706a30022408fd6432c644543f8919dcf291a95fa88f0073d6138cb561
SHA512 f6fc189ee71dc225756faebae23afe5af248ed1f460f4779a8ffb280eabd5d0ffece268230547e1ccd6883d011852e31b2b47e47ac925dfa6d1599ed46b2f751

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

MD5 6cc86ae026e1c06e5e3c00629c6af5f4
SHA1 c1c1bbef14daaca4cb52053c0d6c2477b06db5f3
SHA256 80581696ace76fa1bf18fe0f171c7ce8efea4b7bb032c0a7939fd9080902ca7a
SHA512 0a5ae2cd2d5671f64fe0ae286a619489494ca84969a22903a4569fc620c2dc3c47ce43ce71ac7789ebdc4d3d4f57f6ed30c6c0af782fd28912b123cc91611b0f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

MD5 8402c6bcb339faedc6187ead35858b6b
SHA1 4138bca5e12dcffe4dc0b273cee779aef514a6ec
SHA256 11e247368c5c2401d001e02a1ccf9de3928bc05e8be9cf7fd41ad70a9d2ab457
SHA512 69fcd291f4784719b8a871dd9385f2eb8f46bc8eb818a59ef34daee0b781141a91a10421912db86fcd552107890cad1cbcb5c6bc20357e07f4152826fd1a4268

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

MD5 83796040a25a37147562331bdaa67b8d
SHA1 f984584c2e6b1864efad4150cd8432081231ae01
SHA256 d7a877ee30a8fde6f29347ccc3538111a5b45ffdae59d25bf3bbb1a646f6855c
SHA512 91cdbfeb915e2e70951aef65f3af7c56d2d381a295394f613f27300ec5a4ed7677deebe74e5ba1972641ac53d5f53d2463f3a3a6ecc8771e5a04d04ca0cc1b0d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

MD5 80ae053c75233efdf5665515c654e286
SHA1 30e9962eee74af5c421968d7085b66cb26abe200
SHA256 f3dcf24bbb8b2ee748ffcd5e053f3573269c59b0ff2bd7ca365da9dd3fc33158
SHA512 3264c0e089f9dde3c611ebe80e02cc284039709a609840c92ac98cceb3ffd8bfeef109918a216a20ffb426d062c69c72907d66e51e64add8f97cf234b0014565

\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

MD5 eb67759816276ce133d36566da64d9b9
SHA1 93952c2f44a356c8b0085b996cec72924aa86bb3
SHA256 5d3c9709cfe58507a1400d3470bf481fe030f8ce67c4d0770fd7001a59f307b6
SHA512 4872925ac60e7dd64f7e38bc5491f6d45b1602c0c1f487423a9c63de3cbc24aba00a99c8dadf3060bac1e83a3ff955dc63bab2044aa8e30ecc2ad970b1029ae6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

MD5 490b1e9b9930f53094392995aef59e94
SHA1 f2dc112d7ec3209a71cd788fdac811e86e3ff30b
SHA256 dbc3b4fe766d670d2084a21d8c686cc1dfe0e56dc73e01289ad06d0f88009091
SHA512 de087f8467cd2d622d1ab31d53ee1d6f4d8363b4b41fd6208204562e1253a846f0e9a2772847b3874b4c73b101145b834ccb868205a03b01aa50fea8db75f355

\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

MD5 744d6df650f95b76eb9119f49419651f
SHA1 c0012126001a77f702776caeff42d741af0daa03
SHA256 4765e125d2e9b54f29ba0a18cedf4dfcfc6f3ffb97c05cc20aef822dfbfa98b8
SHA512 5f3df9e3a7af8f5456bc0b3233bac6938d26ee654e88429417361b9e7422061aa40256bd55f51e1e4ef80eeb0f3bfdc1190f777c2cd1a825bafe8e068a64304a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

MD5 4706338709c6b91115d44df7ecafc95a
SHA1 7a278b29060ae66f33f9cc93067b0063056fe7a5
SHA256 1beaba93f13a20542acd2c17868b6c2c8a9c36b02a7fe36f59305323df6e157e
SHA512 ff6ffa4bb23cb618314b277980b38cd7413a1889a9efaaf3a257ef1ae6837da8d18aa8de78057a79d588a6dd7486821d0d3744248678654e213576a018ee6d4f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

MD5 8a9a9669d79bff10a3581da967785b2e
SHA1 9db123b656b74dbe37ab87baea11a88f91e2fe53
SHA256 827419d89b88073fcc116d835c0ef739d20a7cb73be9e40b27e949a7030574ce
SHA512 ae3cdea22ce949fef2829597f6c30c53b6f70468d66aa89e22b4902436ba5cbe29d59075bb631d13d5f477ab93e824649a58911ab4cb7c15e528cff6dcd71f30

\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

MD5 936fa03b09e19b7705e2b6dc0b4859af
SHA1 8be0bb1916b89f9e2ff2a328c8d11c3d800fd04c
SHA256 66472eb2ab91cdd31fc74e7cc922e1f3730695834f936d04b0192cb5b49eac59
SHA512 07efe3bc3e53578c52a10c37e2a6961aaa69058b33742a95b9f1fa17f07737ec718662029d302e836df8e4867114069b9dab52693a7e3c18dcc6fb9d5b515d9f

\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

MD5 f593fad17bda57b983ba8973591315f0
SHA1 fe3c93f8a8a938711a1ada468ffe80ea8e5f136a
SHA256 032801edc239dd3086f499fd641b58201ab5a4230e9ba40364ebd39d207d316d
SHA512 425a9972191364f8f9bd8a41332f51871d8eab4df83f205467ba1274a6bd22b7a92023779f7b4f39f5e6f03536c9f253ed0ba328c6e181db545669f5fc96d315

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

MD5 fdac797f4645f3eb385a22b7f30e7b2e
SHA1 269b8b79bca16df6664b7226978e4c30042d4dee
SHA256 f64a6dd831fd8610d27d1d1b40deac1bcc825148ba1d52da6ae0503a25fd3ef1
SHA512 815d95379dd46eaf9747a55f403e1b070c6b902385501e635cb002143a7e857270e6256ccdf0f6f49f4ddbf8d5d8fa9ded9dc60908c480c5760cf53dfdb72962

memory/3012-277-0x0000000000400000-0x000000000063F000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

MD5 dab2aa82a23eeb2588cf09b5200274a0
SHA1 84f49d067996637e8336162fbd35c086642d0d40
SHA256 56f967d86b26a83e8f914613036161e2a07b114a29a6210eddffcd7758756a04
SHA512 5e5af23c87294bc6f605219843040a127ed73f898094ebcb2ce9160e6c4a87d1d3a16c17738cb335acfa3e0a033f4bc261361522906efecbbe6e76f1fe9d36a6

\Users\Admin\AppData\Local\Temp\nse650C.tmp\INetC.dll

MD5 c2ab02e5975e882ec1bb254e01d0cfb6
SHA1 8496c4cd1d861ccb2ff162745d098ff721fe3f0c
SHA256 4482166d83357ca787f17137ec0d919e19b8b23da0332a4ec6996f83ba0f0f51
SHA512 01a30ec4e8612cd701fea5e687926ac57bc9e07cd2ef1cd3c333bae0bf2599fb317a7797b2c18f7346d1f3fc299c1892c549b42dc8120408c16c2c044e0809f5

memory/876-288-0x0000000000070000-0x000000000013E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

MD5 d268ae7fb8fd3dfdf786c9de5cb266c8
SHA1 19b3ac8e67ae1b2f0f266f77b44e14f108bc5236
SHA256 dae83cd6a51908f66f34a1cfcaffa3ce52cb4575c9c1701c4b2692442ebba7af
SHA512 0b94614f8922f31c7f8a4816326fbe3c560d55ec48108b37dba9cf329903e7f5d673e8da4334e869f14bb980ce3aa55a598d86609cd9434bd73fb1b41b74e38e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

MD5 cae3086f6b904ad3e6b991082e6b7bff
SHA1 6254aff04cc53a33b06355279bc55f9a9cda73e5
SHA256 8872bdacc0f82c34197ba38c63192a28b99555578ef23a82260ddbd3b35fea8a
SHA512 ec3be616e25621527af3c935cff55922df6256c41b83cb6a44f588303b33324d184539c365351fe4491c57886f65e4db9a906a4520ab0fa60a7b28c5c7e7e85d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

MD5 a13915af23309e94bce00cf1ee2cb934
SHA1 95f7bc279c14be77c69a9d0c545ad565c8c647bc
SHA256 1428fa343757968664873018b5ccd8af8dee191f250c17e254834d1d79cbd690
SHA512 e6d14b3a6f93d22434bca21fda9c898d1b36b350c4cc6944545966667fa51a5dc20df255685c8e3f2d599e686a5da9dfb3faf066b08bfba09daf497a26aa7b3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1c71049bf54bf998609b4f44539074a
SHA1 55ce10586e15c991f04aa5157d72274fe28673c2
SHA256 fc919aa42ad6eaca6aee7632e71ac5002976ffe5f21407457d70f820ea7e1eb5
SHA512 e30bc94c8bd814ee7719f6f4aac5c76b3c394d2a99f3a8149161bb5fa2f5d72f5be5df259a83f12968e5e653e77b74b77641d448ea7f7488b583ce50b0b67f4c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A094C3D1-A2AD-11EE-9159-76B33C18F4CF}.dat

MD5 a2147f85fa21b6daf1490c5f8b84c546
SHA1 9088500a6f363ba9e0911fd361950845096a37fb
SHA256 f8e408e3e88c1866d589ad340c2bd25f6dcfb2592bb78d9a23673321e51c15a1
SHA512 5383e8b51abb8a4fa761f30a1dba9623b383b8285dbfbdef19bdd7592ee7336655d0072581a189c8ed387f8e20c3d09336aa476662654e4ab708cdc2db3175b1

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 ee7611482e2dd34d2683d4e6ae6bbe65
SHA1 44114f837220608425eb7a1853956fa00206a229
SHA256 9b05fdc06e56eed6229645172577a325784c4e69fd447b8a1dab277c3e65e06d
SHA512 e23e4d7d59ce1299ee427ae79f1c462970dcb570bc578a3ed8432c813df42daa347f0901766866ced2271173760d46d4bf07bd44abf3584f25dfde564c64bd1e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0841A31-A2AD-11EE-9159-76B33C18F4CF}.dat

MD5 91ff122b8a32ebf46dbe5e11711c3c8d
SHA1 ed8edfc6a78cbb49fe42e5645e5ee9c790df4f8e
SHA256 3bd8a568dec7de66da7dbc09cefbdef53adc9caa7150b20e41dec16abc1d8c8e
SHA512 ee590559b87cd87e9874d93a8f19de3fa2c84f95cbb01c18226c331e0b35192a4449f231d7985de95cf93ce604c29d5ac328215d4d5af2e196558666fe5112af

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 9330696807719b4221ebbdb31fe25c00
SHA1 097f540e6d8227709692ab3e4a2b7779ac3c655f
SHA256 73d31ed3704dfd48699e25e13f51207974b29ff371f5052e9b1f3f8a82d9ad6b
SHA512 7b4c2732f7193cefbd62a06cdd9a86759b50a944bad8f7add08af12cf01fb876364cf0fa236e1ddffe1746773436cee2bd8a6c3c277f0429c3e012d089660827

memory/2968-321-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build3.exe

MD5 d95bd3b9c3965faa1a8440c45cc8aa37
SHA1 135edb96b29bf50a7888b4d1f674374f65bdd64a
SHA256 823a6560032402803658c73f4b2e750cf04fb412ac45e5d26d9f38bab753dabc
SHA512 3d287f1d31148e5fe8ee42d64a1e5c595f7a69862f440128c8efe7eb1b8e733188d5f3ff0b5a8ba4290f101f932b8ed580b6882498b586e9f415afede2c319c1

\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build3.exe

MD5 03b3f6eee4afa6640fa7406190dcf133
SHA1 2af0f426a4896d3bbe85654c7b61d843b8f7bc44
SHA256 e96afa8e4542c128e6bc5aa8c1eeef86af3f9dfb250671e4b212b17e5c7ca2bd
SHA512 44b931890d53b37d7c2718bc25d82a3c629a6bf8bd5e9446c12554030c7885d6b0486682b305caa183318b153d891963d86759da9ebf99e21de2c27ceb3b0c02

\Users\Admin\AppData\Local\f4c88dc6-e9c9-4e0f-93be-1830b1def920\build3.exe

MD5 dd1583f1f62b990f8c7de7d33c7b34b6
SHA1 04a51b068a930d35a403797de7732b883f2cb964
SHA256 70c593a37fcf76e547365d5bd736e941787d568cf7e94e44aa948bc9f2cc245e
SHA512 0f19e7d86ad1948d7265aaee877e44d0218be503bcd0c444f1abfe463848e94e275c7f682ee9949e5e33b52b2b88f61cfee2ed3a0f38d8640da3705f7b5edc69

memory/3012-595-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a6e2e80126ce71bcdb72afb4830701c
SHA1 16301e8f7da890172a194f188586f951ce2099db
SHA256 24e846a4e9b530bb9f466b299efbf8eb1afbcde2f4d37e59ed6f5707a7effca4
SHA512 4fab603934ad3c3dd0c73343795d4ec004b026b76ea1cb8789eb9166cef8ad6fb0b2ef217fcf9a9cd8060ba7530b18d823d2d92278abf9858e26cfd8ba24c0f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e35c6950f9d895edd9fa4cd84cdbee48
SHA1 f5d43a976a0629a3736f6366723ec0a40d39b27e
SHA256 3057590707797f661b395acf26a1e0787cd95ebdbdb796c6a2040a9b43436976
SHA512 8eb6f4941b3eb261447315228a29787d2de71adc989ab678c05e20774323220ef43cfd97dca7fac11a7be208b0151681adc3ee3f342243a51f985b00c4b5d4b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 cc287e57a38c42ffa5887a4396c5d3cf
SHA1 154a3496222c662d52d97ec91fd381041dab57eb
SHA256 08bbcb3a987134d107cf119f29e9e47117f269f02d2ecb432c81650c1054d57c
SHA512 89436e2219757199ad5d2df05bc2b0cb43ad5bafa43e1bc8d7cf63627c949567c723d7601575b39c861f5d3da2f4e89a36510cecb4ada40c77e88d269822bd4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 6469bf207b333acad5a5bf1a8dae112b
SHA1 e109b219e7bfa56382cfba1878c3563addf6ccf7
SHA256 962aad9d8f2ed14ef77abeff219509ac1b22a5b17cb82c3a4c27e6d3a718cb52
SHA512 de7adf7c5b000647fdeb86fb964ae3fe8a2f676ef1183f591f6392afe6c2c06acf213c556883a202244cb1f323bed9d784bbc9e350699fbfee1b9ca7c196c822

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 1158747f71a0641238d614ac53abab01
SHA1 58c14301d12fe422838f4b426dc27179c932463f
SHA256 fcca52980a99bf8bc8613f283396671f13e6f3bafc50821a77c6c75b25695b73
SHA512 f1398d1e5f64f7f10b3962676ae109e400c80f6eddcdbd2968d62a9cb630bf89a069f2ad7ccf886ac0f35ab90ed7d56e404a37a6c671b353b646700ad63d7bda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

memory/2704-1771-0x0000000000230000-0x000000000025C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51b1fa3c491029717064490e68c01d4f
SHA1 184f45c336d7b21c1ddfe13d17538e092b9e8b44
SHA256 85e89859e5978b2566ddaf7db0f03623241fd3684a72a874cf22b2a9d16e4400
SHA512 9654ac3f501fd9bd471a7ee67697bb13b1c996c8163203d5ad8375f83919b56d409eee24e2f5295b9650d0d5b368f39041e5108a6c428ec7ca9485d898278ec2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 83d4d28e57a5e18db6cfa9bd5d915066
SHA1 a8077931ff726e09f7c3b337512b335dbdd514de
SHA256 746f6531556654d47a1498a94bb72a8405317b36701a9c4e9ad61a6860d4d1b0
SHA512 1ad337eace041b042419350413b865cba4390fd690f2cbe8bd8034d4928e0c9cf63ca014bfc70a0e9de66dd4d87a27c80e2dbd26d1cb87e187d1b1691bf7cde2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 a3439917990e5cd5314d5a740519aee0
SHA1 f1397e00f11294b832072f8e7fa50f90b5d7e074
SHA256 c080b9412c1bb875cb3e4b4fb963e8d960624fd6b7988475f03a8215e8d2e6fd
SHA512 b826e108ebf553b8d4f2d08a1cc05c4a5d0d2a4dd2723c10edea3381c4f134589535f39e2b2e0db815fe0a63dbe8bda2456be856f7323fb912b03839e9012786

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 aa98e7eacc3ae1bc4489613e6a005a0d
SHA1 c6e8cddf666064d946cf82b63a02910f8e8d57cf
SHA256 0d445462376804f4fcb990a886e24351a1a488284b45ad3c217914e1f610b337
SHA512 7cb7acf5b2bfa0630267f02bc31db876ec1511092a1942214a4709e4d3b13d8415f886638b035c4253aa9e126fdce7e0251bcdcfc9e2522e3149cf386f6e1820

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGM5U0T3\shared_global[2].css

MD5 0eb3b3bf159cef745f0173c6c32da9cd
SHA1 e8e8d0989501c538c375ef58957f8864e31ead29
SHA256 f9fef685319ac374a73e0c40a9428c177c3eccf2057bbb860f3c25e06506ef7b
SHA512 473d1662925aee08736425ca949349b819f9c0fe1a46cdc02f12bcd5bb1067d3fdced324ec16c13eea2b8a1974073b3eac92532b7a5df96da91ecf2639b1a2f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 863f58893178b1b1508dfb09ac2e879b
SHA1 71ee7b30d447ecf1a897a968828abe900b0aa807
SHA256 27f994f50c54264f87edfedf8687c0a7d0c31b1bc4cca90e7f1d5636d07d420c
SHA512 4ecf741e12a809138e246bed3fb580e3f78aa634930de1fac780decd1e0c1dd21029468af66e3ea211bdb018a95d10234274a45725876c9ddde3960396b37100

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 ad3a0c5304f1da7b059ab2513ecf194c
SHA1 0c030661ff2505c0eff7fe6009afcd722072b969
SHA256 65dcff93395d4ca8b7dd51f6d46b8fdcf5a7b6b4049319f67984067d8b2beb10
SHA512 add7f2ec79f12e19f626cd889b3f01c0884b5cbd0f9c8520e7229b9f81aea7d6edbc0265f8d91b87c1d170d8b0b33f4a4f3d7c2c323ae982f373e1f7556d2883

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\buttons[1].css

MD5 1abbfee72345b847e0b73a9883886383
SHA1 d1f919987c45f96f8c217927a85ff7e78edf77d6
SHA256 7b456ef87383967d7b709a1facaf1ad2581307f61bfed51eb272ee48f01e9544
SHA512 eddf2714c15e4a3a90aedd84521e527faad792ac5e9a7e9732738fb6a2a613f79e55e70776a1807212363931bda8e5f33ca4414b996ded99d31433e97f722b51

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\shared_responsive[1].css

MD5 3c78b10f81e11ad89896be942eea40fd
SHA1 2439f68c0701eb703eee09f4029d791c570c21ae
SHA256 e4f99afd56369c48e706463b7c6c46dca8d520894ae93f4241a357e176523003
SHA512 72ea47774adc1d02a4e577ec414ccfb6573a4359f1491ed9c2e937a977b24226e060bd9e7bf28e827f3f5fc9a5b620d0e715ba1d3514851876da200aea2e7712

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wz5r4lq\imagestore.dat

MD5 c7138981c6639a12920d5198ffbb02bf
SHA1 5f81d877fae3e04760ca125e52eabdbb8207a66c
SHA256 64821af6320eedeb1482d944dcb2b23794aba83a87a56853aa3bd852ae273855
SHA512 c610685721c9901038ce26f4073ddc15829d61fd80b3edb02e7860c14643b4098a8543df0868a1357408f221796187869bdce65522476aa509c6ea1afb9a399d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\favicon[2].ico

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SP6DRJYJ\favicon[1].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bb4aa9e41e443dfb9549074e2a88d66
SHA1 2e15fb1db9a0898345b21ec3d692ab6d17410d04
SHA256 318613cd35daeb968ac3872f8824eca7834ecadbad54023049d9441d966ecd4c
SHA512 4a5f2e883e6277f43b749fc2cedd874c1296b3b4e0ccd12446bfd53108fb8f9f281206f7cf8ac0ab725a2f6c413b99d0abdaf50bb467d45a38b6fc2aeda2ce06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a653642c947f80dd0837ac6b3c537e3
SHA1 6378447aa1aaa3d852e73b58694e348da2a488b4
SHA256 08d4997478e6be1d53d569fc299fbd31caeca0be0c7fcd59949bdaf230884a5d
SHA512 e3cd8bd51b8e63ffb1166aae0af36a8fac87d4e6f052cbe39c1a13da22185e2b73ca9bdecb9b516b32c18ce9a7835ae97f4079596604a2685327ab519622a510

memory/3012-2359-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf53c5c6e80ca7144dca598b2948e465
SHA1 f88f117cf64b9bdf52c9162f92b5147e6025ad4a
SHA256 ce03fcf1dcf37186455b6c70d83e8c0f54e170cd1db1cab6ab3be9d2453d94f8
SHA512 70b227994f07dfcc5a159351e33267bc51401f7a36d5569efd84589a7ee7d8ebe6062e42df8c23dc11cfe9ed8b71507f757fa98491dec8cc850abde91f101947

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a5b2a3ab546c32949ccb7f043be5ecc
SHA1 ee4f4a9b4601244d70a3859a44357660ab65161d
SHA256 b607257ee783803bd806ae5d823cf5d9088d751c4c0e2999dc21bef352b4b610
SHA512 c16631e96a19333df664ec58b0c8463b261793af63c8c715210ff485cf9737d5ff60bed51df3b8713270f9967e456f6401f094d4deeb0ebcb1008c85e496e380

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97910b1283950921876c3ee8917d20ea
SHA1 ed660a8101875baa5b9433c15a6ff98782d15287
SHA256 f659412d2785c9c62d37da3f39f7db7b20cabc15a674ed8643e9e2768bf9f0b3
SHA512 26c02be1b0adedfa256dfbe92e864d93c2a2e6f0416d29daf6b74f51caefac7ef57f1c214a00a70f09f6784ac5f4eee0c7a458d74dd320795654490a610fa57f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/3012-2673-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SP6DRJYJ\tooltip[1].js

MD5 ed7950443967a2de6e42cba602234372
SHA1 d4ba0fc511035f527ae23b5cf8ab88e0b047a190
SHA256 7aab6835483b5659f811a991a46404b74825964ed6ebc521427bad75eacea9b4
SHA512 0cd55ac9176b8f7ce1a6070e828cc8bb4c8dda76fa51f1325b78b70bb6bcb2dcf430dc9ef1b5e2aa65e02c8ccd1f47c38daf628c0047ac28a888175beb31a19d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGM5U0T3\shared_global[2].js

MD5 646bc0380296ef1f7303339c95a77264
SHA1 ba43ce99dad18f484e247546e83be6f3721e4bfa
SHA256 3e6f274ac997fc547a5d6929c0f471c85ef35f0109ba7225e6c210d5ee9ead56
SHA512 17c19c4d4e4b820466a6debee1f9fb845a0285608bceeb1c938b9de5155b0b9a7c4b32a277a3db3a0827e5332adc1e5d79c2dc11e991acf338f51c715dedc23a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGM5U0T3\shared_responsive_adapter[1].js

MD5 a52bc800ab6e9df5a05a5153eea29ffb
SHA1 8661643fcbc7498dd7317d100ec62d1c1c6886ff
SHA256 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e
SHA512 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b45dd5deda1f11ac24931014b157d372
SHA1 5e79aca8d81c1bcf5c1afefd8eb770951edc185b
SHA256 711bcd508a41185cf594b35a826629bce7f18cff197c219e4cf88c57503a3c7f
SHA512 842018a548d63db22f499a2b18f28f86d60ebdd12b0dc895ca3f14c6ecfa6a053246a12977691786c5343edc675cdfc23fbd6f2328267a24b1957b2149c78caa

C:\Users\Admin\AppData\Local\Temp\tempAVSLbKbITS9Mfpo\VUP190NZDykDWeb Data

MD5 f1154d6e6980085cdbb375c61f9ea694
SHA1 20a3fed4afc7e07cda66559944e81e85103b3cdb
SHA256 ec65efa9e216cbaef83badbe3bc33d30f3f374967ce32bb9851de6758084ff96
SHA512 481db231efed4c95d5a502f108d2767e4354e68283267829f11843c6f171ecd7fdbb1ff2c5b2832a613fa93ed569fcc78f8deb7e2bde534e5bca11f4320ed259

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34de176e76f864bcb3fe05f8aa193706
SHA1 52cf51df6843ee3e5751a43b9a8838b0481913c2
SHA256 f8645124c4d19162cc0f158e44f8d01d9f719c99cc67d900a4ca99a34f954919
SHA512 ed32486c065f72b3971c71f37e3b91d24d039c00da6feb9a06bce8401e333ed753b23cbc73b9b26e1d7ca11c323610a6f5bec23d2039643f4403d3d080e4f89d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c0f856bcd7db0437956946104664831
SHA1 6b6bcd52e7e7d7505ac5957a659e3f120f82ccb8
SHA256 de34f71554dad18112ec019660b80110c1ac181ced08c60e9f438b6aba9b5f5b
SHA512 c822b0f5c076aaeb88b56e72ddfa7de17c761e9c3dc32521e6d91892e7ca8af2f102319e57def895754fbe81d37108f8b2dad2b1fb99cd9e363e6f6c94183c8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66dcb33201d19ad5d94bf36ec84a95c9
SHA1 1bc1b48749c42ba0d92ca0b3b0e423ec2617d222
SHA256 5be4b70a2077421298216655c4bf8e2ea133eeb11d35cb80efceada999fe7126
SHA512 e876f10f18b1c939ef00322a10594ffe31592cd6edae9a3fcdf2c54aa4ab3a7af6283bb8b5235e10bdf6945f9b5aeadc130ce4322b999cf2d388b06669d5af50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cfef08e84c6b0abe0980c42f3650cbc
SHA1 9e0c5879802594b0c6b1682b70dfb6addbe0671d
SHA256 6090a3a1e6790464bbdb61ec8ccf20a73150f5c1ff2a1f2406b727b0e8d58a43
SHA512 af4eda8431cb378ae29805d99ac15a11d7b2d13ba50188c41960178096b86fc80239256c92ff220a491b13e30c494bc56ebeb019ef2df238f77a98cb409221fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ce58aab5ed1f26934d62b2aaf0ae885
SHA1 8386936acbb9bdaef70747e5b2a24a7eea25435f
SHA256 6ad080387f7169e7b587a351f5b045752d4c30c98e043085be56a8276885b114
SHA512 5e0232cf6473224c6004cc1669b7359fa43efbe76664d3808456c565813da0771e8cd8984dc8126011654b5ef958513d83abfa1b9a890fdc281ffeca825be00c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb3a478052345cdb5fdd233e464fefcd
SHA1 5d870f619822199a074f93e2fbe0a5c1c24a4309
SHA256 ec1dd33165cbedacace2e00b8f3c096a2bdd42027ca3cae3cee6103ce8f123f3
SHA512 08a55e1c83d6ac26314a0663cebfc325f6b64a0b703a9979cbf660a4ccc5506f9eec6978d649cf20f7fd975ea8490fb384d4c9b9d59587070064cf171015792a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGM5U0T3\epic-favicon-96x96[1].png

MD5 c94a0e93b5daa0eec052b89000774086
SHA1 cb4acc8cfedd95353aa8defde0a82b100ab27f72
SHA256 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775
SHA512 f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acbe9f8a52b9ab3048fb7ca9d1151001
SHA1 3bc85b4143474922a0c426eeb597a66c5667eec0
SHA256 812732b4ab656a98b21c71c15b290f6277962e81ded745406bdd85b03cbe9075
SHA512 eb74ebc3da0c3b1d736f339d0786cf88bd724afc01c39524788e3699215bbede4491f21e73dad007aa63763a77d9aa01105c714bcfb728c51a8083989b26f35a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\favicon[3].ico

MD5 b2ccd167c908a44e1dd69df79382286a
SHA1 d9349f1bdcf3c1556cd77ae1f0029475596342aa
SHA256 19b079c09197fba68d021fa3ba394ec91703909ffd237efa3eb9a2bca13148ec
SHA512 a95feb4454f74d54157e69d1491836655f2fee7991f0f258587e80014f11e2898d466a6d57a574f59f6e155872218829a1a3dc1ad5f078b486e594e08f5a6f8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4ba8d03c8838ab19e48769fc815d8e6
SHA1 16437f5c6422300d6510cdff8695f4080b951824
SHA256 a68c49c12cf983af5d44d4123d29586de2ab9cd67fb4638d7ce30656b29fab39
SHA512 6fe708d1dace0f998631e8190e933ddbb6bf1b8b28dc89439a98e6e273c29a7b5090eda8b83ab2dbc52f70b2f603dc630bc7cb600dd8cf232871ac8643898d4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ab300e4b02792fe04e1baf98bb37b25
SHA1 0d31c2323397a278a98206bc6afb086ea134ee27
SHA256 164bd79c7c32d119f0f70f54c4c38b222b660671619cc240689f6a10dfd799b2
SHA512 85852d35316bd1571a8121206817776aa6dc954885f1b9289f751a0ca77615ef79cfa52118f719ad7ff4c55c6a23ee447a65032c47b56dce831d560652f37138

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab0039e069c349f2ddb44a9a7b418cfb
SHA1 5d83f0f81215a82c5892cf8042c086db22359c36
SHA256 1e3427c823664362807a813ae7bf2ca3143452b5011419c3f106510b1f224429
SHA512 c6479245f259fb36b24e37b1c9519e3fe4f3f6f2e960b50cff620f25d51e73e09a290b3afe2e822b02ea557c94773c8cda6746c99e008fc7a1bafe2ef91fc350

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10a8526c5ce3175f380bcb6281b66d32
SHA1 87b49d4a061a274cb51815fc0862e326f4583ea0
SHA256 ac74cab9872dbb0d4c0e80cd7ec1b2b6c20bb42d5d9d87b2a723524eaacdf542
SHA512 e6a58b3d293d0dfd198dfef1393656f7ec4e4ca0409f29b422d14d5ee35f95798d2b42577bd9e713930c5becc2d9b5dd458d9601df3167bf09e4fa3977b87eb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a492b4720a9f312e9e00227179635a9
SHA1 766d7516d733ae9924e9df6fd04e7dc7c5087dce
SHA256 af2b459d55e2d8b5bd2612b27832f3ee6e5e54c7f82a615c75a6b033ddd3c458
SHA512 f031a8d99796f2efd3658b528d4efb61bde7b94e6a0c8109470b81193c3f03031924c9c1a5c9232069ef989e8656dce4a51f908e55c3970c0a053bd14ff6b3d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5caca8e5d9e6f74bc1512af03a2a31e6
SHA1 3e8daa87aec35c6ee1cc721d7676560e1a9eb95b
SHA256 b5762b16503b67559d3ebaaf574cc4d78d5c56924e9cb62fd935ebcf4f2784f8
SHA512 cbcbce1fc31b270f4c726846a38dd0ff501ec6aef24835d5cb96d0e2fe5e6149d5955e97175352b056f2efedff174f23973ec8bd08b485f721b79f5eb244415e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7e74d0cf34e9005c76adb3ad732cb5e
SHA1 bbd1b05a0ab281cc6dbadec8af8241e8dfe4374c
SHA256 afabd732d335612c616d2fca51f7a3718747faf7dbffbdcb80b2ba54f669ac0b
SHA512 80d04a2fc0df2918d945946a1151dc1136642fdcaee8136ce039655155d0d1b062c4ace40117cbdf90f84cbf7853cba86703decb82be1907317f8ca209f41b0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9eb04b7d025c7d3916abff36efef7901
SHA1 fb3fd73347fafb7cd0d0478920fdf5f5e0ee2139
SHA256 ffea45ff4cf9623c9dc23ea72088f5cd4bf1f4d7e4b47cac43be926f7d2bf552
SHA512 2bd376f5a9ff31749323d2ad2e9f50559aea5dafaeb7ada3e218c66a2a8c76d5786aa4f1258ee6042ded97d50c8ea517aa81e8fe2d1fd10445aa8aa22e7d8dce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05a57377eaed55074dba92dc3d5c98db
SHA1 8698c1020aa7d2428f450a3d88aef5ba59836dfd
SHA256 9af33d6b1246170bcda4644ff9301f156379158eb48aa82c0d3ddb64e05e00a5
SHA512 0ac2d28bec192a536e070eeb082c5be87741a5575fbb9a44b9ee0da9df81435c82b6ecd41da71b5b8d593cc21356fc34a9f1144d49a6daefde00b78700bb3007

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-24 22:38

Reported

2023-12-24 22:44

Platform

win10-20231215-en

Max time kernel

299s

Max time network

313s

Command Line

"C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0afc3c65-1059-4061-a60d-59af61ed764c\\9103.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9103.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Google\Chrome\updater.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2016.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2016.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sfjbfrt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4786.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sfjbfrt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C3BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7F4E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F2E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AE5F.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C64D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6CT4pI4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1762.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0afc3c65-1059-4061-a60d-59af61ed764c\\9103.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9103.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7F4E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Google\Chrome\updater.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.ipify.org N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4048 set thread context of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 2056 set thread context of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 4692 set thread context of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 1296 set thread context of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 set thread context of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 2156 set thread context of 4300 N/A C:\Users\Admin\AppData\Local\Temp\AA49.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4444 set thread context of 2168 N/A C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe
PID 4640 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\C3BD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5108 set thread context of 704 N/A C:\Users\Admin\AppData\Local\Temp\8F2E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3040 set thread context of 5172 N/A C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe
PID 6068 set thread context of 6224 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 7488 set thread context of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2016.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2016.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sfjbfrt N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sfjbfrt N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2016.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sfjbfrt N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f6a3277fba36da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\recaptcha.net\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = a08a0fc6ec36da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\paypalobjects.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\paypal.com\NumberOfSubdomains = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.paypal.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\linkedin.com\NumberOfSubdomai = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\epicgames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\epicgames.com\Total = "15" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.recaptcha.net C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.paypal.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "40" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "24" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\paypalobjects.com\NumberOfSub = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4d11d55eba36da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "248" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\hcaptcha.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0b02bb57ba36da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.paypalobjects.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\epicgames.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\c.paypal.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2016.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sfjbfrt N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 4048 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 4048 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 4048 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 4048 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 4048 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe
PID 3324 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 3324 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 3324 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 3324 wrote to memory of 1924 N/A N/A C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 1924 N/A N/A C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1924 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2056 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 2056 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 2056 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 2056 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 2056 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 2056 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2016.exe C:\Users\Admin\AppData\Local\Temp\2016.exe
PID 3324 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\Temp\4786.exe
PID 3324 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\Temp\4786.exe
PID 3324 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\Temp\4786.exe
PID 4220 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\4786.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4220 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\4786.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4220 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\4786.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 4692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 4692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 4692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 4692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 4692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\sfjbfrt C:\Users\Admin\AppData\Roaming\sfjbfrt
PID 3324 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3324 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3324 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 1296 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 2244 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 2244 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 2244 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3604 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\9103.exe C:\Users\Admin\AppData\Local\Temp\9103.exe
PID 3324 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA49.exe
PID 3324 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA49.exe
PID 3324 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA49.exe
PID 2156 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\AA49.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe

"C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe"

C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe

"C:\Users\Admin\AppData\Local\Temp\931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363.exe"

C:\Users\Admin\AppData\Local\Temp\2016.exe

C:\Users\Admin\AppData\Local\Temp\2016.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2101.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2016.exe

C:\Users\Admin\AppData\Local\Temp\2016.exe

C:\Users\Admin\AppData\Roaming\sfjbfrt

C:\Users\Admin\AppData\Roaming\sfjbfrt

C:\Users\Admin\AppData\Local\Temp\4786.exe

C:\Users\Admin\AppData\Local\Temp\4786.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Roaming\sfjbfrt

C:\Users\Admin\AppData\Roaming\sfjbfrt

C:\Users\Admin\AppData\Local\Temp\9103.exe

C:\Users\Admin\AppData\Local\Temp\9103.exe

C:\Users\Admin\AppData\Local\Temp\9103.exe

C:\Users\Admin\AppData\Local\Temp\9103.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0afc3c65-1059-4061-a60d-59af61ed764c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9103.exe

"C:\Users\Admin\AppData\Local\Temp\9103.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9103.exe

"C:\Users\Admin\AppData\Local\Temp\9103.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AA49.exe

C:\Users\Admin\AppData\Local\Temp\AA49.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 852

C:\Users\Admin\AppData\Local\Temp\C3BD.exe

C:\Users\Admin\AppData\Local\Temp\C3BD.exe

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe

"C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe"

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe

"C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe"

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe

"C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\7F4E.exe

C:\Users\Admin\AppData\Local\Temp\7F4E.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

C:\Users\Admin\AppData\Local\Temp\8F2E.exe

C:\Users\Admin\AppData\Local\Temp\8F2E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\AE5F.exe

C:\Users\Admin\AppData\Local\Temp\AE5F.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /Ctimeout 5 && del "C:\Users\Admin\AppData\Local\Temp\AE5F.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\C64D.exe

C:\Users\Admin\AppData\Local\Temp\C64D.exe

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe

"C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\timeout.exe

timeout 5

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 2008

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6CT4pI4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6CT4pI4.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fN6WP23.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\1762.exe

C:\Users\Admin\AppData\Local\Temp\1762.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 158.160.130.138:80 host-host-file8.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.130.138:80 galandskiyher5.com tcp
US 8.8.8.8:53 138.130.160.158.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:80 api.ipify.org tcp
US 8.8.8.8:53 brusuax.com udp
BG 91.92.254.7:80 91.92.254.7 tcp
CO 186.147.159.149:80 brusuax.com tcp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 7.254.92.91.in-addr.arpa udp
RU 5.42.64.35:80 tcp
US 8.8.8.8:53 149.159.147.186.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 154.8.185.41.in-addr.arpa udp
US 8.8.8.8:53 elamer-llensha.com udp
US 172.67.139.220:443 api.2ip.ua tcp
GB 185.77.97.33:443 elamer-llensha.com tcp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 iplogger.com udp
CO 186.147.159.149:80 brusuax.com tcp
US 104.21.76.57:443 iplogger.com tcp
BA 185.12.79.25:80 zexeq.com tcp
US 8.8.8.8:53 zonealarm.com udp
US 209.87.209.205:443 zonealarm.com tcp
US 8.8.8.8:53 57.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 205.209.87.209.in-addr.arpa udp
US 8.8.8.8:53 33.97.77.185.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
RU 77.91.68.21:80 tcp
BA 185.12.79.25:80 zexeq.com tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
N/A 195.20.16.188:20749 tcp
DE 116.203.3.40:3000 116.203.3.40 tcp
US 8.8.8.8:53 21.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.3.203.116.in-addr.arpa udp
N/A 195.20.16.190:38173 tcp
US 8.8.8.8:53 190.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 209.87.209.205:443 zonealarm.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
RU 158.160.130.138:80 galandskiyher5.com tcp
US 8.8.8.8:53 transfer.digitalmonks.org udp
US 208.99.62.244:443 transfer.digitalmonks.org tcp
US 8.8.8.8:53 244.62.99.208.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
RU 94.228.169.207:47379 94.228.169.207 tcp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 207.169.228.94.in-addr.arpa udp
US 8.8.8.8:53 www.kaspersky.com udp
DE 185.85.15.46:443 www.kaspersky.com tcp
US 8.8.8.8:53 ip-api.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 store.steampowered.com udp
GB 157.240.221.35:443 tcp
GB 157.240.221.35:443 tcp
GB 104.103.202.103:443 tcp
US 34.196.248.146:443 www.epicgames.com tcp
US 34.196.248.146:443 tcp
US 8.8.8.8:53 opposesicknessopw.pw udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 146.248.196.34.in-addr.arpa udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
IE 163.70.147.35:443 tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
IE 163.70.147.35:443 tcp
US 104.244.42.193:443 tcp
IE 163.70.147.35:443 tcp
US 8.8.8.8:53 88.17.225.13.in-addr.arpa udp
DE 116.203.3.40:3000 tcp
US 104.244.42.193:443 tcp
US 104.244.42.193:443 tcp
DE 116.203.3.40:3000 tcp
US 8.8.8.8:53 www.youtube.com udp
IE 163.70.147.35:443 fbsbx.com tcp
IE 163.70.147.35:443 tcp
US 152.199.21.141:443 tcp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 www.linkedin.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
IE 163.70.147.23:443 tcp
US 193.233.132.74:50500 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
US 8.8.8.8:53 104.135.221.88.in-addr.arpa udp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
BE 13.225.21.174:80 ocsp.r2m02.amazontrust.com tcp
IE 163.70.147.23:443 tcp
IE 163.70.147.23:443 tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 142.250.179.238:443 tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 3.220.208.29:443 tcp
US 3.220.208.29:443 tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
BE 13.225.239.101:443 tcp
BE 13.225.239.101:443 tcp
GB 142.250.187.246:443 tcp
GB 142.250.187.246:443 tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 88.221.135.104:443 tcp
GB 88.221.135.104:443 tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 172.217.16.227:443 www.recaptcha.net tcp
GB 172.217.16.227:443 www.recaptcha.net tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 192.55.233.1:443 tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 soupinterestoe.fun udp
US 172.67.221.65:80 soupinterestoe.fun tcp
GB 142.250.180.3:443 tcp
GB 142.250.180.3:443 tcp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 64.4.245.84:443 tcp
US 64.4.245.84:443 tcp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
BE 13.225.239.101:443 tcp
BE 13.225.239.101:443 tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
GB 142.250.200.4:443 tcp
GB 142.250.200.4:443 tcp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 www.youtube.com tcp
US 192.55.233.1:443 tcp
US 192.55.233.1:443 tcp
US 104.26.13.31:443 tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
GB 142.250.187.246:443 i.ytimg.com tcp
GB 142.250.187.246:443 tcp
US 172.64.146.120:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 tcp
US 8.8.8.8:53 120.146.64.172.in-addr.arpa udp
US 2.17.5.46:443 tcp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 90.219.19.104.in-addr.arpa udp
GB 142.250.187.246:443 tcp
GB 142.250.187.246:443 i.ytimg.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 104.19.218.90:443 newassets.hcaptcha.com tcp
US 104.19.218.90:443 newassets.hcaptcha.com tcp
US 8.8.8.8:53 90.218.19.104.in-addr.arpa udp
GB 104.103.202.103:443 steamcommunity.com tcp
IE 163.70.147.23:443 tcp
US 8.8.8.8:53 api.hcaptcha.com udp
US 104.19.219.90:443 api.hcaptcha.com tcp
US 104.19.219.90:443 api.hcaptcha.com tcp
IE 163.70.147.23:443 tcp
IE 163.70.147.23:443 tcp
IE 163.70.147.23:443 tcp
IE 163.70.147.23:443 tcp
IE 163.70.147.35:443 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 116.203.3.40:3000 tcp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 52.217.115.225:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 225.115.217.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 133.5.17.2.in-addr.arpa udp
US 92.123.128.161:443 www.bing.com tcp
US 92.123.128.161:443 www.bing.com tcp
US 8.8.8.8:53 161.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 172.203.55.245:666 tcp
N/A 172.203.55.245:666 tcp
N/A 172.203.55.245:666 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BE 64.233.167.84:443 tcp
BE 64.233.167.84:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 142.250.200.35:80 tcp
US 8.8.8.8:53 udp
US 152.199.22.144:443 tcp
US 2.17.5.46:443 tcp
US 2.17.5.46:443 tcp
US 8.8.8.8:53 udp
N/A 104.21.52.129:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 2.17.5.46:443 tcp
US 104.244.42.193:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 104.103.202.103:443 steamcommunity.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BE 13.225.20.96:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 172.67.176.11:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 2.19.169.32:80 tcp
US 2.19.169.32:80 tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 152.199.21.141:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BE 13.225.17.88:80 tcp
US 8.8.8.8:53 udp
GB 142.250.179.238:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 151.101.1.35:443 tcp
US 151.101.1.35:443 tcp
BE 64.233.167.84:443 tcp
BE 64.233.167.84:443 tcp
US 8.8.8.8:53 udp
US 152.199.22.144:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BE 13.225.17.88:80 tcp
US 151.101.1.35:443 tcp
US 151.101.1.35:443 tcp
FR 216.58.204.78:443 tcp
FR 216.58.204.78:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 104.103.202.103:443 tcp
US 8.8.8.8:53 udp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
RU 5.42.65.125:80 5.42.65.125 tcp
US 8.8.8.8:53 125.65.42.5.in-addr.arpa udp
N/A 195.20.16.103:18305 tcp

Files

memory/4048-2-0x0000000000890000-0x0000000000990000-memory.dmp

memory/4396-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4048-3-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/4396-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4396-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3324-5-0x0000000001250000-0x0000000001266000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2016.exe

MD5 7a6452eb2a063fa9d4705d0d9afda863
SHA1 28e418060ae22da45523431214904a4b443b9946
SHA256 ad508aa9f865664ae628cdcf61ce53c7f2fafc67f7ed7e23a8fece9468f6879e
SHA512 ee94d58c2859266dc1f549727a363a0f3b9d4fdad7af40910f6170d488be97f69eece13588751b58d8fec6d36abc79075fdf5d813da6d6d42bbc23076fa052d3

C:\Users\Admin\AppData\Local\Temp\2016.exe

MD5 d5d1cb24cd18b9b5c09429aa8be0a3d0
SHA1 eb5857fd0e0941d618ab5f50040d4524a9b3f6f3
SHA256 a2fa9fe738b7fea3be527a81e2f4d308d52c31c040208770e3b25efd1b9d7380
SHA512 51d40b984a3997409dd7549ce96382a936def87dd6239941f9bd2c3af8933217bda54acaabfbcc185a3f17647f6358cefd83ecb8a322d7bed6af9e2550dec1b6

C:\Users\Admin\AppData\Local\Temp\2101.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\2016.exe

MD5 93d394f7d2e21dacf73b0aef0e580ed6
SHA1 9a24985edee09f605c18a5faf911fff686af03db
SHA256 221547776a17eb5cfb87873a686bfff8df4d3ce63815b2ebc9ffd85ed06e2a81
SHA512 2d4aa4178c46c50e7f54f1d827085f2ac3d258f55cfcd2f4e8a48d01d7cea8f440c2fb9d6074645227a1113d28bea9f031570c4a5901050d97fab784004c529b

memory/2056-22-0x0000000000470000-0x0000000000570000-memory.dmp

memory/5012-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3324-25-0x0000000002B70000-0x0000000002B86000-memory.dmp

C:\Users\Admin\AppData\Roaming\sfjbfrt

MD5 70220c50bb4d6b5c323ad3322eef8c80
SHA1 f5ac79382662f6f08512ab6c6d702450dae29c52
SHA256 931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363
SHA512 f058538a8728a720a34929892fd7abb15d73cab3c97a89bc1780828c78b0532d08f259a1baaf289aba3bb65d46c65eb9bb7b8998f5dfb47e53c7cf4c925a970c

C:\Users\Admin\AppData\Local\Temp\4786.exe

MD5 1d7e50766b2be5561df65d1bb075ff84
SHA1 85b5116b96a67a35efcc5ebd83712d96db55bd13
SHA256 cf9fee26e938791717129901c11f6906f73bffaa8be9c833bb3fe88199e34b01
SHA512 76bf76445251a43d7b2f09fa8039bb9240c3e400b1a3c051d2c282e6eb2025a3325cbbd239492e660ded70d3c73bb0150f2cbb440800688050671d66a6765eb7

C:\Users\Admin\AppData\Roaming\sfjbfrt

MD5 28b9f06d7623a81742ec270e86b69df0
SHA1 0208f8150168d3aa9222edaf3cd9f07fd6c43c28
SHA256 b56033388d4686988fe26018a926c3f8a03dea32bfc29979db07dafe6ec8ffb6
SHA512 cb663f053501600a9932596f67198ee6ae0e4a2ac8ee479ad7aabefe06b480381ba6dc5ed30d976f2e643b0951eac12b6b8b3e321b0cb3fd18e27f41de5a6224

C:\Users\Admin\AppData\Local\Temp\4786.exe

MD5 344a018eabc091231c821db4f77a9f88
SHA1 8fb5bc8c0f3880c7e53b8abce922af392c8dd0de
SHA256 f1ad3acaf7c4c43df290e89484536f4621d200120613519704d30c6342ce8fe5
SHA512 401d223c93eef140624d968103b2c969232a7cfe44032d65c45410cfec2d847e51f90c47f98407a5c3b8fed174a7162965df7e805054ad392214116467cf211a

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 f25ea6d86052291cd04fafefcbdd1704
SHA1 71d4994cb3b37f19d7e422f3713986129d6257f1
SHA256 d50e6d7654ddc8f41e3346acc1b7a888944498100fc1cda6838fbcca517aa5ca
SHA512 2bc11636c03251a0082c1954e086cf2c4f51167dbd1066c76057c2b7de2833bfa51c5a3822977ba08c9482dfa5e07a1c123b8b4894e04a918a7e03a21f2cb25d

\Users\Admin\AppData\Local\Temp\nsj4F65.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/324-44-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/4692-53-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

memory/3324-61-0x00000000033A0000-0x00000000033B6000-memory.dmp

memory/2144-64-0x0000000000400000-0x0000000000409000-memory.dmp

memory/324-67-0x0000000000400000-0x0000000000965000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9103.exe

MD5 dd803c103e918f98c2d88cb2efd8ab53
SHA1 fc669950aa80e984f076c2841ee9ade83454cf51
SHA256 82268d688b6462c8aae6373a3ca362cd4de78fb63eb13556c0247371cc5f153a
SHA512 7fc576b6c69dda6b72c1561f7ac9107c836bee5d8d5ab4ca105cc8f41067f8830d1361a29a48281e94cf0f32da31c169b31cfc46a6ca2d280502b99fef93078a

memory/324-73-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/1296-74-0x0000000002140000-0x00000000021DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9103.exe

MD5 35348cc245de5f809f6ff166d74b8f5a
SHA1 396c8695a6a69017b053e7487431c20b55adf1bf
SHA256 907757dffbfcc519f7d381b1a05b66c7f8ee320ff177b42e527e708c08a037ee
SHA512 33410bceebb594e7c644c723e032bcc9ce62cb35bd507be125fd6368a015c1828cba429b347e98fdd1c8e559f5e96247382393b43361de25287895d7d05c6ab5

memory/2244-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-76-0x00000000021E0000-0x00000000022FB000-memory.dmp

memory/2244-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-93-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3604-97-0x0000000002130000-0x00000000021CB000-memory.dmp

memory/5016-99-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5016-100-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5016-101-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d04e753ffb69b81fe50f136e086c176c
SHA1 80f887004508c2e35c04e4dd3e79ca5f6e646c44
SHA256 5dc770e8f84d7f1838951afcd79a4447918492dec72d989f711e9c1b592f8efc
SHA512 1b06d4b8004f2f2c1128b85eca1ad2478648a87d03436b5c1f9fd2a19e11c71e0ea285971430e5dc6af2ad809d23ef657046f7aa3ab9bfde93cb5748fb2814f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e99c729661d361cfdeccb76fb786aea4
SHA1 f91d515bd1fd8fbe2a4d274f8062af1d0bd23a8d
SHA256 ffab13b85532e329f80d61cef78d604e593cf8d409e5aa117e3b9b3c96926159
SHA512 4317e4bc797f0efca9ce3ab3bc404e35d965a8135e5efc17a5b92c7751c060998339640a0f66d5ad815d7c9ccd06d34cc8f6c22d092d3698fc13cfd283ec3241

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 46b098634cf96f48e6232e0ef1ebf19a
SHA1 279df9fbf9963beaa24184236b658cdb7d3751c1
SHA256 dd85fc53aefa618ca668c9c40a8185e3a4a1948ed2b58b3737af3cd4a465dd48
SHA512 f9e781d178e295b19fdef9953e035b1c7ec00b429e89a5125dc1aecc0c4f3c242913ff5a7b4bd1527491d388ba30e1d3978fdb6f10e685e608742c7c345208d2

memory/5016-110-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5016-106-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5016-120-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5016-123-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5016-122-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AA49.exe

MD5 be7ee6b816a54631a27b2caab3676d84
SHA1 335db082df55535ec97d795a1174f4c33a488099
SHA256 2199cc20c25002e1a883887354571bd5d1a973eab8441a9a0af12301031fa05a
SHA512 f41dd98e23bd199f0a7904756852e69435b1342b5470da959d7f3905e27ad9720154484bd5c13382e6f767f4a3b80543b3fea5cc5d46bf7f872896726ce44f6e

memory/2156-137-0x0000000000450000-0x00000000004D6000-memory.dmp

memory/2156-138-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/2156-139-0x0000000004E10000-0x0000000004E20000-memory.dmp

memory/2156-142-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4300-141-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2156-140-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4300-145-0x0000000005250000-0x000000000574E000-memory.dmp

memory/4300-144-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/4300-146-0x0000000004E50000-0x0000000004EE2000-memory.dmp

memory/4300-147-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

memory/5016-148-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C3BD.exe

MD5 3fdb3d1feb684e959c2370602daac86c
SHA1 870355a919bf68be1c6780f2267b80cea4d07193
SHA256 4faa543329d74b42047f730a3990857b3b627a8f254f8fdce8b73787e4a6823c
SHA512 f127e8469497549400c3e0d423d1e001cb05dea99534dfdd8f04dc0cf452774f08b3a8a42ea761afb961134d3af397e04f454d35016eb1d557366286a1fc1867

memory/4300-152-0x0000000005D60000-0x0000000006366000-memory.dmp

memory/4300-153-0x0000000005750000-0x000000000585A000-memory.dmp

memory/4300-154-0x00000000050C0000-0x00000000050D2000-memory.dmp

memory/4300-155-0x0000000005120000-0x000000000515E000-memory.dmp

memory/4300-159-0x0000000005160000-0x00000000051AB000-memory.dmp

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe

MD5 0aeb49f42166d07a03da8da19fca20c2
SHA1 9f1815aa6d5b1458da1e35fdc49b394ddb046e01
SHA256 1e11c198974bface4638f14d37400378274cc7c71660eaa002c1310f5d583ba0
SHA512 dca7e30ec414b1517b6a975b42c2320c6a316f50876e8aac767394f3f315a255d788e075c85f0bbcd0183beda597f6a6ec927cafa777434933b54fd9c58e77ba

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe

MD5 9cedaf2e597099ab7a0286ee1b933835
SHA1 fca72c1afe93316bf0719cc538931518872cbc8d
SHA256 3338ddf1d4b0f759bee45f63c212fdbcc8a7dbfc42eb44596f575f68f4f53b4b
SHA512 f2f12e2b895011b42b7b1f831677972212e4cf262bebcc34cb99e1c6e6c7fde1b78ed1c4e0fce87d092bc536a835dc78c05498b73823e00050a425604725898d

memory/324-165-0x0000000000400000-0x0000000000965000-memory.dmp

memory/4444-172-0x00000000009A0000-0x00000000009CC000-memory.dmp

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe

MD5 fa8cb884da7d910abe76b5f3a98b21fc
SHA1 4b02cc1fef36498a3852965ff328772846c89dc4
SHA256 09e7ff9bafdd7bddf9fefffd2ed1529475eb52cc13ed386722967b93364b89a6
SHA512 e39229d9a6562b06f6d6a881a187c9971b89ac7dbdfcbd7981059b63f2fb6c37c41f035a5514f7f65a7ed6b0d9db973e43f024761bd552e5bf4dd2a2460e6fc8

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe

MD5 2bfde13185fdd7095bc8dbb326cbc385
SHA1 d516fffab5d9e7d27b98011b09d6db0f375f267e
SHA256 7890b51e3bf202bf48fd386b6e13752f4f7fe6bc4a2dd5c4d7ba49335aceb213
SHA512 75d39972ee8a27473748d0638b5c05978f4908fa9e0160b83195e0b2a0065a28894f94d8c67cef3d651e109b48a5b48076d226003fffa5dc9c1eddcd5ca2b5a5

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build2.exe

MD5 880ad0585cc3eaed75f4e17a590b7daa
SHA1 8413420e018d45fbd29d43d032f297a4675721cf
SHA256 20d1b1dee742e88ef46473b4b3ba39955c9b28e85dc6b166c104c3deec3c9292
SHA512 7de974e1e2387de6a25df836cddcd93a05584b168841496030c679d4e03c77033fe15790ca8c6eb896322fefd9142d2de6b195af6a334d7f31f95ea36b07c12d

memory/2168-177-0x0000000000400000-0x000000000063F000-memory.dmp

memory/5016-174-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2168-180-0x0000000000400000-0x000000000063F000-memory.dmp

memory/4444-171-0x0000000000BA0000-0x0000000000CA0000-memory.dmp

memory/2168-181-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2156-182-0x0000000071C30000-0x000000007231E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 1c7c7ebea7c75f2ec3548ce2d6a39ac3
SHA1 c3d99b85cfa27bc454ba99a0df50dd52668a67d9
SHA256 5e64cc685aa38cb30f5fc52967d78ee81bb1ff997ac5ffa721860d3eb88c07da
SHA512 be351a8ccab95c1886ca539af6cb7d9c77eb8f1287e478de7c0d5bbfb132774d04312ab96ebc71c6ac9ab2441f660bd775c4f152d488e30b9b7cd5fa9326f786

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 ebd31ecf0125424d08bb3f46c850031a
SHA1 1788e028fe99eb596f47955bb464577191c2f482
SHA256 06637eccfa61fc658c230a358493f5d7cc2eac5060a47dfa6a0305646fdab2c4
SHA512 566599bdfdaa1de57bc0543686e54ad7bd97a307d1a2332c7a5068dbbf9008e668b022aff93b36c048830bde5fe977afc0d95b079ddb14611d4a9f5799b394c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 edeecc9952f14172d12e4b034882fef5
SHA1 805de581e19e3ba5ac875c725d4c279c205fa52f
SHA256 4a272ea17af957c95f64ef01fa06290464261a50780f4fa0654e09539d29ede4
SHA512 ce0de5f1eca8b90f8b8af74db5481bd81ca8b81e57728e164c7c9802cb434e9fc3b66aadac5eb0b3c167a2c37be51ba5ef13c99614b6ac59530889c21dbe81b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 9feb22cf56e2ada834e05c19fc8d5286
SHA1 e18d22331c1ca45b9e532147bf9dcd760c15d008
SHA256 e6727209e100caa1963295c8012f186c9c01a0d8b81a9ec7c70ecdea64832ce3
SHA512 025e68c3a1c44504ac4112a38b187cb3e28248e190f23aca03a488fe00a5d79bf30f4ba6daa65f8b76b4b6ff161cef816f6080d7c58638018e859abc838ad98d

memory/2156-194-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4300-195-0x0000000005920000-0x0000000005986000-memory.dmp

memory/4300-197-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/4640-200-0x00007FF745700000-0x00007FF745D27000-memory.dmp

memory/2168-201-0x0000000000400000-0x000000000063F000-memory.dmp

memory/4640-203-0x00007FF745700000-0x00007FF745D27000-memory.dmp

memory/1296-202-0x0000000000760000-0x00000000007B2000-memory.dmp

memory/1296-204-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/1296-205-0x0000000005170000-0x0000000005180000-memory.dmp

memory/4300-207-0x00000000071F0000-0x0000000007240000-memory.dmp

memory/4300-208-0x0000000006A00000-0x0000000006BC2000-memory.dmp

memory/4300-209-0x0000000007900000-0x0000000007E2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 d00b5757136d79efaae9479f527dee64
SHA1 4aeda06f0d76b7cb335645fa7177efb432a112ec
SHA256 82abb395f2f65d4ac61510b46b91c652a0d273709024c075744eee8578fd7974
SHA512 f325384eef0b9c08a1cfa9f5cb949d9da7168599c0cc8ebb14e977bbf7cd2d36a35012b504f8eb67cb71f36044f76242f4b14ba8db3ec8f702653b8fcced12b3

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 2e0efd159b66fc93b9960954e0d89dd3
SHA1 5cfc11c7c8287cba8cabcd16d89fb76e0573f963
SHA256 8d9296c46ca8c275fc8da20ec8a0bdbdeb37b2b3542c714ad3dd5a96bd1ae54c
SHA512 4967b3c540d22b1ad60f19b9da63d13e381a872710a0d76b0b81ed79f78534ffc4bbdcd4cc71570464393973f437f564440495a144a774026b3172fd5e3c0f76

memory/4300-219-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/3616-218-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

memory/3616-222-0x00007FF8041D0000-0x00007FF8043AB000-memory.dmp

memory/3616-220-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

memory/3616-223-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

memory/3616-224-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

memory/1296-227-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/1296-228-0x0000000005170000-0x0000000005180000-memory.dmp

memory/3616-230-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

memory/1296-234-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/4484-239-0x00007FFFE74A0000-0x00007FFFE7E8C000-memory.dmp

memory/4484-240-0x0000021078E10000-0x0000021078E20000-memory.dmp

memory/4484-241-0x0000021078E10000-0x0000021078E20000-memory.dmp

memory/4484-242-0x0000021078E20000-0x0000021078E42000-memory.dmp

memory/4484-245-0x0000021078FD0000-0x0000021079046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1isixfm.yko.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3616-258-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

memory/4484-259-0x0000021078E10000-0x0000021078E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F4E.exe

MD5 c1ddb3316553c2700fad50249bc1a761
SHA1 35d75826c0823f2e420e1f38aeb42bf8bff7eaf2
SHA256 9fc369f2d5a698326dd3d4881b06ce19173e10c66d3c343a7b3e5b3db39d8deb
SHA512 25d7c2aa9ed1f22b66237c0090f1dcd272d118678b8e99dab01f9d2ded1de5f9214d66ca133b3c9da7718f25a69284414d1d0a560cce4cfc96b0359bc6d392ab

C:\Users\Admin\AppData\Local\Temp\7F4E.exe

MD5 4184b9f5af467c571cd9756a261f7754
SHA1 e9e08fca8dc91d584c43c60e3d00b802b356b19d
SHA256 f57c9e87237c77016e75b76efc3466510c9674199f8dfdad00b678c807b2f117
SHA512 0a0d212715fab46c25625191c0891db8d5367180cdf60a5c61c19ad75306fafe2e0ecc29724ca2d08f1dcdc955f985941c3725db6dd816c644962251333d0879

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

MD5 cb839466ee295fa7750da7c894066faf
SHA1 13eac7c1462d9d9f5b56a6475beccdd83f2617ca
SHA256 ae885dc509f7456915bbadbb409132c4c79732a066b5593113347941c3cdd6b4
SHA512 5687e587b6dfe876e4ea3dace7fc21f91a0fb681978ceb2e411f45d42c50772286948f7729ce018d8d6afc3d2334ed8ea895dcf0d1035f2692eb5b4d4ad98edd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu7Bd84.exe

MD5 c8334300c6d727f3277efdb741b21aaa
SHA1 30fb7ade19ea362aa2c47e91009150d885b8ce66
SHA256 6a0792b7ad6115b9b4e42b64ad3abb1d143318fef269b9d57d9c4dd3e40accb5
SHA512 82f93a7ffb92945b63edad220b6afd4120aad535cdcb2f4a8f7568e39ecdba94850ee8433270efaa7e59682871bef5c72ff7def9ddafa4485eefa59098b04095

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

MD5 dd134d142cfd3afd71e260787e0b1cc7
SHA1 9af213109b5fa620fc03515ed12ee8c8676d3e01
SHA256 341fc8f8b7a293322f22e4d2dade96022bf452b8a74c32a7a5b81568593b574a
SHA512 178115f7892a86baa74019eac0cf66903c7b3f481255111edb6c7cecf33e8997afc7cb0f2b2e551c775f57a26946dba4a3518753c98aa308c2332566d0fe051f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zK2nZ95.exe

MD5 c9ae05a7743a47140343a388d8f29fd0
SHA1 4d77f812c9a14aa9222ee898747da910fb1355d5
SHA256 b711ef99b3bbd69e1c01bbe331fe9259fe246c2969e082d942e3c47d001adc5b
SHA512 b2553550c07c5be057ead549b1432ae6ce0165e2cf7cf151871ddcee2264b6b96602d867e4b09f58dc44f23b71cc8a35909bf87a1b84a0c81e6f93b6bc1a2418

memory/3616-304-0x00007FF8041D0000-0x00007FF8043AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

MD5 de7ae52a68657c8f43eb63a43be3a571
SHA1 dc14c8f507ab6285243d47d144fd2eb41eb8b85c
SHA256 b863ff59c6383dd239c659fd26d0f86a8ec4dfcc89a5f964b2532c775b71e6f4
SHA512 55b325d45931dc5e3ffcdebbc0b9c0e6b146e06a2eecec40b8014ac56159166469f578e62a07e3000000b27ff308f8bd0812bc28570e483519165a218ab5fb80

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vf74UB4.exe

MD5 51e1b2ce1a63e9b300487f6586a81a85
SHA1 d5ac4c9ab4df010e505e902f0f8feba607e5d8c2
SHA256 f29a8a7f30ca311e32c78aa3b8f63beca1b1ffee5bcecadfd06f8057fa568dfc
SHA512 860d2b7659c4acfc664a94be21dff43ea5dfb5cf5538b7f2a426c6054def1a3a7fd21c221e616069a85d97e45861c2c78aade015f99ae90b014d48d4692cdecc

C:\Users\Admin\AppData\Local\Temp\8F2E.exe

MD5 0d993b640cc0d293b6b922e66a7e8b07
SHA1 59838ae3fafb0882470862f1c48e0db5a369ed76
SHA256 97f9f4ea41e388a336f320e5c261613bfe95708fef2177425e2b3b8f206c0ddc
SHA512 3205653cdd0de115473e39726a1daeee4df7c296786539f8b3d75d81e8153381056340a6388a8f6aeb7f28bb23230d6dbf8ebc5821f66107dc9d094a9af02ca2

C:\Users\Admin\AppData\Local\Temp\8F2E.exe

MD5 c39fc45c5f3cd160ebf456430fb4fc11
SHA1 d4a702d71e1eb78dc3dd5c1bca03eb3a7ffdff32
SHA256 bca31568026e0d5947808a4926ac8fe7fcbff33ed6d81bfad10da31d2ad513a8
SHA512 593a72ba00f2f5d045bc37530fe7fd286e9824c8446cd014f4f5fdc01f027c2b1d7fd0de6b9b48b1b32dd1439b51d6e283e4084d4455d15e718fbe05cde8fdb3

memory/5108-317-0x0000000000460000-0x00000000004B4000-memory.dmp

memory/5108-318-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/5108-322-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/5108-319-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/704-326-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 90f2958528f036abcae48d93ede6f8ce
SHA1 e5a6935d1c874d66766b83882e49db9d84be3b8a
SHA256 4a32fff3e568bf2d9ae0f88279de7009f7949d4030a3a0005e56171268b9f74b
SHA512 0c89f2b88e89c9b77a0e4d034513b82c70fa5c57ec976eb418202472eb5ab582e184abfe696927526da0dc687c14e24c9cee1d39432e5f7b4a67b60e0ad25b91

memory/704-328-0x0000000071C30000-0x000000007231E000-memory.dmp

memory/4484-329-0x00007FFFE74A0000-0x00007FFFE7E8C000-memory.dmp

memory/4484-330-0x0000021078E10000-0x0000021078E20000-memory.dmp

memory/704-331-0x0000000005180000-0x00000000051CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj4F65.tmp\INetC.dll

MD5 c7ae096c02849c7eeb07623b18de8a59
SHA1 9f57c75aa9f96121413a793d356d876a09f564ca
SHA256 711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0
SHA512 2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c

C:\Users\Admin\AppData\Local\Temp\AE5F.exe

MD5 e87027fda93d68e58659c29f7ec72f01
SHA1 175332b27a02664fd7bc49d3f1b3a2cac97caedb
SHA256 c0ea520bb9c1afe9b26920a2a532e303afa02d266f7ccb93e826966c4896e29d
SHA512 4d49c352007fe24b309ca38b5934f664e4cf06aaadb9e55d1a9e40c95d2f034e261131380445cb17ccd3ea89eb4b66279aabd272041917fec3d6b37230cdf386

memory/4484-379-0x0000021078E10000-0x0000021078E20000-memory.dmp

memory/4508-380-0x00007FF61C780000-0x00007FF61CDF2000-memory.dmp

memory/4484-384-0x00007FFFE74A0000-0x00007FFFE7E8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBC1A.tmp

MD5 abc1e85e3523dabdceb58fa805cdf3df
SHA1 316431de41684fae0aa0f471023e1d1c5703eb21
SHA256 2cc8a97fcc9f7ef33c297d74173d6c5b369d484a50b365bd2b54f5523a394eb9
SHA512 8b64c2e6fc5b58a0ea189651bae2af5811c363af52b50fe4ec918468226338bafb185fc7e80a9e63cc575ebe9bc5113e143f7bf75cbda20bb1ca8c22441c5c03

C:\Users\Admin\AppData\Local\Temp\tmpBBF4.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/3616-462-0x00007FF6E3130000-0x00007FF6E3EF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBCF1.tmp

MD5 290556574156497ac0fccc0feb7eacd5
SHA1 ef668f28e71d1f5fbbbd6b267d263a644f060213
SHA256 1343319eb599b247c8663fb798b78c2b17aa0e55e0c6fd1be97d2489a39e14d5
SHA512 ec32c704416f599aefc0e53436d75119f24cea2a35999a560a955a3f9f361e07f9dc2024a674429642dd98fc43535fe4c6f9947756f812f28dde75b11b78923a

C:\ProgramData\Google\Chrome\updater.exe

MD5 3f6074af1b54d39e713b03c8f59962af
SHA1 640e4197658062c6ca84d8e532c9872c84727c13
SHA256 c926f5d4ac522735d48dbd8837f9c515f41df44c968b7d1b0e52891787aa4106
SHA512 b530cc2a529fda1cec3ffc232d32c848e820e410816b4e40d57db17e03caf958fbe7dce54557efd888d69fe206798ca6445e54db04052ccd4420e0e396a0114e

C:\ProgramData\Google\Chrome\updater.exe

MD5 c8f8954b250aa3d0137ad99b39049f31
SHA1 b8b8341dda08c859e6abeadad5e3226a49d33d51
SHA256 5ef19f8556cf2e489434350b8701f152362ebbd618025c68e24433b9e01ee4da
SHA512 fd390e85636fe0bab3943b23393a727cf8423c6d600b6557051f953003ccc103edda69acb04b3edab953c7876404affb2bff61507085e43054b4318b80682356

C:\Users\Admin\AppData\Local\Temp\C64D.exe

MD5 23613a96bfd63b76d6a3f5ea4de0acb4
SHA1 76a56c5e1b256ec50b7f4cfa947475e5c0a6d882
SHA256 ee1630eb90acb11b473b5c61bc04394361bde837d80237375cdd66373d5fe84b
SHA512 7c905863e0f04b65402cc2f484704b41f857e5bf892716b11bbe7f4b587459c9059f1e6fe874a807b3ae70504b2fa9da385106b37cde50d31f0e4e0cd953020b

C:\Users\Admin\AppData\Local\Temp\C64D.exe

MD5 bd8eb4ab879dfd07a9e5626bd7686fb2
SHA1 5af05f479371db1edfe4f931dfb5157299d02919
SHA256 010df38d7ab1317d3cc19cb4845b02e6bf5f98064fad1c989e1505dd8ecd7d92
SHA512 98053058298da8ce3cd06c303b71c02f87c6dd61e29341bdc0665640783f35ad68b08a4ecf1ea7d2f2e4071176d1be54234ed306a7cb6030f00b15ffa232fecf

C:\Users\Admin\AppData\Local\50fa4066-8d3e-4d96-b9a0-0619badfc5dd\build3.exe

MD5 12889d9f30a8fdffcb886f36a99100bc
SHA1 116269a5d61ce5e2878c1fd808a4b7df776ae701
SHA256 85ab7ebf38031d92f450e83ce7017c38d87a6ea66c39af5ce4c2239eeab1daac
SHA512 df6a7ef6d278853fd98c3bb331a9c3f593a89cefd7d3aa62c4b4888ce9dba80259670eaeb6801fc383d28e45d60f108323ce1f2eeb95cd705112c997ad3beb9c

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ddbe52071b0ce409334143e4ffbc289f
SHA1 c2dc4d24fa6bad51cb2a648794ea38789463f9b8
SHA256 cf97c1877ab77baac2f3f5ff35e55dbb429c0f7a49d3a137ba110af6f18512fa
SHA512 4672938b60c2de830c32230a248d8d831520198e8bb7e6a5e2451b17b4617c16ac8d63c56261c7e5d14a29f1e9d3d96ea72df160475bbec6ec28ce3e6f733444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

MD5 17191b87a1d45410b710727c70e330d2
SHA1 3f251f9c08cd36a0f2f7b5a93d91cb7e843a02fa
SHA256 7219509a13367f54e51e64fe8260e8cfcdf5c038a021663d4b5eeda37aeae73d
SHA512 57f5e0dfad4cbba633a5f566948541ad053456788e4b31dc042d2bd1a0cfaab3b1d05189c0718182ac51a1b3ecbce97500d3899b5ffd4b3f372e6f5de559a221

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ji157mi.exe

MD5 74f4c81ee68a5cb2cdaf9b0c045f8e20
SHA1 15bb9ab45c3e5b4609c12bdb7526fe03d7449d6f
SHA256 43cd7f4de05e67463aa0c1fcd47d9fa95f6f0fc52c166aab130a2e1da5166477
SHA512 bdbdf809354e035c8334c2da0fc7a1ea9d05fbd95e78d76b0dbd45ac822759309212320f2355c0e299f88775c5211a73fada0424eb2b1fed6711a7c9302af377

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 1e6f2cb03d651af5658c007f79993ac6
SHA1 e04727073e4cc5fa9fc2f86ef70aabf1204bb670
SHA256 bdf20b1e5f49640c9c760cccf22bc61216bae12019b70071b33b66004abcb03d
SHA512 d891ec83066cc6ef80190d3ef36c1a71c225a6cc1d53f4e34b7ca3c4858453d4f791ced5ca96de66db7fdb8245a4aef36ab27ccd1c2c3acf8c63263e41d69570

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 2b04162da3ce0cf8d5300f67eda1fa3c
SHA1 70e0a7ceeb0185252120fd3bb381fda31fbcc258
SHA256 13dc652bb244c75160505a048a6d284d5b4d58507f50b4a162f5cfc4b10afcc2
SHA512 fe85b0dbd54b6fb88097d4c8cc632051ef4f8af35dba9a93f1b7e1e5ac8ec27caf57c9621f483e50c4fdaacffe9dbf7ca1849b0245210bd81c109fec3f121afd

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 8f7794efb5c41448901dd9521a1e3478
SHA1 68a7afc5859f9647dc2d76c50008e75d3846c5d2
SHA256 095e990b7a18f245da696fc943ead6e81511a39f599163972f9f334e39ad8c1b
SHA512 db368f03da09ce51d233e8cab0f7b0ed4c86f6d183dc8dbd5aa908e87d7f8a2077f0d757499882eb698a50963b69f6c74a1a8271e075d29a10e2d373aa6d8dc4

C:\Users\Admin\AppData\Local\Temp\AE5F.exe

MD5 dcb2f640f75f0e49f8128e430e853ac8
SHA1 0cc519c2c44249b7f84df360f53ce91fbd650e63
SHA256 0e2f3676e2e68893fe87bc497673179c58e08e08c3c6a800ba00a45e79122696
SHA512 0afdd8a64d2515f2a1308628c44241356f91a05dc2eabf2c52a520fd9f98d4db3b2244ba833f4d3940eb8d169985180e61ee67ecd3a4ae3848fae8090666c44e

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9KWG84HP.cookie

MD5 71057565e68e59d7bf8cd4eccdf14e23
SHA1 0a41cf2b3f9802d8730e867d2204a0b8801b5268
SHA256 98f81cf0b0b94d73ede6585d1079cedf82ffc0f759d3c0b97be1e638dfd932dd
SHA512 d0643be0ed5ffa2fa7e94bb02851f56ecce2632a86f3cf48c3e2e61a3a6e72c8f222c24afd25a854a1ff2ab3d452e2877dc7b0920327532588efd1f603022ed6

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0GW4E2WC\shared_global[1].css

MD5 8d735ddcca5b5d293ef7ba7b4dde20b4
SHA1 b6a5324a0c1304ed92c2f25146c41c32d3ffb1df
SHA256 1900ed37b2f031f35d3aa5d765b7c71026e7a111bcbdcd1591f8d031c28be739
SHA512 28d8add4d6bea8ff4703c7eeb5b1e2ee391e58d68dcfc7a129caa3d84fda580703fd5c8d26d6017c44e6467fd661aa341bc02623081bad3401b6d43325f6ed9a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0GW4E2WC\buttons[1].css

MD5 0abae40ee6cfa8b72abfb79829d53400
SHA1 e87d3aa5ebfeac3d486fb3d9913a81be19af3762
SHA256 c54f7e964fabefc31c2df4864777db262e62c3236a293fbd075deaf1d538c2ed
SHA512 a347d51254a5ba555f5cfcffaaeb40f687c549b8e2c76eaf98f4e4522a8f5ae5a358f10119608c2657e30176d4675fd11c2670dd3f923bd788f8d30ca45a5575

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0GW4E2WC\shared_responsive[1].css

MD5 72e18d3f57737adba0956936bf438916
SHA1 efac889dc41d671ae12a6e0a6c77f803f7ec68ae
SHA256 ea56da3ab70fe84a679dc523b2ec93bb3a01ad55e41a4da0ef79e39c5d9f47ac
SHA512 d90e4dd1732c27edbd0bca44a00ec7352512cd80eaf0c8b044fadf6b2764c1bbad74dcaf91a0d4f00769b314d6fca01445b5161d34c7f147b656fc1dde957533

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0GW4E2WC\tooltip[1].js

MD5 72938851e7c2ef7b63299eba0c6752cb
SHA1 b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e
SHA256 e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661
SHA512 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0GW4E2WC\shared_global[1].js

MD5 e27819052d76890fd47c709bc5121c4a
SHA1 2987b31500b80d0186aba50c2cb45f94832e9758
SHA256 c4f8fb552b26a7c6009e6ac8812bace4b6803b9c92eaacfe633b77d1a16ef942
SHA512 32e6e0191ce2f95b0e77922be7342e6c7911288d891d88709acd2e8462c76e99f395843d9278fc36bf7da861cf9492c1454938ed3c5456f0ee0d53216efada52

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FEUWL9QG\shared_responsive_adapter[1].js

MD5 a52bc800ab6e9df5a05a5153eea29ffb
SHA1 8661643fcbc7498dd7317d100ec62d1c1c6886ff
SHA256 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e
SHA512 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1Q62BEGJ\favicon[1].ico

MD5 630d203cdeba06df4c0e289c8c8094f6
SHA1 eee14e8a36b0512c12ba26c0516b4553618dea36
SHA256 bbce71345828a27c5572637dbe88a3dd1e065266066600c8a841985588bf2902
SHA512 09f4e204960f4717848bf970ac4305f10201115e45dd5fe0196a6346628f0011e7bc17d73ec946b68731a5e179108fd39958cecf41125f44094f63fe5f2aeb2c

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1Q62BEGJ\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\C7Z5LVKV\favicon[2].ico

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TV6VDMAW\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\askrfkr\imagestore.dat

MD5 75cdb14a7609b5ab827b1f7f9005b752
SHA1 6432485365a8ef84ad14fee783efbc16a54a72b5
SHA256 535f5d4a17aa89dc4916d42e7dfa6aede87b088c9e571119450a286fc658a776
SHA512 9864983643ef323579d03229c5808abced2508dacaf01dce938a02f07ed909a45a83b5561f7fd76d6e8efd8e7701809ead5d0fdfc9b34ae5c40d0deddf662e60

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\V04OCNRZ\www.epicgames[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BQZL1I3S\9lb1g1kp916tat669q9r5g2kz[1].ico

MD5 3d0e5c05903cec0bc8e3fe0cda552745
SHA1 1b513503c65572f0787a14cc71018bd34f11b661
SHA256 42a498dc5f62d81801f8e753fc9a50af5bc1aabda8ab8b2960dce48211d7c023
SHA512 3d95663ac130116961f53cdca380ffc34e4814c52f801df59629ec999db79661b1d1f8b2e35d90f1a5f68ce22cc07e03f8069bd6e593c7614f7a8b0b0c09fa9e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\V04OCNRZ\www.epicgames[1].xml

MD5 bffa6d07e7c4d1f4aba974016ad7f7b6
SHA1 c386321eec03f1c2c9244b5fb1a7a858c0b10bf6
SHA256 7d62808a0e48ae79ffd34b946753a0ffd847cf05c6616a3222d7eb80b04375c1
SHA512 e5374ee9706dde646a8edf09e1f6aeb31e263be996a67a41b0c4c9172e6a90f0f7ea52bb1fc83e478f5038b64c8a8efbaf032879b86b745180aa8493a788e366

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0GW4E2WC\recaptcha__en[1].js

MD5 bbea0e0af21ce33f74c53fef2f0e60f0
SHA1 ab2d63517078a87ba68812e8f70e70b4ccb64825
SHA256 7f876327e87c11d947adbbafb154e3d216ddecdc2ab4b14e1eb1e4a1c6f3cdf2
SHA512 33562aaa56abdcca7fd90cc1a3eb32297bf301978224ec5b42bdc9089a57c4175dd737a8e58955b355447a988ab6eb6381412ea3a6332b31c312f23ae857e80e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1Q62BEGJ\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\V04OCNRZ\www.recaptcha[1].xml

MD5 d9497584fb603d201daec8d4ce94aae6
SHA1 935e34e7e4854fb1abb803a15e3a944b96056066
SHA256 7f5dc3aba681588cdfc2aab59cf38dd2e814e72d7a39bbe996c0ac1831e8b9f4
SHA512 77d14c881f770fa640d729bab85171481287e7175d638f716d7e3fa558ea189bc009af9e56d91fab891fb23e5c4b3ddc6367740133f8e38b51d6bb086d3069a3

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ESGHQEZL\epic-favicon-96x96[1].png

MD5 c94a0e93b5daa0eec052b89000774086
SHA1 cb4acc8cfedd95353aa8defde0a82b100ab27f72
SHA256 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775
SHA512 f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BQZL1I3S\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EB27WW08\hcaptcha[1].js

MD5 742b1d4bbbc050d4b270fb2f8a5864da
SHA1 6e99f4d215d19557325a469dcbe929685e5d179e
SHA256 319e5a4819a9b54b551ca09ee13f2e9f7f34cc7c3b53369c9fe5e5493dbb32e7
SHA512 30e55312595d3431aa327bdc11a99ef4e7f77ba79103733f472504c5ccaf8fe322b4df6938496d4d87e6fc0f413a134037852d532e0abc60107b227ead153982