Malware Analysis Report

2025-03-15 03:58

Sample ID 240518-z9yjlagd5v
Target 7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d
SHA256 7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d
Tags
amadey c767c0 evasion trojan spyware stealer
score
10/10


Analysis Overview

Threat Level: Known bad

The file 7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d was found to be: Known bad.

Malicious Activity Summary

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 21:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 21:25

Reported

2024-05-18 21:28

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe

"C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

MD5 fc40addc1c7501127359a023fbff7d46
SHA1 923a1d921fc5f0c1495fb44ef35c2d325711eca1
SHA256 7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d
SHA512 991a418959b0d5338b3381907fe98a08cfb6a7974ec104acfa1544f9b09fbb0bf339cf4b47b49ffab100db10d78035c699571f9ad1eec7d39e4ba85562c3da70

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 21:25

Reported

2024-05-18 21:28

Platform

win11-20240426-en

Max time kernel

143s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4928 set thread context of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1228 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1228 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4796 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe
PID 4796 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe
PID 4796 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe
PID 4952 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe
PID 4796 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe
PID 4796 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe
PID 3448 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3448 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3448 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3448 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4928 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4928 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3448 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3448 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3448 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3448 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3448 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\11988\Component.pif
PID 3448 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\11988\Component.pif
PID 3448 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\11988\Component.pif
PID 3448 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3448 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3448 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe

"C:\Users\Admin\AppData\Local\Temp\7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Official Official.cmd & Official.cmd & exit

C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe

"C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 11988

C:\Windows\SysWOW64\findstr.exe

findstr /V "OutsourcingCatchTheftUniprotkb" Pace

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Pot + Costs + Largely + Conversations 11988\R

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\11988\Component.pif

11988\Component.pif 11988\R

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 172.67.137.239:443 ussrconnect.ru tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.218.187:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 museumtespaceorsp.shop udp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
US 104.21.62.60:443 averageaattractiionsl.shop tcp
US 172.67.141.63:443 femininiespywageg.shop tcp
US 172.67.203.218:443 employhabragaomlsp.shop tcp
US 104.21.3.197:443 stalfbaclcalorieeis.shop tcp
US 172.67.197.146:443 civilianurinedtsraov.shop tcp
US 8.8.8.8:53 197.3.21.104.in-addr.arpa udp
US 172.67.146.92:443 roomabolishsnifftwk.shop tcp

Files

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

MD5 fc40addc1c7501127359a023fbff7d46
SHA1 923a1d921fc5f0c1495fb44ef35c2d325711eca1
SHA256 7dfde5c31ba90e045fd5a3be2eb5797cf6dbbf56d59f6a49b3c0dc8c60a08e2d
SHA512 991a418959b0d5338b3381907fe98a08cfb6a7974ec104acfa1544f9b09fbb0bf339cf4b47b49ffab100db10d78035c699571f9ad1eec7d39e4ba85562c3da70

C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe

MD5 9e9cbf47adcd712641f4baba9b1b4944
SHA1 8c75ebde41cddf280ccd2fc6ce990be6f7e08eb3
SHA256 430cff6f0d1b6abb864b941e0cc959fbe03bcbfea9d13a3fd815b346c0c08db0
SHA512 807b11dbeb5380170df107d914de857c7949671115467acf7ab8198d729ffda3b325829d0eb0e4807d23900fba3b2d6dc64e3fb0014bd2c801e440dde69f3d25

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Official

MD5 c82ec45e5f6d6852e86316d3db0891f2
SHA1 320cf9ee345db6efa3e69d6ccbf044836e70d71e
SHA256 518e10efb2b6ef253983d0e04ab425fb9e16e1dcd4746064d7ea92c1b58f8348
SHA512 cf5435b2a7901a08ebaef3481fbd32fb8eac08849f676b1928d83f5d4cafaf3bf094a7c8d3a324aa1a74ded6f861cf04fbcd4c69a48063c6f9cf28c2f04ddd6f

C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe

MD5 b99a7c6c9e6a2eb2945d894b2ce2c63b
SHA1 e09a2fecf1f27cc81a585c1c68d5deb792162118
SHA256 01ffe49f3718dcb41ddd63aadd76a3bd342de6f7549697033325830828bcfdf7
SHA512 f3b5c5699a5af49b1f46b0eada0f04574321723b3e26a86ec09ca1debcee9849e81e04d293e092dcab7e7fb08aa17dc14c8b3c0cec563c45edb89d80742fde57

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pace

MD5 afc5e431815aa7b3a4abcdbd72cf5e90
SHA1 2c031f7023caa1572628ea857a7d0c465f739f0a
SHA256 4ceb64d528a39c03c9d02d49e799fe6bd5a0c03b0eeeffb48573550d2d092a01
SHA512 a13aab0070993b4a575baf0e75b0327f915645bf2d4b0089ae80f6857db86acb1ec32c870ff559fc86ef2423f289e7cdcfad2f11351e77587272ad56bbd4aab5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tier

MD5 3043f60df7580681dada83bd63320de3
SHA1 4f4effd8e4a538ecee5b71cc8e50b414e03107f9
SHA256 74595ac40cfc5175c63acac726c7ddf89f7ad8370ad4691b474ccc5106bb5480
SHA512 1e499805f2f39e0e5020d957c6ddf7c7bed24cba4d7cad03f23ebcc0bdaccb9d5a20b53f84364f486d2a31650eed116a6f0c910fb8dd82980dcf0c3016fb37c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mainland

MD5 5f45ad73589e94032e9e193d97d0ad36
SHA1 fb63facdec79af35e5dc1c817f0cae0a8c2568e0
SHA256 89f41229590f30bb4d2196224c66ea6442a03b6a3d576433fff20c4869f88939
SHA512 b22194cd15d60084db353c64bce67f7318e64f3298068ed4a147b79ecac9b5d568fe2221f2a183293ef90b98ba1c60998cc1d75b86b492b32d1cf232fac8daab

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Forums

MD5 603e2a3fb4f63f60e46e6d8009133838
SHA1 1d5270395b9bf87e85b8e7d5f1df694f8e08a9d8
SHA256 98d5a30c4dc88699ad46d7a5d1d68e5fcb57be042499674e45ac6ce827db6659
SHA512 17b19904b5c9a4e0d4444ba58c02b389acf4dcce1671c4c2f25c389d352b7a8db694ad0d134d23529a72eb6e50b25db277d3372d274d6c6866d6b25c88678fa4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Install

MD5 e0ea246b27684082fc52f481f533fa44
SHA1 03d4f736f4184fd5c9ff93c9d447f94524a08c01
SHA256 8e8ddebaa350f784a5f7cf392f51e3fbc487ceae0f2ca56256dbc00551e2325b
SHA512 de195c351020dfcaf8333bd362919eed368d041107ba87adcbd98ee576f4da8bab712073adf0c410ab44d25882b7f521aebe571a6ef0932fbb90aad5e4e72600

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Daughter

MD5 7ac5ffffba6229ffb8b48744fe2eac77
SHA1 832f82c772cd9ee27dd7c346d77bdf40a75412a9
SHA256 0baf94a7de4151a4b430ce527c460eda309b7824ab72fdfe1825dc9557d10e81
SHA512 7b96113cdc3feff4d940f99d868fd755f1fdf55f032037dcb2db006e786585aac5693c7d63c77a7b19aef132d4214fffdcad87147fae567892185bf2f8951e33

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Extent

MD5 2597f70296d94050fe9253a61bdd1bdb
SHA1 84371cfc7b78ba86adc9abb9abf50d1a9136b7d1
SHA256 e7271d6ffc739993c4c6d66b22af21e7a667572d2b5c43952a84b51d2772c385
SHA512 245d2cec2ce77c64645195519a5e42d2e888e1c99fbc95fa26d26549e2952d12a6c41efd81b3e8bc24f24d0eaaf84486bf6e933267bcc994b49a6c05e66f75d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emails

MD5 526683ce72baf2133ce851622a5a8c6a
SHA1 08371209ed89b3aeee2e4ea406c3e20592dac70d
SHA256 eb729b91f3535ff5dbbc74819cc3067fb001a9eac62b4ee7eecf24715d576e86
SHA512 8f5a93bc957e57c2fdce48412348ab85353ca04b94ebf7a7667e8773452eb3f8ac0376ac8339ece8f9625f5e28168f85d51fa1411db7819abaa0fcdf1d39cb8a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thereof

MD5 5dcbc046a9dcf986a41d505c1a60c4a9
SHA1 2c0398dbd7f3cd4eaffb435317fe3dfc172ccd63
SHA256 977b1c850c3cda0a456750179f54fc56b7e883795e8f3cdcb9a4a9c5fb3039d7
SHA512 b43f58e6fe6a14e5b5d5e285a462dc16ca83f4adafd0774b8f4bf1ab969909a73299e3f2560de96dd8b9dc8a5f0213e2623b3bd94f0857b6260095e2fcb17a89

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Costs

MD5 c6231404c1cf881878357ec96918b064
SHA1 a25b461aa5042d188c0414a53114c396125b8216
SHA256 4e83e6c94889642b1575fe3b742c9555c8736a17d8509984e08358699d2716e9
SHA512 512ffe8a4f414c48c791a1d391133dd0cdc29448c43ed49dac809165e45ff64f36f9ee1fc512f59860c8dd50900ff2fae6616e1f4d2985765b807ca0392cf4b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\11988\Component.pif

MD5 b06e67f9767e5023892d9698703ad098