Malware Analysis Report

2024-11-16 13:41

Sample ID 240531-vlkklseg5x
Target проверка.exe
SHA256 c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2

Threat Level: Known bad

The file проверка.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Xworm family

Sets file execution options in registry

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Enumerates system info in registry

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 17:04

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 17:04

Reported

2024-05-31 17:22

Platform

win7-20240221-en

Max time kernel

837s

Max time network

836s

Command Line

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled" C:\Windows\regedit.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a13a021673c7f847aff4852443131d9e000000000200000000001066000000010000200000007ae846e4d7a073bc896d60f742eb7f5c6fbb6a26bcf1da9bceea218e816d16e6000000000e8000000002000020000000b53e31b54d1c5ac0cbd7174833ef2627c86c591f9ebc9eba274ab6b1f0ba453090000000861892dbffa368842839dd14b38267b9aac86b02949b7e63cde3560b1ac34f1514b7ce9fd4e7b57fba0362053f4bafde5c2bcf6f78dd906f72167f323a06de285adeac9627ca2269d785101dd94ae791911993e042495b0dd2b2106c07edb25e25db5832b340ecbc588d45b5d761a9457140e84fde578ac0ff1c8b30c7f4ed24c71297904b8725727374fbcdb8a74007400000001f77e5f8e4c32178a9ec6c0a9009fbd1226fa7edbf360eb23850c7bc1a1e743264485e42963e547a8723a0403293e02018a0d41f2f7d50a63ce22a51003b3f19 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a13a021673c7f847aff4852443131d9e00000000020000000000106600000001000020000000837272909d9a046d2129cde60fc3dfb1d225c6ae6a012bbba510cc8d537ecbb0000000000e80000000020000200000005aa0a955193fa85893df5eae9faba9db2479cd4a7bcea8d83c324f2f336fb0da20000000cad0325138b11b309b3dcf97f929cd79a8db5730d9fb323889972ecc52988edc400000008cbd8ac9dd4ffa1cc3af8a96eecc9ae0b504b035f5138762376bb0f759ec722438817697d3fd595debc376deaba99b90904bddb1592072280beb5f84d5feeb64 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04d7e087db3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38DAD371-1F70-11EF-A30C-E60682B688C9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\bing.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 2652 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2168 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\regedit.exe
PID 2168 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\regedit.exe
PID 2168 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\regedit.exe
PID 2652 wrote to memory of 1772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 1772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 1772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 1616 wrote to memory of 2348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1616 wrote to memory of 2348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1616 wrote to memory of 2348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1616 wrote to memory of 2348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2652 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 856 wrote to memory of 1236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 1236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 1236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 856 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {264BE37B-D881-42EF-B92D-99C535E440B9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\wrodnw.reg"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ExitSplit.vbs"

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1c49758,0x7fef1c49768,0x7fef1c49778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1660 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1244 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f4f7688,0x13f4f7698,0x13f4f76a8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3728 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2472 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3712 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2764 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3988 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1240 --field-trial-handle=1380,i,10838861718162279237,11641384004053569654,131072 /prefetch:1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE032.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 speed-wheat.gl.at.ply.gg udp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
US 8.8.8.8:53 api.bing.com udp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
NL 23.62.61.75:80 www.bing.com tcp
NL 23.62.61.75:80 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 23.62.61.75:80 r.bing.com tcp
NL 23.62.61.75:80 r.bing.com tcp
NL 23.62.61.75:80 r.bing.com tcp
NL 23.62.61.75:80 r.bing.com tcp
NL 23.62.61.75:443 r.bing.com tcp
NL 23.62.61.75:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 a4.bing.com udp
NL 23.62.61.75:80 a4.bing.com tcp
NL 40.126.32.136:443 login.microsoftonline.com tcp
NL 40.126.32.136:443 login.microsoftonline.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
US 8.8.8.8:53 tse4.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse2.mm.bing.net udp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 204.79.197.200:80 tse2.mm.bing.net tcp
US 8.8.8.8:53 tse3.mm.bing.net udp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
US 204.79.197.200:80 tse3.mm.bing.net tcp
US 204.79.197.200:80 tse3.mm.bing.net tcp
US 204.79.197.200:80 tse3.mm.bing.net tcp
US 204.79.197.200:80 tse3.mm.bing.net tcp
US 204.79.197.200:80 tse3.mm.bing.net tcp
US 204.79.197.200:80 tse3.mm.bing.net tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:80 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
NL 23.62.61.75:443 a4.bing.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.187.214:443 i.ytimg.com tcp
GB 142.250.187.214:443 i.ytimg.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.16.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.214:443 i.ytimg.com udp
GB 142.250.178.14:443 www.youtube.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 216.58.213.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 142.250.200.42:443 jnn-pa.googleapis.com udp
GB 172.217.16.226:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 lh5.googleusercontent.com udp
GB 172.217.16.225:443 lh5.googleusercontent.com tcp
GB 172.217.16.225:443 lh5.googleusercontent.com udp
US 8.8.8.8:53 simpleunlocker.com udp
US 104.21.47.123:443 simpleunlocker.com tcp
US 104.21.47.123:443 simpleunlocker.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 104.21.47.123:443 simpleunlocker.com udp
US 8.8.8.8:53 cdn.datatables.net udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 js.nicedit.com udp
GB 142.250.187.234:443 ajax.googleapis.com tcp
GB 142.250.187.234:443 ajax.googleapis.com tcp
US 172.67.75.33:443 cdn.datatables.net tcp
US 172.67.75.33:443 cdn.datatables.net tcp
US 172.67.75.33:443 cdn.datatables.net tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.21.74.155:443 js.nicedit.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp

Files

memory/2168-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

memory/2168-1-0x0000000001370000-0x0000000001390000-memory.dmp

memory/2516-6-0x0000000002B50000-0x0000000002BD0000-memory.dmp

memory/2516-7-0x000000001B790000-0x000000001BA72000-memory.dmp

memory/2516-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 008f10e19aa209748be13b60bdc4fbef
SHA1 c2ccb4724ba104ba55a5ef6dc4cc0530e765b458
SHA256 5d55b2546acaba6727193544fe68d2879c890de5dde28db5356f6ae8fcd3fa92
SHA512 8dcfcd49f82d3ea312f3d3f6dc95aa50a6a1acb77020a5facd374e5287b7a1d13afc7b92a60dc3c4d58ba48429b24727ae4462dbeaff6150ebd67b9f048546bb

memory/2540-14-0x000000001B460000-0x000000001B742000-memory.dmp

memory/2540-15-0x00000000021A0000-0x00000000021A8000-memory.dmp

memory/2168-30-0x000000001B2E0000-0x000000001B360000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 69c00aa1f2cecc09093eec932c788209
SHA1 2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c
SHA256 c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2
SHA512 8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214

memory/1484-34-0x00000000011F0000-0x0000000001210000-memory.dmp

memory/2168-35-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

memory/2168-36-0x0000000001330000-0x000000000133C000-memory.dmp

memory/2168-37-0x000000001B2E0000-0x000000001B360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wrodnw.reg

MD5 ac6d546b9e8fd0cc8205ec3de3b531b3
SHA1 e7ad048b8a5b997bc8fd8171664026856e587453
SHA256 b7187ba265fc9e363c2d4565657294603f0258ff035dc7b3da8ff702472b9a1b
SHA512 ac5c28799e160b3c8b619b2484a00aee35d2421d195ad4ab5cb46ab0f59fd7a1a624917fd9e2ac154bb72bd53059ad140e390ca12faf736ce2eeb97bfb7fa2dd

memory/1772-43-0x0000000001300000-0x0000000001320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab800C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab8184.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar81A8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f28d6744ad339890c527993a5a1b7cb
SHA1 a9ea57b270260933717a54dc01a0a0cd0d13d66c
SHA256 d90b603e511cae92f967d7d33b8548f1c60df3cd7a6986a2b2a4ddd51e61300a
SHA512 18bf0efe24d80dda3c8c8b35eb5a717651dbe053ecce161e05893680e1e3ad916cbe4156c5d2b2c3ea6192dfb3fdb5a99eb76382d9d0554c9ad24ebc6a3591de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1e023b39d6df0796982cef6e84ee8d4
SHA1 67a93fdbed00a85a937a5d884dd222ae0737b4df
SHA256 4fee963aeacb3d7321e1f079f286aca753144ecfc3d7d8b63907eb56cf1d081c
SHA512 79bc69e48c05c0361b9f825d6d3860037ed8fa8c7c12c15e211c69a8f80dd00e223485295369ae37dabbf1d93336c994dad1ed45ca4f58db02766f85d93cbb78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7aa63834f260123f7afc1cd05e52129b
SHA1 fc9b357d70da9458405eab0dcf45396f34b36fee
SHA256 6929efd534b92940a46a34f7b3d042fff64cdc04f9030936ec0b9e6fbe12a3eb
SHA512 0a72e96cff9960ecc45f478a7071439cd2d719a6947abca9e0f95aa000e628a6bd073ada47db21a56403351a4c132206998ed8c0279dd7859f6d9a96880b5dee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ed23e7a28d2ff4bafe27bd92d7f8ef7
SHA1 f7da2fb3fd0f7991904a22646112d6bc874520a5
SHA256 82232c665cc0cbcd59c01d0ed1f7c3f0f9fc9160aaba8d45236175dc2fc6c16b
SHA512 a4d16233fc4188340d514a30b3141ff5da486b257e68c26d8732629e5132c23cbee46b78e3ec508b05bc57f5fcfa98172b38de07425f95461ef1b35036ff3f28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c129123b800f7e8c9e5134a1b5c8c1ac
SHA1 2a0d301a4680e5aba80c4a6a86288cc5e33132b1
SHA256 85f3a1fdca92b3b17f94025db26e80a6b9ddb7502343e2ebad1c5aecde760821
SHA512 fec2d7c2a718ee7bf3817bd1a17a8574b9c0524c58cc2475d7d0c3dc3033180531b3c226cef86d7467defee1310af5df9713edeab8636898d5593db667aadd41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b8e4000461deec726da71ce02c5aa59
SHA1 35d4607c8c55411e4de6978a7d217d5cc1ca68ce
SHA256 5a6bbc3d34cb5365c8c740607d2ca666541b366e8123d6187477c237ac5103f5
SHA512 75e2ff55026fcf15da3fdc3f301544a9aad2220dab7f20c3c530309d5d2e878d0478eb44b2ac44bd810231f4e7448e01d01196643a66052bc956c3a50387133d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cf8e42d1976e34a1e02b43bb6b3de66
SHA1 f5c389f1adb2481c9a57bb3484f01e05555e85ed
SHA256 879b1420125caee7aa1746314cbdc19fd7d9e4d0aa71dd0fd245f9562ec77fce
SHA512 8f3424211c0b52e2db0aa33bfccb244b9a31204f2525bad8aa4106663e5078fd6041b167caf366c0fb64a559f21851ac4fb1b92fe354024964ec69ed77355bca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e1151390c0e97f93aaf472ace4487a9
SHA1 98dc6de811a26e498396f6d4f7cc242fbe2cf581
SHA256 4126a5c9f103a9e118227b562a628d5f4c5e39126dadd7f8850da3c5fc0ac6a7
SHA512 0217d66f9356be6e6b9a8d75b5dd17c21a6ca3931947dcca6b997d51346a330d9944c7123fd33227b33edf34895fc45619e436c225641a51182cb7c71c28bb89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a162f0f0da4ed4313fbb3220c35d3107
SHA1 cc1cc58c069df1a49b8214464cf2f76db7e18d34
SHA256 bd3c70a518fd1e65c4ac76ed361421815f3ba4ebf1b06f1951496dcd45cbe183
SHA512 1b4a738e263026b521802383008aa10707e23949747bf3b7bd36ac1221cd71e5ce2871457f5c5b343f9dee65aab743c7e483d6415262bd2c009835c6ac3af4c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b4ba0df163f359a5b0aa7f1460409f1
SHA1 68e3ffb5f2cd16cf341deb79203f2ff31d6e5583
SHA256 04b819ea1a31cfa6223d9e44b06233c9c24ae3efe9f5242febf23bc2718435f3
SHA512 283d0cd616f94aca126ebf9942ba8077e5ff2a2748d151970382eb924c6d4f030f359f8f01951322bce50321c7ac05ea3c025d4e33fda341c8edfe90ec377366

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e94b1fb65a7653b1930db194653f98c
SHA1 f4e36dc629ca310eead50ceba4d19ad729395710
SHA256 d0e254d7a44de92fff1f8c843d5ee88900cc8fcd20d1e67937795b0e0b776eb9
SHA512 273acce342d95025b64ab28192a8640957e06ef1c1b014bb545663f28761b7ee6afd716fc98e277c6d837ff8b9821c662875abd9d386972b70633f69f3dd4443

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\qsml[1].xml

MD5 8b1b4a1cd994cc41c35580c6ac0ae724
SHA1 e8d39aac330cc37d2829ac3ee57fa23ab781f0fd
SHA256 e83617c708ef493abcd1b1b02ffd1fc3f47bb0d5f459c55ef527f408d32e5a48
SHA512 9b469c602fed0d0f168d0eacb9c2aeec6041eec1274b65185ba0f34666d8e918b3a50bf34ed89ea7e64aea77441c8dd493e4c71eedcd5a9e7d20ef5f5829e081

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\favicon-trans-bg-blue-mg[1].ico

MD5 30967b1b52cb6df18a8af8fcc04f83c9
SHA1 aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588
SHA256 439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e
SHA512 7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

MD5 11d9b71e960ee47e6c0307f4b54e98e5
SHA1 efbcda14562d441dc28c4a061cc3f4c3ef4de659
SHA256 79b10b101de90b1157b63208174efd81b6d76230ad9a0271c81304b5456b49e1
SHA512 53847214c9681e9ce63240ac878e85167e0a4361d931e22614b39f81831f212d1baa4c3a712983eca50c84f8214097914f567902be780e6c3537ca1515acedf4

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

MD5 9854e99233b3ff334f55d368cfa46229
SHA1 160034f54344454915d59345a52aaf6d2a6a2ae5
SHA256 4267d4cce251a240244509553f5f9408b4d5908dc180a40c4000ae6e7e644914
SHA512 10fbf87336e2127f9a4763c3fffa0641cefaf5a638227bb26e0362648f870712249df17b16e5a693e876615f991acaf56c667d8ea9233ea0c4f8f0242750bcf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f09b221db96ee3d0591c98c25c5bc1cc
SHA1 3b6a81815ce7a8f2e389ea8774ab69259a77b109
SHA256 601da1bd5ab523e9598d76828a18370e1878fcc8b044c41b776cd637c21ef67e
SHA512 c41d4f07b1e7752f74d1b580539015dd695fce0039e276cfe9fd9f05ed7e8fbf527a44daf16dc12701604db59424d5c4946ccc8dcf624935ba59b7274b05a02a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26fb3fd0d78bf9b0823768b7eb0339c0
SHA1 8899591a5c62528700bd9d1135fadccefef6bcf8
SHA256 64a13367c618458d9642250d9e90085198e9ac2bbbd1f7362380338c349f444d
SHA512 f8b6033609f272efdb65ee62cf94ebec99627f302547a71a9d513ce303d6fec7c0f9536b50431c92c20779aaae649ef8e91b18cbaa776587b062a82ebb7b9c92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2526a443a81ea25772100cfb085fdde8
SHA1 bf00ed1c8e4b68a9e7e37a865d02631260634355
SHA256 8d983cd050e59f0d239cd6aa5fbdf8ba61a761eb08678aef4358759ee76073c1
SHA512 04f9a96799504368c668a35fc6cbd758c58135cdf18fbae34321d5b3b2d8362a54cbc68dbfe0bff2b59b8ac1f0bdc9d552e562d6a109e3d0f24cdd75d392beda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 a395e3c79b0ea3cd65abf76dcb087f8b
SHA1 598d0e83acf4633416996a63e6bf1ba8bfbf3502
SHA256 b77c44e7bec95e5dcf93f35638e80c6e6772a7a9e5f0e63b60bd01417f0ea2de
SHA512 74c50579bfbde8ac0d6399eb88e429ed918675cbb3b00d3421c62a8fbb7824b8dfb0b9acca8fd433f48275f240940b92f3fb2a538862d9b92e51d37cc5fba212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c85b783d39c58953a2007d6d9277d4d4
SHA1 ff928438fe060dad4530b83a254934b1ecdcaa07
SHA256 4de18c2ae24ffabcd6947cbb3c7d59960e22044354b636b48a453b1dd9eaf17b
SHA512 5271a47ffe26a12037d9277a7668dbaa0b9ef3a1e2d923a14c139a2832d722688309b88706ad70535ed2bd3672c2c5e4dc1c6a259ebff801da72ba4a75731f12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c49f9365be2c5dcf2e85ca77292bc486
SHA1 260cbb42c9e55f1c5b49e935b55901510dcd2470
SHA256 a192502599371c388908603fe25e47d52d0ac255ecda612837d7f2df938373ea
SHA512 07af64b04bbfe5235387c0f7dcfec915776e409f241951c7abe0cc7ad516e883f965083997bafbc6d53312b8587e48b50b4f73b92504b215bd62bdf2a9f197be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95b22fd0d62cd921c309098d031dcbb4
SHA1 7f11791915368b704f53acbd7f30e37fdbd99546
SHA256 3bc56c75df54731624661cdf2f6bc09c03e4912359c49a89cb5374712a1bcaca
SHA512 5a39eaf8e6ff6536d4fa25a88c0b58816d5b78be182f32a2e7637d3be3d50b5641b5440473d082de857bee5df7f62bbde6794587dd6f9dabae51dd1219194e30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22aa76d3eb0d3722a4fa823f1216eb60
SHA1 0273e06c731e2af30ce0bfde365aced11c45863f
SHA256 e65cb2f552881218a686e2152a5e3994a6a76c3b086beefe617c93f853aab9a4
SHA512 8bf9fce29afce890a373b3256ad9e3e512a2554e621d6ce4b606f15def0c274afd033baf363d8bde612471f21af59096e3f0f516ae1d2b1175469d69526fefa4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b70ec63ca1513e2ad0725a061488bce2
SHA1 73e3a1ff5f9b89a6bb09fefeaeb5911e9d92f538
SHA256 c75a6c950a45b59ce8470c0f55c4365137aa633a024675c80ccbe82124e718d6
SHA512 aa2e76f7b61d1a0cdcb5a0d3aa5965146dad31f4f0b57e49c2b77f24a7fdaf2ce2d09f65786284c9e93b81b1debb460987be301d32dd4639d20d3bc23374b6d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 111ad9e3a837ec081edb633a7df2ac74
SHA1 d3f484ad6c4038e820e177f34860d87653ab8fbb
SHA256 f5f997cf42a04d0797242007b20b2e44dd31feef5dfc66b961d3d179fbd7ddff
SHA512 ab6ebbd6fe1e5487a61e527006dc10569484a4370b595ce5caa3f84aa80657b276868cf9888ac1cd7f4e5e6e14c2b22e6b3f2cacc7c871bd130d18326266e2ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5897d19451a1ea89b015d5b0f605e377
SHA1 cce074087893eb373fa88a765f3df7da7223b6bc
SHA256 6a7e73191e358f193f3b8a95cd39148bddc89c6c2a1d6b625cd3922cc4fc9975
SHA512 c71e3bd80e82af137eca169b286f46f34b97f71d17aa969e6a75a4f72b9b9b947d7415d920ab83402c7d74eb4c9c61543b60be8c2b9ef240a15cd11ab73d169c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bf02448c18bf2718f4eba5cc5130599
SHA1 49df2f82e58e42bc77442bb395732edb6133dc14
SHA256 b434faab16ef3eeb2e87130cab8df6cd5166aa94bdeec6c740eb77d2d15e1dff
SHA512 49b63561a0607f93fdb3059c53b9a8dea1118e210380a56a01d5f09af4946795fa11f3e48f8bcad95d4393d10f088bfff7acea3e5d013ab4d681b2f1aeb3ad32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5a9463136185a4f04b9b1e9915afb0f
SHA1 67de22d48a7f7cdb752821919215029638acd656
SHA256 e1100bab235f18d2a1f2c86054b3323113189c1f98400b0302f2ac57a90beaed
SHA512 c91d859573958a607e22b8ef446511927ad7fa24de6defcace6e90807910b2a18d48a20bf3b3822ad76a790bb97d2fbe51ab958fea8bb2fa27fcff594ea74e58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffc172865d85aba7d3bbcd74b9ba410c
SHA1 216051d9a2589d4aec8d82fad293fb39b90c2579
SHA256 1d56101ddbeefb442f6ff2f0b1d3116570be7f084fef26092e24baa2932f3c79
SHA512 4cf2ac5a07792e5033777094821f73fae5df4f90d61eda01ae9ffe7a706a3ad1c434be29cbcd8604cdb3e87335f3dc205d03e20b2e26c19bbcb94382377dd636

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b4f75d8156274093de9cdaa418bf0ad
SHA1 cceb64ac3554bd03eee3b385893a5e2cd75ef9d7
SHA256 0e7ad1e18a1c1fc24c394df3744fef0644f8ac21fd92255780f52bf9b4e0d3c4
SHA512 1a23b3b64cb11d4d0a555922ffbb02eadcce7fd718f4b778211b96bef07acfe9da4ae93a3fc15d284da9f655ad10add943b9a78f697cbf50769448f240666728

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17bde5099a80e7c1f648b0510e9d8eab
SHA1 97859cbede65268ded4671992763eea320f0a2e8
SHA256 b8747e62dc87227ebd3672f6abe06b0bbc62247ea49a283f221acd9abe4f624f
SHA512 d1f80cbd1f5fdbaaa5c1ebc457636ff48971886b84d55f807abc1631e8a676e51293dd28728990f5d3851d4b3d14a1f2dc2a17501fbcc3f20343fa03a9aa7ff1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76b03d46f2f13ea5fcf746c529a87883
SHA1 b7ea97d5dd2c3075ad07eb2b5e6f164df66a4935
SHA256 157ac0adf66215e5fb3d4a54270c3e99d7cf19ee9c31597ed201c7ab56781ebe
SHA512 d17790dfdda93a9579be6ccd2a258080c9ce80638512b5eade8e50d8aedae9d9be19820218ebd78963e725cdbf90184e61c1e016109f709ff78198b76e74b2f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c54c6fffc7d8e1a65ee019a89568c271
SHA1 edd147c6233754ddf3fac414f69f7dc1b82b9139
SHA256 999fc684e86b6b553dd78af84e1eb975e917ee475376ae066132200c742d94e0
SHA512 fb347f192d69d08afe299364c4ba09bce7acf05be5e48191c0bb978927ed478e8eacbe929f448648efb2482da4d36fb6f6f64e20930e804130e4385aafa64dfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86ce2c580880d98dfa3751c8bf275dee
SHA1 2d828a147de8e8503f3fc9aa6ac2ccc4c3433c61
SHA256 2272094e9b8d60970d76931a581d23d55eab2ba04cdbe693a240de11fbd364b5
SHA512 bc17db82ac547ad2cce27e8e15835c6db14c19bdfdbd8fcb1da92de1ed46d62f258541851e7139be72ebbee133bde3c8e2f442fc7bed43f6e40b42c6562f2f2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3a9391c6444f6ca54a5da1b8ec40238
SHA1 3bbb04d12de209ee49200cdbd7a43cf88e1d2a85
SHA256 93f1243e01b59b544b22d36ae9de0e1b95e2fdd711be90d3c8f13eebfd5db77c
SHA512 ea9f1fb48b147d6861a96b6744c05feb9aec2cb6379cf171c4151fbacb70d4e95b5d28269e1fe261b0493c3b869deb16560bc17395beaf4dbc3fc5d344ac244c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd6420baf2501a081175b624ccc19705
SHA1 8188a33e52f4613a0865f7d4c45e3849165db8b2
SHA256 ea3de6b271bea028341f16d821e254ea85763d77651fd61f61cdf6ffa0c5d2ed
SHA512 89b77071fcf8586be28de2a55407fee86436ed8eda5d3839bb621c714d0feb462b1efa6eee9ce62984796e73cbb459783657423f4e6d53e76d99180ad10ebfaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faac952c015cd49d23b52050240dd3b7
SHA1 838b5279b9515b6dc3651cffffae824d98bf98b4
SHA256 669fe80b89b1c5e6d89917fca2ad454045816cee3c63a4731359f059fc5ceb7b
SHA512 2bd6288453d040020e1e6862bd2dabd484bcb4003d37fad43f0bc50e4fd82e288bb39da6034d469f8056369fb92e46af6e01634b76b77dee705ed31e48aaed32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f63c4b56dca92f66cdf32239795f4b09
SHA1 3ab713039ccbc39fca99ce66be2d3d510a6d50f8
SHA256 c8210ed035f52d9aecf64d01fd62b337f4e0d048f980240c3119b1a1a15b15c2
SHA512 b0499f7a916531aedbceb49f69d8610faa8cc5f5f828f8f58455260a269a0d593b8db069710c3379724409af43659f569024244d94b9ad2f3805a00103a0e971

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b474a7734ece5f0b7b1709b727005268
SHA1 1cc735b062111becf766e61208670c9586f04d7f
SHA256 e6daa98844437e428ee458a7c9e56980cf52c292a90342914ee3178389013e1c
SHA512 b84c8887e46b8e81722d361b2b40f58ec09b19a0cf2fd989afb682c110c78042efbf6d96adf18a5293335c97917b343fb018bb852c7b9f017d1753b7da97fdf0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e95caae0f31f7c2333d5919ae07bb68
SHA1 e02ba01cc631cbd2bd887255f0e5daa46d3c0b64
SHA256 0cce0fa0aadc0cce5155ff772c98e585c90f952b8146fc3b4d8405a65bd0ac32
SHA512 764276353bbde5ba97a2a3796911db34045c290f70a6494d9079ae26ee36006a69339ae68f7457de056da54a534fcc965cf7acbe7ab4a29ecf0efec43ddf2363

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17bc8e3e7efc5c36a127f887420766fa
SHA1 de9c8251cb7a4669c7e9d3bf1551af7d20cc2ad7
SHA256 8053a2c25aa5f975957215fd02d797afcd76494e045b5641625457eb45766a46
SHA512 e758859697f1ef7e00814440b155e516629d5dbe2d3bfdbacf3eb70510b422fd59a7eb62851951314cedb5de9767b035d6ef3a559bda52b41f804a67652ebc99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 743b59aba9f70894712ad94cff3997e5
SHA1 bfb8ceb53f13b78989a1f875d9dbe2246ad19651
SHA256 d79fa22b7972d648549f31b81b80140726d30c3916714c0b00d21b4a9e98117c
SHA512 d3c2889051aed512c101bb3094789ca74bbe31be040d9ecb177e4abecd6fa6adcf7adee8ed0c182762d47b77d57d8b216ae80e013d803ef663ba006b094ff9b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 850e0f5d4fb1831b29737e5cb573aacc
SHA1 87b768e496ffce121083e0d9c0600f82e685b86f
SHA256 d5318dd6a0fb75a9b561260f891cac219728e0028f1d4e1e78d3ac534fbcbce8
SHA512 776bc2127edf9659f1aba31dab843824f22f71c867f885aa177b8db68db5c1e3ba9abfb1d5170740bb87307e4830cb3581e68acafab334603ecf8792d756370e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\8RNHsEn8PtM0uA2DR30F9jXIMgk.gz[1].css

MD5 6c83f0e4ba7abca299d40444dce9b020
SHA1 7a5a164256e71d45a481c0be1daf9a2549356bdd
SHA256 422038aecf1fc5d114831cff703aed576698d30d325bd98ad63a7a9e60a7cb67
SHA512 895aeaa0b98d16fe098ec627344d865e2ccb15e34df44adba100b3f3b61169a2e2f95ef8cd40c7e8b354bf6ecf243fc633c868ab84638f9daaf394fc6aebc6b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\HIUKsCeaN-mao3NEG1eNCz8IPpU.gz[1].css

MD5 31973beaaa1be347f2a4eb32913935b1
SHA1 8d9414b636ef04d4c55618ee73523a291b286054
SHA256 f70e039723ff41ce78120118a77937c44ff88ea11de744f130162b4e74565821
SHA512 9197a7601ebba38f1510d08b9d38159d7c410d7463a08a1587918ea2851bd8a02780f0c727b5ff7843e1ab753a8730bc18c3ca1a7f6c114e181164f5b26f7bba

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\qZ298743N3D_xWFpBHmgHj0y2TE.gz[1].css

MD5 f5717d277f4a053d7a42a1ce1ec9c727
SHA1 d5c6501d6d80aa916e9ced800f31a477c20e5530
SHA256 1640d501656f8863280db383b702835b9fc1953ecd2e7c532b0ff7bbd8697035
SHA512 0e64fa655c4bf0c34cae905d1dd4c47fab9dea042d4d3ad8819e6c7a85298b366c50e5b8b2ffa1ceb9acf09ff9123718162cc02c9fd8be98d9648a94eded3031

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\SUdqIrfG_F6_tX4gi0Aa0u136eQ.gz[1].css

MD5 37c2583ab7ed431184dec57ff31c9013
SHA1 2b5945c35326f9f184e6826b67849b7f8e23fb9e
SHA256 fa50c1f6938bb666927b47dcb488b740b3afc64479dece22ff1fd73a3298f27c
SHA512 c8db8e294f72ec703a317477eef02730ff75207a901eead06b657d15e4699b354179c0cbd4991c379bcab8eb07537b3fc0dfa123aab76506fd78f9791804accd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\Fx6zICq1fUNBGEZHcpJf6cPFHsU.gz[1].css

MD5 4e6acd95a1796699b236b3f7bb46d5c8
SHA1 820a992c49d0c0524b3a448aec982f702d732147
SHA256 893c3e91d912a170f30cb01ed6bf085cb3e8e32bf89ad72905658ce13423c5f6
SHA512 0b510f98a86a78da4e85a2df241a969f639a332beda4bc53a29cf9facbc5be5512df179ce98783de5f8b76e51a46637072def77a0e0d6a0f13610a8d6ea0657c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\2JqOMDxdqk__8gNul5XX01xs60w.gz[1].css

MD5 31c0b8065ccc8d59ffc648e066da13b5
SHA1 468ffffefee6853edad9149923f1ffa565a8a3dd
SHA256 8eb6d5de6967cfd1431117cae5fd6c42eaa8618eea6aa27be8b1e621f680c672
SHA512 dc4218a566635072766752bb2f1f216192c9c07e45fc08fe88b2fbd850aed9062eb2cd8ca9fc961cfeb26681bdb392a519f391e785e403f02a8096d8b840e2f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\1Uv80ttAPORmu5NCkcfNdrf8uhs.gz[1].css

MD5 5fb807a5b19da69cba33401ec10caa69
SHA1 6e6399f5cdfea5564cb40a5c3bdeb2c0e5cea555
SHA256 37d2fa01a2807b0a9fe07f11ad6390e64db2efa1f87de75f9c457ea89076dda0
SHA512 1cb32701bf72b1f2960b7c455877028068f8332bf1c70f1ac69e69139b945d83da4483a14e1fdec4ad0204f5d36606d73a5bb0e7402556acb582b5c1ca650809

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\6LohI2cpN0iIbSZNkT2e_TO1JTI.gz[1].js

MD5 2166c09ea15ba88e843d4e84df2c48a3
SHA1 cbff10ff66823d5ef13309a7913c600eeaeba187
SHA256 02f6e697a3aab3be32f5fb28488862bf9ed344b4d60ccdf85cd1e244ff285c62
SHA512 5ad51b625e96afb5e3452df6214b1bc63676e46490bfc15efb3fe00c27adc35d4336a85d00f9d37a840e3d98b61fd90ded6c5a18452f03033be9ac4c05ad24b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\i0wxzrtGXj9gDg7AFXtAVGo5iBQ.gz[1].js

MD5 f0ac784117c592865c4fdb6a8a0442fd
SHA1 4eb5d47678f5154fadf64043e86c1536eb85535b
SHA256 0a9f2de02b7ac8c776cbfab77e455c2d81cf1d923c1a793b4a9a8fbaa5b9177d
SHA512 6112db2ebed8d242be5eb59d9176f22e5c3c0ca591bf9ee2552bbba96af168702077c4a7b06855b7f81312b13f52540050d9b1a98f28cc63d0c826a02c4a03fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\z1Hy1yd3cxI3TYn8iQgE2tFUdd8.gz[1].js

MD5 0274dc112056eb1aae736e4ba35d5c40
SHA1 393f05e4daea77e689dc5b03e7ef7f22052cd47f
SHA256 1724e6a1f2f1e413a47da230392914440da3b3e77271b97f70ec173de720726c
SHA512 9f9944a4015cc007819e1ca4a25735d7a2873c9f92e07a00a1b5861157f1d6e8a1c5b0216932b98eaeedccda8bb2211393a6e7ff5d2cf5539251cac756bdd78b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\-io-xMNCwasGqLymZ_-Hy1lHlTU.gz[1].js

MD5 fbf143b664d512d1fa7aeeeba787129c
SHA1 f827b539ae2992d7667162dc619cc967985166d9
SHA256 e162ccd10a34933d736008eb0bc6b880c4e783cf81f944bca7311bf5f3cd4aff
SHA512 109ec6433329f001c9239c3298a10e414522f21be2a3d7b8a9eb0b0767322eaad1fdf8f5b11edb1f42882b4e75ae71bef7fe786716407c8efad4feacb3dcf348

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\DQQTu0f9ldw9QQHZ9i-TAYjSeD0.gz[1].js

MD5 30280c218d3caaf6b04ec8c6f906e190
SHA1 653d368efdd498caf65677e1d54f03dd18b026b5
SHA256 d313c6fff97701cc24db9d84c8b0643ca7a82a01c0868517e6e543779985c46e
SHA512 1f329898fa0e68f65095b813ca20351acfeaa5f74db886508fd4f1fa85811a8cc683c6fab9d9f094f596c8957219f8e29a6307ea0b2d470bdc809a4b9c9d34dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\LI6CzlNYU7PeZ9WzomWpS4lm-BI.gz[1].js

MD5 56afa9b2c4ead188d1dd95650816419b
SHA1 c1e4d984c4f85b9c7fb60b66b039c541bf3d94f6
SHA256 e830aeb6bc4602a3d61e678b1c22a8c5e01b9fb9a66406051d56493cc3087b4b
SHA512 d97432e68afdaa2cfaeff497c2ff70208bd328713f169380d5afb5d5eecd29e183a79bec99664dbee13fd19fe21ebae7396315ac77a196bfb0ab855507f3dacf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\Y806JrL6RagU8tqNI_iN1M1S1mA.gz[1].js

MD5 02b0b245d09dc56bbe4f1a9f1425ac35
SHA1 868259c7dc5175a9cc1e2ec835f3d9b4bd3f5673
SHA256 62991181637343332d7b105a605ab69d70d1256092355cfc4359bee7bdbfb9c6
SHA512 cbb43000a142807ff1bb3bfac715cef1240233117c728f357c824ce65b06be493df2306c7b03598817f09b02e9e36ec52314f88467679c5bef3ee1504a10c7e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\yjXVFOxf6UdoTA2BOwEH6n4ClfI.gz[1].js

MD5 a969230a51dba5ab5adf5877bcc28cfa
SHA1 7c4cdc6b86ca3b8a51ba585594ea1ab7b78b8265
SHA256 8e572950cbda0558f7b9563ce4f5017e06bc9c262cf487e33927a948f8d78f7f
SHA512 f45b08818a54c5fd54712c28eb2ac3417eea971c653049108e8809d078f6dd0560c873ceb09c8816ecd08112a007c13d850e2791f62c01d68518b3c3d0accceb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\ihC7RhTVhw2ULO_1rMUWydIu_rA.gz[1].js

MD5 cb027ba6eb6dd3f033c02183b9423995
SHA1 368e7121931587d29d988e1b8cb0fda785e5d18b
SHA256 04a007926a68bb33e36202eb27f53882af7fd009c1ec3ad7177fba380a5fb96f
SHA512 6a575205c83b1fc3bfac164828fbdb3a25ead355a6071b7d443c0f8ab5796fe2601c48946c2e4c9915e08ad14106b4a01d2fcd534d50ea51c4bc88879d8bec8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\cJksCHwhB_Z32I0ytWPMUDsybak.gz[1].js

MD5 a5363c37b617d36dfd6d25bfb89ca56b
SHA1 31682afce628850b8cb31faa8e9c4c5ec9ebb957
SHA256 8b4d85985e62c264c03c88b31e68dbabdcc9bd42f40032a43800902261ff373f
SHA512 e70f996b09e9fa94ba32f83b7aa348dc3a912146f21f9f7a7b5deea0f68cf81723ab4fedf1ba12b46aa4591758339f752a4eba11539beb16e0e34ad7ec946763

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\PgVOrYqTvqK49IEnVEVlZVYfA1U.gz[1].js

MD5 f5712e664873fde8ee9044f693cd2db7
SHA1 2a30817f3b99e3be735f4f85bb66dd5edf6a89f4
SHA256 1562669ad323019cda49a6cf3bddece1672282e7275f9d963031b30ea845ffb2
SHA512 ca0eb961e52d37caa75f0f22012c045876a8b1a69db583fe3232ea6a7787a85beabc282f104c9fd236da9a500ba15fdf7bd83c1639bfd73ef8eb6a910b75290d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\BmRJAuTc8UgOeXgJh_NIObAa5HE.gz[1].js

MD5 55ec2297c0cf262c5fa9332f97c1b77a
SHA1 92640e3d0a7cbe5d47bc8f0f7cc9362e82489d23
SHA256 342c3dd52a8a456f53093671d8d91f7af5b3299d72d60edb28e4f506368c6467
SHA512 d070b9c415298a0f25234d1d7eafb8bae0d709590d3c806fceaec6631fda37dffca40f785c86c4655aa075522e804b79a7843c647f1e98d97cce599336dd9d59

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\pXVzgohStRjQefcwyp3z6bhIArA.gz[1].js

MD5 47442e8d5838baaa640a856f98e40dc6
SHA1 54c60cad77926723975b92d09fe79d7beff58d99
SHA256 15ed1579bccf1571a7d8b888226e9fe455aca5628684419d1a18f7cda68af89e
SHA512 87c849283248baf779faab7bde1077a39274da88bea3a6f8e1513cb8dcd24a8c465bf431aee9d655b4e4802e62564d020f0bb1271fb331074d2ec62fc8d08f63

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\kzHfYwAwahpHm-ZU7kDOHkFbADU.gz[1].js

MD5 fabb77c7ae3fd2271f5909155fb490e5
SHA1 cde0b1304b558b6de7503d559c92014644736f88
SHA256 e482bf4baaa167335f326b9b4f4b83e806cc21fb428b988a4932c806d918771c
SHA512 cabb38f7961ab11449a6e895657d39c947d422f0b3e1da976494c53203e0e91adfc514b6100e632939c4335c119165d2330512caa7d836a6c863087775edaa9f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\GK9SuRKiu0QbKYnVgoAlgmuWrNU.gz[1].js

MD5 17cdab99027114dbcbd9d573c5b7a8a9
SHA1 42d65caae34eba7a051342b24972665e61fa6ae2
SHA256 5ff6b0f0620aa14559d5d869dbeb96febc4014051fa7d5df20223b10b35312de
SHA512 1fe83b7ec455840a8ddb4eedbbcd017f4b6183772a9643d40117a96d5fff70e8083e424d64deba209e0ef2e54368acd58e16e47a6810d6595e1d89d90bca149a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\5g-N9K-X1ykUl3QHEadPjpOM0Tc.gz[1].js

MD5 f4da106e481b3e221792289864c2d02a
SHA1 d8ba5c1615a4a8ed8ee93c5c8e2ea0fb490a0994
SHA256 47cb84d180c1d6ba7578c379bdc396102043b31233544e25a5a6f738bb425ac9
SHA512 66518ee1b6c0df613074e500a393e973844529ca81437c4bafe6bf111cba4d697af4fe36b8d1b2aa9b25f3eb93cd76df63abfc3269ac7e9f87c5f28a3764008e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9141e38dd7ed4ea8f008ac2c236706d7
SHA1 4fdb13d5dd4fbd0bcce47807bd6adff3746332cb
SHA256 f687f9d1038980b4bdedbd8592b8f33d84a95054ae938d098224675e9bfc4cb6
SHA512 350e5f74dbf6da4b5897fba557e129ac7722103b07f8ff8fe3424702ffd1507cd5fe8736ca62b592d6b781f4e14442d6ce49033009f640f721c7bf23b0b1799e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\43BJuM7qM_8Wd1WfIZM2_oK9zrw.gz[1].js

MD5 b743465bb18a1be636f4cbbbbd2c8080
SHA1 7327bb36105925bd51b62f0297afd0f579a0203d
SHA256 fee47f1645bc40fbc0f98e05e8a53c4211f8081629ffda2f785107c1f3f05235
SHA512 5592def225e34995f2f4e781f02cc2b489c66a7698d2feff9ac9a71f09e5284b6bbdb065e1df9c06adfb1f467d5627fbd06e647abf4e6ab70cf34501232126ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\2IeqNnpxuobNf8w1fP2Oy2HEFfk.gz[1].js

MD5 22bbef96386de58676450eea893229ba
SHA1 dd79dcd726dc1f674bfdd6cca1774b41894ee834
SHA256 a27ce87030a23782d13d27cb296137bb2c79cdfee2fd225778da7362865eb214
SHA512 587d5b5e46b235cdcdf41e1f9258c1733baee40b8a22a18602a5c88cba1a14edf1f6596c0ab3c09f09b58f40709ac8cf7e1bb33b57293aa88eaf62d0ab13fbf4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29b20a39fe1c8d3ade3c1b8f3cd94b86
SHA1 08b049be5c1e1443b38e3efb0c876138fda45307
SHA256 d22d669dad84a9573de873cf66469de9133b57fe4914f83b28d40939c986de0f
SHA512 44832623eb6e07742cd7e3f03657823248f0e44184993ad5740e57957067724d613a1b339541b9e6d39e596751c920fa396c45a94f81a263a580b7d311fd12e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83f8c84c78bb88bbdaa1d6cbc93fb77f
SHA1 135ae6090dd9f25c0ff4c6c380a8147462c9e38a
SHA256 53c74894a5377cce101b5d05995249ef3322e3a224b6d7d776c8b91ec97a8923
SHA512 7ce7ea1e7f74f55ea8ae2bef190cda9a5ae2bb2c51458ee92e42927dc5a2f11bcd97b61d3c093c7ab5841542272fb4470bdf077dc8d99e7c83d8b552cc83e0ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23959e5b24d859b0939218333fdfa1ad
SHA1 250c8f2de891f68c45dad2f84a2bcced8ed17e8d
SHA256 bd29952d5c1aa6999317fc1120109c14d3f30b1e82b344a71d0d80b95c7adfec
SHA512 09090537af2e58ca33d2a40aa67fff1ce43f1e2528abbda02b3a29056db38b132056c384b482fd497cf94b06a6a542eda4a2f0e403eec71df340569a7ee88a96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8a695e75799587697db5bb4be67e197
SHA1 e152f1eec6654bbd929b5195e8abdfa30be68615
SHA256 17e35619f65e3be272c784df51ffdd3181d8abad030610c2dcd97c479c6d7d56
SHA512 9b0313687637803756463d9a89ca9a3313bf217099bce4a1d845b4ddf9def2a979567dfec5fc48c9a40a49d94a5118bbd6938276a3e372a514b3b00c57a86c50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1193a84b4a7dd1fd6ee85c9a4aca8c93
SHA1 e5cb0aa5d933a5b8e4d3f15811722d070e259a9d
SHA256 ca73fcb104325b1d9bed08aae23ed5a3c8eb3ae19b500a72cb673cb9e6e29270
SHA512 4719cb6d3e0dd926db81d50fcaf697283dbeb83386a43746dceb14e1f55fd2e13f954a0d3a29525fb97dd7868bea062a922edee8534dbacf81c90935416a2857

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60dbc9cafea7661e660a1d44ac99a3df
SHA1 81728dbe2173b06b8a9cd1b8b94c1fb6193c7230
SHA256 c3eb17035c78f36948f1be5dec8179f13944a69dad98616ede665c7747fed7f8
SHA512 a83ceb149ab971107aeef41b53787693724fa5203227c27d63feaf8e13d7428bc4d9c25a7740d7a20435e991b83a2efd695973fe91f402c81b11c610c32b9a73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 604f067d056191e0d36a4ee46e60ec5c
SHA1 8555af0e0375c668fdfe751fa64602a325ddf9b3
SHA256 460b7d5d5978d311be723af3a6c01042f260e8f247e1c95457ee5186130f0dad
SHA512 43b27529cca72e0553414f867bfa84d700854747af26041dcfc3a2cc295efc4a43303e32f9de58e87a34782006bc05cd9e4008cda7faf1acdd1c7010cf93a78c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3562bb3a21aded06c2295f466aeb392c
SHA1 4416fd988f684ef6e2194f381f9323f9d721cdd2
SHA256 667d250f47af021272575a8e3d5c1c34e4949ee369f0db26e9777412eaf36dd9
SHA512 6e1d134e0b5219cf70a05801c85fb3be3396bf5a22ddad08f59e5ae4d2eaace091e5f60f88adaaf8dfc6bec050a7b19e03f657e031b678c0a24700e12805c93d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1156e3ecd512454ae08ce82aa445496f
SHA1 ae7f20979716b154ef4c912e646ea99b0805f691
SHA256 0ef866edcbe5d7d2f52cb0f71449debb8198106c3137b6dd3e54e9953b6a3456
SHA512 15d54e0d4514f39ed5c89731312ecb947e86700ea14c3d47acdc9a69c3ffe25e4a2750875a4e007c3083d6a07fcc4c38d74f85c42880622c374fff6005e49eaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b6fa43bbd4f8d7b585ee11d9760c680
SHA1 58379b93d0f0534ba64a019d5ca0ad1cea4f7c48
SHA256 b61bf8cf51f3bc5a7c60cbfe22972c3257b087f70bb5443e93afb1d27dcc7457
SHA512 0afc15c266f83e0bc2a74c3c0a17c46c81e62d7efde0be8b7ac4a15e0a0c0192fbc96128112c10bb1ada70ca88bcbb40a54d6c7874d7ac61b7f5149810d4df53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 477f9c463ef2e26574a748e8d90e8663
SHA1 d70bc155ff4ec1d98aca0143722574e748e6105e
SHA256 7684a9ada75e3e65cffcae6f7df97d5f76ae61cb6b6253f306edbcc3b36b1070
SHA512 62b00ae3cc1f88c8424b266ba49baecc7a02938571644411259cb9274485629995451a3156a8e22748ec0435c7d38bac0df67eff8a2dc1214ae61aa7c0ebe9ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 411830cf2102fc65568e38815b79e8c2
SHA1 b0247506e059f5f90df5cbcfc12410e2681dbcf7
SHA256 67d4b995834e30f0580f583bd80082f901c40b3e5b88d34178e91ca0b7464a26
SHA512 aaf7c41b34ed001497dabb7a83a4d2b5d717d313089e4f8fdbc9fa8b8b850a898487dc7d54eaf5965b9826f71062ccafc4c21e8392e3500da6b2cf7e048cab37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d8d1148390ea1431c16b3550e9fa42b
SHA1 b0ed8b94e2fdaad959ba141e7477fb6ea5decc18
SHA256 c766099b1543ca7f5ebf59528f229fa37ee9e5fd3299ef34a5835f82683ae4d1
SHA512 8ce0665fb7ed1a0065b87681e6ec927d136578b0538038232345be63f229145f32c5499bd462d8b93190ca8f517370b038c65b976371e35a2844c1540a42a01f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad3ddb445e8833e49b38b782bb1d8b93
SHA1 29a87f75c0a554141b1a179982e8058b31d1f167
SHA256 1330990b27d1f3f2047bc2618f01a08757ef4f2b7011a1447988f16f3787ef5a
SHA512 c2e147796d886a37ca35d773771935340471effbf82db7ac0185d4e23edf6a20f29bc0c343aed2c7d570663aaca8da904cf4bbdb1377c6ad993cd4734e5f84b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b12cef7664494fab92036e8897975d8
SHA1 97b171b23fafa12e2a6421c302a3051ba0ca2a10
SHA256 b5da33935ef3d1f23bcc79b9c901df7aae88a67c6e8e9623f637ba1ad06dee46
SHA512 911022292b2980cca32c1531c7e893004a78a0d1dde8c6d642e862cdfed23c7db78a8036762cd1682e24253fdda686c552ffd878ebec07106cabaa10081d79b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64a2de26f92e499dcf3177756ff33573
SHA1 11d083373139def9c863efe91c28c90cd6e15f0f
SHA256 87ba00fa6b64b50e2056b54d29f5e1be6354b2ae97a493d020e6feb64e9c40e4
SHA512 de6368c1f1eb13d3da18d7d5fad349377d87b9b39075c19b28012792a3561e318b38e269097ac26a23604c3ba911bc811ddff4b8f566adaa5d5b2cb4b5f301fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28bc80443751f8ce5457f401eb85350f
SHA1 79d4b0a0f2898be23049618030b18ae6f380bc57
SHA256 5d3a2984736ebbf95796baae96d8bbad57d2f192865b31e3f58cf8774595aac1
SHA512 96db1f06ff7463efc7e40a469eed058e5d2681a2c9657e4a3e1614d344bffc2e475fe85590b6d3cda94de63a3defdee5648099a8dbfe70f878178b08bdb1c29c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2595bc52552fd0ec2b65b3b220f09eb6
SHA1 efacdf0ac5349b98ff821d5f0e573a303d99f135
SHA256 5bd3c03acde9b5b305ba27a37a506948d58771e409be53cdc5affd0dc71f1f94
SHA512 b8f66517fb01d98dbb49f6e2759ea26583d13cc778abce55c59b29ef2e8c218c63522ea8722546e5f23ab6a137eb470868e55a80e9c37aa7f260f4ce7966fe2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51ab4e8bafcd4a72deef519ad185e2d1
SHA1 5ebf687a4a88a760e407df9115906bb280b7f40b
SHA256 a04729c9d09d7d6c43b0eae6305fca85fcf73f028bae2dcb8661f8c7b79ccd0e
SHA512 aa21a5574b93976b0c689bdebb18b393b494d636f59ff5fdaf1a1a36a0f6dfbdca43458abe0a6b8ff5d27f784fd50d40a7c893ee32fb99458010d8ecaa7602d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56f62279688dbe8a4dd466ce77878def
SHA1 0d83034f97b535bdf90ad73bd64b98922c607b45
SHA256 489aa4fd315cefbdf841d5d3ebbc1d1f3df765b9a71005fc49b6f326ad20f0b5
SHA512 eee77452cbccf905ab5f263662bff2d7e176f2d71ea06b2b58beca91d41522cbb76b8959115b9fe358afca922372f91b848052381e98c40a58ebff08b38c50e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b42843579526865f9bcf482fc74b375
SHA1 a5db11b10cf90d1ac141ed6614d3ba8b7dd8b777
SHA256 570d46e1e50e740ca8ab393179d6b52b37bd8dea418aa82f38b43d32855e92fa
SHA512 f043162bf7edb0667be967a5ef4771819d6ca03df5590ea6377248936b3dcbaaf6587b02ed03550b6d6494dca6859290c34e7dd2b743ab0a4cbaaf441e610e5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a23e3ed70290fe5fbe51e6469095097
SHA1 6e07b75408717cf947a40668d689c9d7aa85643e
SHA256 c77eb83c1580a22ec913627e7ebd1ea932ffecdcfb2f07c5a1697e5e654a5a8e
SHA512 ed9b9cfc5095960ca741d8b86981c78f03a21e89461e5a5de8e9dc9c98ae378fbe8c5dfe9c50c6109d2b7f121063d27e94c891d57108d11c3f51cd9ea7003f04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 186a7d4a8192898b999fdf115a98dfe6
SHA1 05d46ddc95be06e24f5b8c8cc346575ff5c32d26
SHA256 4f48252fcdbc16e9e76bfb19655a230716b984014f2c81fc53d277ada0ef437c
SHA512 f8225b38a954ae2bfbee1b5219bebc79bc014061074bc16620152d40a1dae18ccf9a0547a38793c82b1a13466e5e7de6c585607d183f16f26d1ae6aade9310c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cd6bf5cb9b12415b5cc9404ef4a46a6
SHA1 ccdccbd337ad6f52d2c583726f902cc526413cb5
SHA256 b0bb96d1a99c18b7e9de1b70ce30c4ae50b6e0b596bc1e029139bec3660d325f
SHA512 b6597ebdd16c40a688b4acd9c54b52ff622e0aea36baea80aa6251d401095db91e56a94469e5fbd9990bd92eba6dffa3279d4ebe8a4e4b852741e4a7bd88294b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1c4e4c4090f40024dfb3036da8c1237
SHA1 8ba19a21cbbbc497e32b1a48b395a4edd6dc11a4
SHA256 4b1b39d15a6937cb11a3bc544231c8dfbed2203e83aceb91e81e69aaa16199ef
SHA512 d08ad87970744469e318a804f01db71ca137844f02670a7ff2539fc4acf296ba446bcc02624f561f219b0f8cdf01e1235aaa6eebac5c421bda17be72f3d86b0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd4d540963947c8650cc854724173fa9
SHA1 721e35ab082cafae7e2b781f6dd17cb5bd2002fb
SHA256 68c064345d4edb47aecedce87b7905ddd328127167ee22706e9562df914f9641
SHA512 c524e727cbceac6e23d68eb8633bb6e3c13f945d21e82b162b1c85e92d2b99d79c4aa3901108bf9eec9b736f151c3578e7330bbde0a3b8c5d7095aee38fde515

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd77789d95ce3aa64d33318ba9c27700
SHA1 df41f6f1f3eeb581a7e15b111ef4206881a860a6
SHA256 7d4abdf2c9ed45c529d9db3a06c5acc80d6db1028586d35fa5b8405feaf1ccf3
SHA512 ccfc766c14243a25b3a6b6a8087edfe6292330f3b525f819ee35ed0ecf9d99360ebeb11c27c0140093fac5a5951a3a8c5fdb2260057cc6fa13b39de70aa6259e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\MKFEkvLeq6P_lkpF2o1bDYiWKSk.gz[1].js

MD5 370c2016aa828eaf24be5afb06bf2196
SHA1 0cd738ff493f615fe70cca77672804b5c1fa22c8
SHA256 0b333d23506560c5808011b1551ff6b292a9c243bdaf32d8e1002975ff60b489
SHA512 811ee12ac91e5d7e7aacc7f6ca18b4ff877dfe297931b9a09167cce7cc7210461bf167972a83a06eb9846df43465f36ef30124967b5d410eb72c4d21f8441ba6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\njelUYNJ9xk_aIzI9GKLCNIsxD8.gz[1].js

MD5 cdddab121eb434876615391ad4107b9a
SHA1 8038444c80b8e76ddf8ae5c00ab5784207e5aeff
SHA256 243d212a9ff764ccda9b19c3c823b2f408a0718e56a3e7a8b5b533e108db56cb
SHA512 1964d190bf10b9d686626097188b6d0b2a02c0039993d97a135355d8a44399ded3d42465d1edc7b55287aa9380835373fd921c00cf92ce234cce92b0c2453084

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\NACWPdOF4HnKbWwzC-p9GBL9pxg.gz[1].js

MD5 0d6e3bfdf696a00c29c14c489dc922a7
SHA1 0bb596bc687494db7b09e0be83f8badacdeac1c7
SHA256 d6f7536ea498edb5c0519ba9ace01344bc0a11720a478ea8498ea1d2b3081da4
SHA512 837e125f59febc5c4449a28d6aa31696cf999d4a8f30978a228c6365f638d56755f0464938caf931c07fc1074b2f0c92c12d2c1f575d4bb3abc5fa698b32913d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ed64af07d2a6b1b3625b2391b56a366
SHA1 298b4a217a890a8be76dd0b2d2411384c9426d13
SHA256 36307ccab33aeab8f68c2b4fb9ac64232ca1553ac14c2a4a59255248884ac789
SHA512 c2b5ba98c4e8cd1b5187e2be3d048c05f49e5151ed32be96982061f8e3b845b1888125752d60a8dbde864894629d4fe59d3552b2083deb2abad4c88bd074e125

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\g2mFaePdYzQOubI8JEItbebrED8.gz[1].css

MD5 6d94f94bfb17721a8da8b53731eb0601
SHA1 ae540db8d146e17cfc3d09d46b31bd16b3308a6d
SHA256 21829c74fce2c9bbbb3099a7a487de71465ed712410c32bc6c69884db07a90dd
SHA512 bf33fb4858b56f888108bcd5c2691613b68715e260e59c1e37a050a709be04a8e0eaf5509667183a0d51f1201e58c02df4f744a0772242ee5b61595c44c072e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\_ykiGO1K5rjAQeICdJheT3jfLeY.gz[1].css

MD5 7a903a859615d137e561051c006435c2
SHA1 7c2cbeb8b0e83e80954b14360b4c6e425550bc54
SHA256 281d6234fd292800c2a5dbd14e524c9cee0d4438188b0b7d873abf41515a7666
SHA512 aa47efab7ec689b838d1e5adfe26e035e8b93f2b806f1954214447cb2065fa5906f81a70b4c656b3ce1490d8ac2009c7e7b0f96491d6d4559c41fb25d08fe35c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\VbSztIaSY8XAi9dm3h6m51N3zH8.gz[1].css

MD5 f8a63d56887d438392803b9f90b4c119
SHA1 993bd8b5eb0db6170ea2b61b39f89fad9bfeb5b5
SHA256 ef156b16fdcf73f670e7d402d4e7980f6558609a39195729f7a144f2d7329bf3
SHA512 26770bb2ac11b8b0aef15a4027af60a9c337fe2c69d79fddaa41acfd13cac70096509b43dc733324932246c93475a701fd76a16675c8645e0ec91bd38d81c69d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\tPLNa5UcMaQEzzg0acZfPM45N6I.gz[1].css

MD5 9baa6773c6549250a3393e62c56eb395
SHA1 5bb4eead8609cd30b9b96b23ec4fd0082ae64c1d
SHA256 dadf403df8cfe888e59e6a051aee3783a2bf0bcc60dc1d09a7797daaee726ca2
SHA512 cf12319cf07897864828d9c950df4a98a0628d828a7fee75f1235fc5d3a57c90a40b5ded2743af2e62b1d13d3f6be0d302ada054e7c0d7164b8ba12054909b8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\u2k1jj84SPAViWHBjNpkhFEunis.gz[1].js

MD5 be90c5657fc460ecac37e9562a61398e
SHA1 78da66ef6053a78cccab6e0d6bd7d7d18c6cc3d7
SHA256 365cd55be8d007923569c20fffc7303d0b2b99f176ab5a99fc275ba1fcd65fc7
SHA512 778d4fee82c12eb2816503ad826ddba720dc29944f9efeffb0a9fd2457c1fe9cc3870f6024f22044f98a50be06ac1a85ca4a8c51fb0727225ea281c2bae03a10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ff6dd81b2fbe628b54881eb79b76de1
SHA1 1bad5c00db82b6ff8f264e91b29723e6c70af8a3
SHA256 ab464a9450febcb5a36a227974b07139f12a1fbb2d55df731b86487168fa3421
SHA512 e8652ba0829233bdfde732f8abf8e06b9cfad18f739b2ad70ce42b768a1ec0de8544249f9c2ad2720aa0812e556b2e56f5866f06e34f5f83b501f805de87c654

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 764d267bc7d26315ccf408ad0604f628
SHA1 3dd1444500705cd922c11ca6883879335876ada9
SHA256 f5f5fb811853e2cbb17eaf1882a3bbe942ddb569cfa437cf9f69bfadd729c0d7
SHA512 c0b6ddc430ba1a7d4012acac8e690ca587cb0f66e9e14872b33b2a084bf9d7d671e161c546f691ff37e3214b2887b3a2a0e05e5b96fc71e19e0ac007441b7acf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 383063a5f79cdd5742a506014a851bbc
SHA1 8e18a75523f4872e3bdd54fbdc1bb1324cd375c7
SHA256 2e7e405f9e068000a465ee4db164ad3b9d98d7a4edb3f5f6fa00f5db4a003aa1
SHA512 9db4289f61de18f4d93801f07e6a48214faf065b8b7de67ec0554c40682b4ebab21c53a4f96da0b4e833fa989873b008a6d293b1e69f46e8ebc4ee37711d4430

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ccc9e6e92f4ac4e9cd1bc05a59c206c
SHA1 fbb719ff4e0a0697e2fa9a1297e8c9020261ba7f
SHA256 2f71da21615b8ba87d3c95745035950947120b0e5418da3566575da7439c8420
SHA512 382456bde1e704ab37e501e9618d67510f463af684f92f948703500153444c1d2b820fc60887c4b31f0a76ba5ea59cf186429f055cd3c67a15308e456b7b4bce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3eb11e24ab7330a45a7f5c8bdb00eb6
SHA1 7a55354e76aad99e91953d52070153888d3eeb0e
SHA256 758f027ae44964bba863a625be2ef1c229a99daa7df2d19c43986692e4dc089b
SHA512 4a99be38d8ca305941879df2a688705be130c18c00fdad4eb6f9136156183bb333279db4d1c8a8065309805331dc89bd71e958794701213fa0d6bcfa2d8ca512

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1945438a1505004e9c1e3632a34774d
SHA1 d2035df72bd495413b227f2f77cf2ce8bc053927
SHA256 4ca6176b309eb863cdb2872ec8b4269868bd86f17bb00b2875d8208d88b4c447
SHA512 2162eb60acd9c0fe48dfa69ad8c439af3cbb7c05e72ab0189424f3f433d613b91836a809e02cb647d10133d6203a281dafb60797b51627abf7e776a7ff8c3d72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8e00283988390eb7b5a9fe21ae8146e
SHA1 b5dec2bc3575ca0c070208f8dd39b60d683ec2b5
SHA256 e4203b4bbca6c47b691530528f4d5bf527ac9a6b003fc413bd17982ea3477e57
SHA512 2a4ae9c2d9faba894fc94fd5ac258498c90edd6617e4b19e7d7a4c589265d9bc8173dc57261f4780d83780ba9a477a13473297dabffe95f347da02d115adbe04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37c2ea72908f418cfc121606bd8b0d9e
SHA1 6964c7ca1f6fe2d23c3af4e9bc639fee16b794a6
SHA256 cae8daebfaefd52c232dc8e350be4e9c3dc2ea28bbeb80a7b85c9a9d38d1a525
SHA512 04ffb10697e6bda7e451cac9a1db0d6ba053b31ab73fb6c0debfad86d0586aceab5d53edd7662c500a6591db5f052c4cfa90837af8173a655d5c65ccd482f3de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f3424c7fb18803f07ca8a3e84b32284
SHA1 399ab02e57b6c03c968411e44fc9187cf9315bbf
SHA256 f64a548f03857ee84e7303ab87373b00db534274abaa1ddf77236f1c3b3cedfd
SHA512 008b2b94005059d074dd30184445bf83dcd6c72dbf73cfb8077487c5552321171446197bbc037e9c4c723acfb813474a234622a4bf92db4c6379457320cee292

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 177870844a033bc7d8a978b31deb64e3
SHA1 cf873f62361a4ffec57114c297953fc0475fc4c4
SHA256 22c8397d94c86c4211ee916208bd4c39b6d5be418154fea58fbbbf30598ca15f
SHA512 4d0b67f472689c2887590222ad38e899fb2a23ae2e7799b6340eff934f81d1ec61a823acf2fb12dbf432fd1aa874f915f43b024310e384cbebc0ee34b717048a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61dc5758b9d9240256cf949c7590b794
SHA1 acd7031f867de487bbee9aecdae28d41d855395a
SHA256 76c3f453905ff3fa1e253fa420198af28faed596def22b72a67ff2b8b252ba81
SHA512 ff330f9d260c3b9dfab3d9c561ea88b4f0f37100f4f586d1376befdf009f8802b3ade76341bedf4680777fb59a3dacefe48a0d968900035825acf3e58b136ec1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cb0b7c9430f285bab694712c8daddb0
SHA1 003ed4e23a3288208b61553e2b5ab6ae06fe54cd
SHA256 6e7d15d0d64c095fdffddd5993938c36a7f5217d43de2a45673f4b17c06a0b1e
SHA512 ede22ade413ea091bb2be763f5734899dc60bafcae2fcf86898d063ff29066783d874457dad7d2e4a2621acfbc2a5ac0183340d64fb8a7f2070b6a051c4e11c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a99a4545fc70c424f9b354ea5c9760d4
SHA1 dc4c663f27b33facdff3a993f0649d328dee47e5
SHA256 486d1a0e9f498fed1ba89308f2097616e693cfdab0b73007e078f91a3070ce5d
SHA512 e5354caa002c41a95e8c26e34a4bcd1bdea8df5abc8aa508f5431b7dfcfdf9899be99ef564391ba1c3c90e1ec28898dc1b58b418b4465e889bbecf3ba0da887b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1be2186e15ea0f36f4bb51be0af3e1fa
SHA1 816887eb7c0e46cf3ec40af211d0bd0acc11c1a8
SHA256 c25135519eb7b62516daecf0388808e170b74f9a73911f08be735cb91befa6cc
SHA512 0d5d320e93f070bb1dc24715a4aa718ac0a09a7be29032ca104841f6c32ae336b0d78c188ba4922909b5e44c813eed8eef824d9168761711aeb5260888042059

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a50fd3e1a3f799f6a15758cc2b91669f
SHA1 4a6617df5b50aab6b67bac1052c5f4965d16c530
SHA256 28822e05f07c8d182da21ddd9704ee75945b24cb5a0b5aaaf58b967984b553fa
SHA512 07a85e423582c01c6965e21d948229614001c674a89dc602b7eb0dce6a63bccac102326ef01f3e1bc0406c27adb10ae35f7d789a812f4867f830a9465c1215ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd312c9e1e1ada31ecb44a61da758488
SHA1 a6fbc672f1ded2fac6f81979e78b07922df8657e
SHA256 08e818aaca6832c58c0ea9dc0a62024efe01c97580babb5770ad085e614150bb
SHA512 07400f1b15d1c46949e54e2b79d98a0e81b43088d369cc0e90847dcff0b958a6dc500dd9176f5b218d4e43f64b3632b26bd2438db88db5444f8f7a139aab2eaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52316724bcddf6c893e261ebf2709e81
SHA1 54c6014331c3a561636b49e419d49705d3e2507a
SHA256 2accfd141a49a9251c0e7b78b0813031f082d68b4e9eda62f455cc047a8a6659
SHA512 17988018d7eea5f88edaad46222cb242339aa3531ed21c5f616dc60af7074692b9838ec19636a119ef89f580362cde964b3e3fb0bbac82e540b6bd3ee7197e25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94df1deffa8685be6541df66256af024
SHA1 afec075117edc50b6681d4582039b23943e5a4b6
SHA256 a7adf969fde685c54fb98d5a7add3763a4ed4d14569af5d18f170498240d180b
SHA512 668c499dc26aa740b46960b9d56bff9ac2ae087a375c2b750b1a0a157bd0e2c9d58fe3f940f3f04759f78fd14e386144c308d76c84f88638c465ab2449d7f89f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4417f96c573e006334c36d0bc1a300cd
SHA1 b8d8d6b0bd95201a210cc5f15e15804d5c69ff1a
SHA256 c0318ad3ef13d126bae4315d9deecee25d010a60132061881a34f48a4705f809
SHA512 417550d736b6efa8100893b52eed4889dd2c641d85dd4d697543f3b851a2e2e16f2275fd3b60ea5cc0b9f13e7160bfb0c8a4d0afb6f6b09c13ba2471bce0ce4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a07a557a63653fb81ed20cdca4357a3
SHA1 d1e85b38ef6b93865e8c6b21648a3bc03e21c50f
SHA256 aeec39db3443a67c9bc2e74a95b41cd4185cd1eea254e50fd1476d0f1e5455e5
SHA512 61e76acc3ec794cc1dc8b44f3c676bc824957ef77afa443af6a4578beee73aa57c74af41679dfcad283f6db564278fb645661abb2a06d1eb09f8b37e695c3b1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d67893802fb74ce2da0aa32ce14a213
SHA1 57cd0e82574ac4eb5c33d81a0a559ad66b335215
SHA256 e58ce493125549a1c81c6cd994f50375b8c8d4912e161e86f351f7a2c3de6def
SHA512 cca8ae34c1de51be75a51f26eefe1a681879c527f5afafd6b71cd5d3f864f357a4d6345158c10fb829ef927385bbcedef044721a668b8fd139bb4a2774983e2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b28f5fa559204b0c21cddd9ba4031cd
SHA1 4ae7cfc61e73531fb51fcd110d672b321c1a4e0a
SHA256 38a8a50aa6541c4c78d7a438f157b5e29a49facd24834dbb1cc6a2b2517e8a6b
SHA512 53a577aee7b7cc49a74dd384b67491a1031bb306185ea90fd5eea6a68020cc6874e0e750ae95d3cd82184bb5afc5268f920a4e281c5b412ee341a821ca227177

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ad354f1932089feb5572cc9dbe25f37
SHA1 e60b7b017f4b3c61ad9fcd985d7433421b4effa6
SHA256 73aecb10df352a7584d5acbeda46c0e0c668c90757002e7890cf93695123a5e4
SHA512 feddfc509436cdae5a16e1d70bc8e4714daf37d130ee504863a1d59424c4ee3770f6d4b79c7f2b3016c2e853ad87997db84fe25b9869af34b1fe60d8ad4d1f28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec9c0df37a1c03a0169a562d475009f9
SHA1 2197b0527e936a53136206aa892994200b3ecaf2
SHA256 36ba7a88f92ed9b1193161207b3275c9b0b35c59dfe68d03082376a6068153ef
SHA512 03c943012ece7d4ae9855ce9568b2d1aad83cd1909ee27b5adf25221666ff302007255201cda3c099595ea2126fb2e003cc1e625bb6674106f01e8e78cc5def2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cca9539fac8a85109f91d79fabeb801
SHA1 2cdd0569e48ee0924b0dcc40030abf36a820848c
SHA256 0ab950ef1fcfe7c8d15c7620ceeb3dfd4670f3e71fb94af2019d5c21aa705a2b
SHA512 6b9d6ed0d2aa5f89978f20a7ff9a85f647c96f92de88011c5cea9abff9dea174d8ba8e1958390df3ebb6a96880082250379501ed4ad35e7ff55fd28be3897829

C:\Users\Admin\AppData\Local\Temp\~DFA1A0ECDD8B8962CA.TMP

MD5 cb57a8dc475e9658b547572038caaddf
SHA1 a3e57d2bedb444ffb929126fb6455ae7e1dd2e80
SHA256 ba0694a3ba24cfb559e65ebf41dbe49431f1a35fd918ccd7f08fe191123401ab
SHA512 d08bf82449a7bcf0311164f5265a87921b814ba5fca97bf087e367f7313a53d9b39999c4881ed2de036b61a4bb30a09bd064e03625a02be328246884f5ef10b7

\??\pipe\crashpad_856_NMXHHAGUBSJXALPH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf79d73c.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f2eff7a372f5405c3e60498b4422bb68
SHA1 c8c1542033c07b3c51550f98a2b98a2891cb308c
SHA256 0570bfd4454e9e652d21e635b14b77c235a6dc6a00d5ca0438fa13f6b02f130f
SHA512 bf8d80abb0889f7aa79fbd0e4771788991e32a02303d9f28a4fb56bc1d201fde84954726e48c0c77dbb2e2b7540686ccd4e997ceeb612d0aafa4ba352a649013

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4af2782000bb2f9ffd7af08c7166c2b
SHA1 b1ed744c326633654068eca972e2177c42b2a525
SHA256 a80c01f8e2d64c8d74bf74ff9b769baf8ad20d57ae3668d84aa82d0dc8a9c3a6
SHA512 02edb9c937bbaff11300cba68f79e37d5546c8a758d6698bc30c7fb145679c345389d790a183d11cea5f3234a6e7c8f1e28a13fdca7e14ccb21e8ee0663ffea7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ae1bccd6831ebfe5ad03b482ee266e4f
SHA1 01f4179f48f1af383b275d7ee338dd160b6f558a
SHA256 1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649
SHA512 baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1a1c48f50ee94d53607738ac6420a416
SHA1 1f560f6e773d40832d951c8de7b7b907acafbdf0
SHA256 c7f907d4699bb151f3610f60103e6dd1ef9bbf6c4d921f710167552844d63dd3
SHA512 11a30afb4093763d6d4811a1f0d156865475120d68deac33a2433044d80913be529b8e6df95f1eacf1497e49c79bfcc501ddb2bd01959e497f7acc4fe33ef17e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 2c96ed4c3505123b992720652bc3501e
SHA1 a72bad7c05f463ecb29dac6fd0af3f8797a955e4
SHA256 bc869e3952232bfb828fed801194d715140080785202f33b64e60f37f337a8d9
SHA512 6eeaa591fb8ff1074121af2083ba091157791ce976ccbbdc8eb804738a5794e0fd7cc3007c33d73124c136c242d71ae3ac5cc7ab4d0c85e559b6b7f5db118f67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ee92608add148cb4f9dd825bba0f5bf
SHA1 2c29d46abe1c25708ecebac4eeb8ab61252b75bf
SHA256 6cc227980d33d19d7ecbb58796d4b32d22977045a696a7f48273eec55571fd14
SHA512 1525cd7a31c6a08181fb2695f73fe4c2f85ad8425557bd3c1e248aae631d057c1d5cee0d15b546842b16c1f7b041f26959996815d5322fe43f7dba9577143761

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9faa2f45a2d7c8960908cee6af90d18
SHA1 1841f3a79a4e0b3770efa0cbf8dedc1eb04b092d
SHA256 c75a6b91fd7c83e6a72941e5463f73f4b853f8ce5ff5670f0d8d45b2a9987862
SHA512 3afeb9d21609dfef2f98a077cfc379ada072e7409d5676fe15631a35b8da407a98decdf7d66abb33b43729e21b5f5ba7d059ab9ea32d3aad810a671f97765399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5387ac18404637038d2adb30a07938e8
SHA1 5b18c29334c7dd312e3c2ef73a8d0bc074254610
SHA256 cc6857b603737a7b0af0817db370713cb72cb840490824b7c2098c2e43b02da9
SHA512 5bc41a1c1832d44150732dc891d4e2eda860843e6b8ca2b3dcd4cab9e63fd743c34e8914cfef4ac0e99e58c1e174bb5b8d340838bf5232cd677f743937aa48ad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 107a7b28312aecf10a991619e11ca19b
SHA1 8a9f5e987d062cf24f19d6791fe1d358cadc9d1d
SHA256 a151f235e06bdba433167a593a8888b547b841af8c644ae3225b82b22fdff0f8
SHA512 fbacb97f070fde07369b75d4cd8640ebfe8685dc35093e21b3cf7d4658ce34fc47074f7e290cadac0d2450676dcb77db3c182dcf1c24b732d1409277febcb89e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1aa14865de1ae7cce28c6a2d8382dbfc
SHA1 0e0868deffd0ec8bbfb37afc0f27a1eb1df82084
SHA256 5cb575b5186989374477645d1445cf166a717454f4a2e905338f1c7d55577a6d
SHA512 67adffc49232c8a17f7bcee6c9d39451164c740a23069a39d0eb6953a36139806b6a23ac459e221fd26fc00ac3b8f06ef9eec1964a33786a2ee30e8b06f990a1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 148c8db5f21546333c8581b36646b47f
SHA1 2485224ee714ac9b8fe149f76367a36392c9e84b
SHA256 4a4fb3cbe1ab66e781515a3b6f4441e82d2192a1947a9e506d56810388b33dc3
SHA512 95346d339cac6898c085dd4294d18da074851d899f6f2d6fdf119037daca843ab0db1de80f4ebff240a93f8a1d5c434c64e7f2bb5c58dbd449e6f930822e2abc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6870f3356c8087d1ae6a9b48db429d50
SHA1 adfb1f060e141e7d3cc0451ee70149dab7e9a15d
SHA256 d7bf9aeaefb968485c63e7f310029adf5cc1137012cdb3d9517542cad41e8dc4
SHA512 9971114ce85a1f937df3e39f8370a585db27694e146dfe1a7aca4020835c1866f001f262b89824f2c6fbcfe5f237c188ddd917c8695079d120f68e24c5b41096

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7fef8e68-b940-4401-aa96-946fa0f58c43.tmp

MD5 ea5883040b5ff5f992ab029074eab6d8
SHA1 a3c6ce68926cd89ba2a601cc20f68ef405056d9a
SHA256 4b97d32fa1ca0c20bdbbf2833a26f7e7511e47bf873526d2927ba1c525bffa89
SHA512 f1512a571a3591f01d4fda850625d97b312c8902372ebcb331550d1f1e383f072785bf7580b333b7075e9140e86ced3717d233faade4ab6f9f951cbf26fdc014

C:\Users\Admin\AppData\Local\Temp\tmpE032.tmp.bat

MD5 94a6eb6002be4882fa8447e7d7596e6d
SHA1 092c63ec1f989a46862164f92f284ca1ac58942a
SHA256 2f47fbe7580dc60507adb63f0c18a271552730d091c3374386069638bef0aa41
SHA512 8aebfe17b7a6539b41acd68b6a3b0fe854c1360a5eef55db44a2bcc379d5c969cc127413d0a7e1723ccb1f44b8b478738822a3ca329134bf9afc6cb0151ff9b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 17:04

Reported

2024-05-31 17:22

Platform

win10v2004-20240426-en

Max time kernel

629s

Max time network

548s

Command Line

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1576 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1576 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1576 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1576 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\system32\cmd.exe
PID 1576 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4948 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp307E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:65468 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp

Files

memory/1576-0-0x00007FFA35933000-0x00007FFA35935000-memory.dmp

memory/1576-1-0x0000000000AD0000-0x0000000000AF0000-memory.dmp

memory/3712-2-0x0000024A71CC0000-0x0000024A71CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3rolm4sh.gnq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3712-12-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/3712-13-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/3712-14-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/3712-17-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e36164c76778c19637405adc15c138d
SHA1 5a84b55368cc3c58c628aef578b658fede2a27f4
SHA256 bc9323059bc4e6793598b39d942be6720745037ded472e084f2b2b4b60d07f87
SHA512 d2dade91b8654b52857af12addc756817910463d5cd366fe9a13d6b23c3f2024ee2603b094bc03815b5f0f28891142d914aa65950e8a073961a4a5a312c25ff4

memory/1576-56-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 69c00aa1f2cecc09093eec932c788209
SHA1 2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c
SHA256 c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2
SHA512 8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214

memory/1576-60-0x00007FFA35933000-0x00007FFA35935000-memory.dmp

memory/1576-61-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Delta.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1576-73-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp307E.tmp.bat

MD5 e4ce1b5295a8e890101ca100159d0174
SHA1 4de4b9ea775777f4134a96946e78940701b3a4b5
SHA256 11072ca2adb25ffafb99b9d71c79b4477b6490994112b67934d7e974cac6794c
SHA512 d01e7d81ddc3990f6b55d5c92f39186d0c76edc551f83843a4f8bfe61260041c4624e1b1ede0e393eda3020596389722b91d038d3d7878bd67028a433b996b93