Malware Analysis Report

2024-08-06 13:01

Sample ID 240606-r8agdagf37
Target bat.bat
SHA256 d9341104a2652818874ef0d35d3869ae9833cbdde5734bd3d3f82558d7f3cdbe
Tags
asyncrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9341104a2652818874ef0d35d3869ae9833cbdde5734bd3d3f82558d7f3cdbe

Threat Level: Known bad

The file bat.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat rat

AsyncRat

Async RAT payload

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer Phishing Filter

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-06 14:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 14:51

Reported

2024-06-06 14:53

Platform

win7-20231129-en

Max time kernel

148s

Max time network

141s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe N/A
N/A N/A C:\Users\Admin\Desktop\sheet rat v2.6\Client.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f0bf790721b8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware

Modifies registry class


Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\sheet rat v2.6\Client.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://oxy.name/d/AMPh

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\sheet rat v2.6.rar"

C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe

"C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\sheet rat v2.6\Client.exe

"C:\Users\Admin\Desktop\sheet rat v2.6\Client.exe"

Network


Files

memory/1988-20-0x0000000002050000-0x0000000002150000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1460.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d2a29afdd70012385753797c487c4197
SHA1 f9b8e20ccd50067a64c05a1179f2442643e4e1c8
SHA256 1360922d8cb178f3b7039232b534a2bf9846213e8f54328a3c4cf9127780eda8
SHA512 f7c752f81adea68d4081e4608cf17a5a4dedbcafa42b91cdf49777225d5b234dbbb4f50978eff639c1adf286b4920caaf5f0dcabdcaee623b61c60f1a162b635

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4918dda7e2a0aca40f58946eef762028
SHA1 b114b782ea17048b62c02dbb1cd12183d92d02e5
SHA256 0839cb7ae38964928af624cc0e4350a0cbef704ae32a8b381d9755d74159e87a
SHA512 9a5cb2cbfc9d7543501f42d8e5659fdafe671ba150d5486b4da7ce469e1dae9e7da702f31009f2ae4b4286f02f11b12a3b44af46d1cdb51497add845f46efbaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_D727CFA7BCFAF501CEA426110263B756

MD5 b3ac79c0be394ead6cc9a058a3705201
SHA1 7283b515385fee49e53f0abcb14fc2c113feb73b
SHA256 e34525fdaa09373f7448498a9d07d914cda1af4c71aeabe93222948a367f86aa
SHA512 8b3f0b10915517f4bb5ff0b32ae720cf373e154e8a9352ba8b6cc69d1dea57a2704b32c16575a4e60b0213cdcea65b9df23df015c9268650a26df499320474b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_D727CFA7BCFAF501CEA426110263B756

MD5 6c89c3766a351e9f7c243836ce50a1a7
SHA1 b6239d9107b7527ce8e48411a1264e4df947fb60
SHA256 6a24c18ad79b14bb350f311e8c452307a8ea27b16b1d70b733a35003ccd783bc
SHA512 e3d4e1e3dcb96ecced1566fa3fd5228e675ca536d425df39f083d9225b4fb0d365cd9ef738f5ec4230421d44610e7f4eac58836f7203765b8748a0bab3b4599c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\favicon[1].ico

MD5 05807c4aceabfb49ab9d66e54618ff53
SHA1 fddb5a3eb50d1a255989f72f91911dc21e2d5d9b
SHA256 725d652f8c9ad3d148a0528878b51e2e250d228ab6eaf39111d0664abad359b3
SHA512 e7e298df18c4b3b685169f41918116110cf04566721b169cb501cf3c320b978526b5938bfe4fc3f1513bfe54a25afa509e03b8fb8b23416d00ca7d8aaf67dcfe

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

MD5 ad7ccc9b79949c36a1bf9dd61da4a989
SHA1 4fd8de6e223287e06bb992b25ec052ab37d2c96d
SHA256 5affd4e959a1bd5353d3fd195b36fa01e727e87f0025b52c12dba580c0884b00
SHA512 1330e036cbf04080053d91200347cf798b63e811626913548be8c87f187109e4691ffbde6cb563e3e3cebc8ae5aa2cbff4123f62d2de6084a20c8aec06918cec

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\css[1].css

MD5 8fac59cc82346c66402b6eb06273e46a
SHA1 168c66e96fe2f8de936f1f7a192b414952bdb2ec
SHA256 a7c4746419a036e0431b3a141e61669efad456b015252db78fc5995757ef410b
SHA512 164c1476712bf1f59c4b80ddb4587b13b7a68ce3692645dab2fe801c45442a07a04c11a2b2f1ca2da028dc68aea1e1d1da09ad683ad05a2aeb2cb86c0cbd4799

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\dmedianet[1].js

MD5 169c268cd98f4112b916c1b2c03af265
SHA1 629f640e1f133bcd681484075ab7c9cf6598f211
SHA256 075fe53de7483029f3d67b9b5de76b2ca73ab67b9be0fa64fea8c370c1745993
SHA512 378c01a46684ff7903b742213b5de736618530eeebe01f6660982ca31c421c671811be917e82edb2bb3e18611c64c36a3e3fb60b3d2ff82775dafdcef050bf6f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\bootstrap.min[1].css

MD5 450fc463b8b1a349df717056fbb3e078
SHA1 895125a4522a3b10ee7ada06ee6503587cbf95c5
SHA256 2c0f3dcfe93d7e380c290fe4ab838ed8cadff1596d62697f5444be460d1f876d
SHA512 93bf1ed5f6d8b34f53413a86efd4a925d578c97abc757ea871f3f46f340745e4126c48219d2e8040713605b64a9ecf7ad986aa8102f5ea5ecf9228801d962f5d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\jquery.mCustomScrollbar.min[2].css

MD5 c3cf3362ac1b65704603fa5fc3b9cfff
SHA1 73c2ce95ca7559b61d73ced1e892b59cb523670f
SHA256 ad58ed0cb9aa4fed41a85aa07bc92963b6a48a0a90c9ce466563b1b9d69981b9
SHA512 83cff980bf3e6d3dd6bb03be96b92ace0952924cc568dc09e47463e048eb67271f676ef924c613dc446ab52f4b50c6beaa1691c8a9810cb2102e093e7d263194

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\elements[1].css

MD5 e6a75bce19e1af2b4b6e3a01b6f04cf2
SHA1 328fcde6fa575fb9a0ea627060c33ee5b3b4018c
SHA256 34470bbe1df98fed3ca5c1e83781ef6e427b410bec75aeff1dd3c00a43781cad
SHA512 defcbaecf4270ca8e313643d503e47b61e136b5872b8ef2bf46dde15b11c61cceab5df8d2d3ec840c44bb1e84330d31c5c31bce040c9c13ce4b0d124a7c3c1e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\style[2].css

MD5 43bbb018dbfb3c985d19043d1c7006fb
SHA1 18a1b01d19fea3901a9bb321427ae34c70d919a4
SHA256 8b40af05f3b3d6374c0964e7561ea6a74f80230ffad28b281d8d0772696eb344
SHA512 7642f61d5e7808ca36e5e4169f2e3bf73a9e5d47bb64eb15296062c535e4e7d65e150c5ac79784cd9f2890a22e4da45776818cd0b89b6c89cb58c06164eeaf42

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\cookie[2].css

MD5 a53eb58f04db28b561e3cf6f2327c28d
SHA1 771a6fa87951b23f05513c5b6c6bc260052e114e
SHA256 67dd147575b0963981f0a47878165f9048269fd8c90f632a28eecce73b5d9ae6
SHA512 81a8be96bbbcb2c728b7a20bc7426f360db86d129d82f22fd57718c654e61d75d9b466830a3c1deb5935ffa30b599852720ef10017652c3e99500205e67258c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\responsive[2].css

MD5 4d18d138845cb891049afa7b54fb9173
SHA1 bef0e9092ea4510a69ba4f4d78979d21e45b2781
SHA256 9e0a69222639714979319abd225aee347d25c781030300b0f7f77b91e8e37d27
SHA512 5a658bb7710ea375f2a71a14e9e608be5cbea0a39860b6482aed5be80edd54f09213caeabe39e0a687c53b6bf85d50daf6986ecd7f75fea9bab4ad6183b05429

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jq6R8WXh0oA[1].woff

MD5 1644e34e928ad26efb5da8c500e074df
SHA1 56430892ff10d9898296400a1aa1652dfa5c02a1
SHA256 d56e7e4959a12ed3f0450f344a3ec75bc65db2963c87f5739e1ee408dbc52d4c
SHA512 3c08771186f632b12ea708852a770782b70044890b9d689593ae4c4803e76fb3c04ab20c55701588fc7e3861749d9819c28ed1e857da2298cc406d2e7daad040

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jqyR9WXh0oA[1].woff

MD5 4f2bcde4520bcc121056661dae327ded
SHA1 5b51e1d9291dca00cb55d5b7fbf4d6cda2e369ed
SHA256 5b046e2efbac34d0474822a7294f43a582329fc63b686cabd4d9f0fdb1c0a070
SHA512 66af2aeec1faa18e5c8de5c5a5023164f88c9f23266c3cd8a4708620602ffaeb62c765929a0709aa54e44082b1ae56739343770b42e878cb3444f93181d54494

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jq_p9WXh0oA[1].woff

MD5 a334aeb0a76e640a50fba8a0cf3b12ce
SHA1 da3b1a42280204343c475e5e57ee00e88eb216fa
SHA256 48ab581afa8f2749f3185de9562e8e074763dcee9c86e7c0e70c070295cdd43c
SHA512 2c4a0df9b0398b05554e9295bd78ea2e2e908e06dbb46d0656a9ad92dec1650b69dd8c3adfaef89ab7ea94c925b59d73cfe9f5fb3b474d9b277edeebf49eb327

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jq6R9WXh0oA[1].woff

MD5 39e31058a836e48c2939e38cb9feaf53
SHA1 6957e2c2251cac0012f7c2f1a78e3b35f576f88c
SHA256 929c302aae441e768078fc6d01fde531460f7831e391d99f0c737f62c415a68f
SHA512 92fd9306611fb177364e2ec066a29970ad55a6b9516bf82f27567903a8d458e2b253c57a25776a2b5432c0e72f7a1b20308fd492bc715a42a972d3eb99f55aea

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jq5Z9WXh0oA[1].woff

MD5 6c81e7d339fe597c4ace06461d2cac87
SHA1 1589e7eb5a4754375c461e25b9e78bfae41837be
SHA256 bc44e80293426e31ff3ca72e1a9f75cbe95df43dbe220171f397b866f55ab1f4
SHA512 a3ab337626198684fa353acc230fdc4c3e42cb2c7f8002a83d8a38d49a68af64e3b4de8b64c00b9c43202852420ce42a4ccd331b3b904e990cf7ec881407ddd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jq3p6WXh0oA[1].woff

MD5 a3872688ffc734356578bfdd709e9697
SHA1 7f0bc81266962a33c767c2059ae118f77793bf3c
SHA256 ff7c86d4611a6a549048a8ac4fc59a43358b700122c3444a6c30193563542a9b
SHA512 da87c82fd509d108c77075ec8beb543d54e922fa49526639ad4c13dde841339a1bf4fe182c62d99f64caa8d5f918ceefde4ceba2f65cfef3145cd9a02a983132

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jq0N6WXh0oA[1].woff

MD5 6b5ccc927fac808c062e22ca0a39c541
SHA1 12637edd4ed286e2ab90de7564af63fd67b675a9
SHA256 63744f88b5a89439fe834dffc662aae98e0e3773373fcf67c32abbb9ca46270c
SHA512 d12ab6b7dd120f5b42fe7512db4760694b842d615ef86901a69ace2f8f36731899d9073cfb45b65faeb2a551858dadb53e12d767c1ea37068a26f94a6bf8df68

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jqw16WXh0oA[1].woff

MD5 27f1a5edbbcde6e05cdc58c8bf30033d
SHA1 697e732d5a6f4738c1a58f4ca8fccd2829d5215d
SHA256 840cafc8b59bc3b6e8994faa408960d1cc3e5c6f67ad2a9136160cd113d7942f
SHA512 0fe1676747c77042c5956d616623a2b9fd2b4c6a86511feaec07fb764d1007682cd501f625941a2b660f239d482d5db9d12183f2f2d9fc1b74af5512391ee19b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\JTUFjIg1_i6t8kCHKm459Wx7xQYXK0vOoz6jqyR6WXh0oA[1].woff

MD5 feb375c107e4e64318d165ee77df6da9
SHA1 d0e9c2222ddc251b00dd6cd7eaddd1088c170dfb
SHA256 7ef053ac03cd5a0bc89f2ee8460addefd9e0968b0b4280823ed208a7354fca7d
SHA512 f0d7281a419eebe6de1914c3fdea9cd75a7290d998902a48b93a309dc97ab5f1980f85ae87f767d141a284a6c58df76f0102b5328fb5cd5d4efc48c2d84c2583

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCtr6Xw5aXw[1].woff

MD5 685d6d2a9f0e795c0c50deb87f144d13
SHA1 a1b886c47311f1338e9344a3c7b993bdcdbd03e3
SHA256 6fd450a1474acfc57e82b337edd59ee93765881e15ceb1c18819258df35b3e3f
SHA512 f2eba8a9dafd2a07c6f92fe071c7b60764f82fd12549d561ba301ed371ee93169586e1e2f423b89c9053eaf8f6a1b3bf920a844128c5d3a445da71804936ed5d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCvr6Hw5aXw[1].woff

MD5 4e1ad5ff4359c636f5d6b0771f223842
SHA1 91ed6fb1e2deebc7f4d91d09325296f587d27b43
SHA256 33cc4cb78065f9a20be34824a87e884a73b8bcfc5b4946eb1e22d5468e13a0da
SHA512 4322f2bc1ce4650ca7187acb4117994c80414a1e40e5f0409cdbce2047a882efe3021c4d17f52d6ba079238cbffe07da56ee2b99e0547185a2779bb8395df334

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCs16Hw5aXw[1].woff

MD5 e577d6eae85796946da55bfb3418dc99
SHA1 fb283421e21e5af727a3920c1517df9d12421c9a
SHA256 cb4e2182417c9f2394f97955e2d8097ec082459ca4a24a0cb8ec9cf7ce0de2f1
SHA512 7e413ea88a9908859bbfd870e810140ffe3c1c8dec8602205abb7f046a3e1cb270704217f5cefcb5430f184a30502a450fc05b55fb42b3173a2ba03dfb398e72

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCtr6Hw5aXw[1].woff

MD5 c61d9cf12213b69c63e92c966fedc7b8
SHA1 9d576141aa88cdf3eb0ef28af355cf687d47cc97
SHA256 03daf4995e106386f0cf86532d05a3f54d8c666abf236aaf0ba787a988293b77
SHA512 3fd872bd74f50bd40679c0c0028b48849b6d0b01211474b3cd20fc1421dd1287463577fef3556311cc4b05c04b9da2fbf9974c73a46e910b2315f006bf0879f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCtZ6Hw5aXw[1].woff

MD5 2390a8d9385278c58f2ce7edf9b2b4ab
SHA1 1029b99b1abb4e758b414b07e2d1fbc6b3d85be5
SHA256 2526fb05726486b99661f4599e876fc19513a8c3bb27cf4135b78de381423501
SHA512 06ef6f17fac2ab5f23a87743d03ffa0cc2702fe803d383081d9889f281da221a81d3743b22372b9fcf92f941ae011bfcbae79a3cd649b10145c36f1db11c8b72

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCuM73w5aXw[1].woff

MD5 5aa60f062cf85ea402c0f8aff4948a7e
SHA1 3dc2c52bac03c5b1fd6236b146ddaf6435f576cd
SHA256 ba8ceea3be5adb94f7ce8532cd93af73b2288767969ee041bb8ba760a4085d32
SHA512 db2e07ec3f48d972210d610b050aba2bc8c558c00fda444148974fd4d7c746e6de4d08296784740f46ce8233cc34bb8ff77310b9b3603afb2393f7ece20409c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCu173w5aXw[1].woff

MD5 dbcfd869317e0e5fdf9401055e32f57c
SHA1 5fff646f54df128d50365ecb23542bbf85dc0c33
SHA256 4702c7c6d6d27427988aebcc56f5c7fec5141fedd3641ed0f01011c7565fd4e7
SHA512 8083ffb5957c5dc1fa98dc47770beff265ef44ac46383d579ad02507af72270566038214b2ce013b52605c48b0ee6a1c98dea3a77e675a7bcb6d2cc99a5b6bca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCvr73w5aXw[1].woff

MD5 c84013307d4599c55ef0ec438d22eea1
SHA1 7f4594dc4d35e8ddaa2858f1c8cb11e54d383b04
SHA256 010f149a6d8db3f7c9ea8badd55315feb45e82bca4a7cbf24b110dc54f08e7d8
SHA512 91944e315616267545bc8f840f0749fccbc52148d4a91daa05524a180e93728a3db92509dd1bfc456388bee608bc136d44b099f794d995248ff4c0ae973dabde

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\JTUHjIg1_i6t8kCHKm4532VJOt5-QNFgpCvC73w5aXw[1].woff

MD5 a4353b37008902eddefe8f129b5ddb29
SHA1 e7488f465133ce2f9909edd642c67bc0c94fa46d
SHA256 7b8e65780f9e0326c63ac8d3e7d1a8fcd318f861ab1513efa1629e254cacd232
SHA512 47409f7fd4f65e1ac1cb158ba45048feaaae0b93d63a543b2c9682ab86663b3276651aba3504d7be6990708d63d2ba2ef76a6196ee73e285f45694b0d608aedc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\jquery.min[1].js

MD5 4b57cf46dc8cb95c4cca54afc85e9540
SHA1 05e1ad0cc600a057886deaf237ab6e3d4fcdb5ac
SHA256 a28ccf8a7b50522bdeea0cd83cdeca221c18fc1f9df3ee6b3d3c48d599206855
SHA512 a6996f5029858c6de6de30eda54f8acc47d9713cb1adc576173ce8f75f79a2b944b9c04bfa55ad62829e705cede4fcb7c7c90785e8cd3e0252d79a186b1760a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\jquery.cookie.min[1].js

MD5 89b1396632234ee336bf4cbcb7cec200
SHA1 a15fa06c1276f6f5a83e4653cd0a6dbecc5dc18a
SHA256 e61ef2ab7c9da28aa74ef73b341c0502f7ae8ee2951d28a71004e30b7f90b836
SHA512 96adf0ec5ad8112d015ac0b809e249f5625bb0b96434eff14de0a4103a15a19abb3d8c7e9d23a585d26a179dbe8dbb7aa6e51c15550a857a350d1c2480152364

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MB6P03D3\cloud[1].css

MD5 526b65035ff31bd7147be9e785a768ac
SHA1 2fc6a091da52a528eb67d73c77f3fd4ee6351cb7
SHA256 8996a1606a4793b1a05580ff47567f4467c2d16bbe7cbcb049dc849e0105da86
SHA512 ef634c822d276411e7c85a394a2fde9798cc0ec62c02db364889a60dafa5ccb2cb3f2bf70cb513eed9aa07fe36b82b3c0bcf29d630107720f5266a1e0ec6bb2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\gen[1].htm

MD5 386b94c69b64458448937032149d6690
SHA1 dea19753de6a29bde165a464f510d18b6f14473a
SHA256 a82cbbe09199ff491e9dabe3e445800ca0c48c505f5c9050552cc61afe105a87
SHA512 cb77ac473c42e9cc76f6ee887ab0c6e07b98d426aa75ba61466496179a3c46adabdef1c54fe93e18adb8ba4e5e68e7ea3017dcab521ab8f6ecdb080dc73a7f21

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\6n8FrCwGXwQ5ZumBk1SCxOl2ec8[1].woff

MD5 e199e5b56a6575ef46e399512e1666f6
SHA1 ea7f05ac2c065f043966e981935482c4e97679cf
SHA256 d4242b6e2f707137b8b328ae8f28f50bac41fec35dd6a390a43753f5a4bcee8f
SHA512 ba36ccc7e9a90b1a149376eceaacab509c710781480f2084bbfdd796a97c4b4c1bedae0b99bcc028a63e11024627f808fcf0273fc2e715dc237098a9533f15a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\aHTLG2tTlmAJt89PBP6ke1NjNlI[1].woff

MD5 4cf967da363adfdd893c9edf455b3925
SHA1 6874cb1b6b53966009b7cf4f04fea47b53633652
SHA256 8b0cae9f9658ef829ebd2fc4dd1ca0a2261ffcfffbf4baf3e502594bf4e45aa1
SHA512 23d1466cab3de9828d82f8d3369fee01c1ced42c2949eee572ad05b217f41371744a038e908739b1200662d77ff428d0411d78a7f9622a417a1eee335581d47c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\7RkupUWVEcepjeZPFv1xCDdQFhc[1].woff

MD5 e759fb47a2a9c31c8e94a666a9b742e6
SHA1 ed192ea5459511c7a98de64f16fd710837501617
SHA256 17dff4901f18625f10b10f5cdccc49e1d41cba050f682ebe3a224b13d2741871
SHA512 b48434bd5994e48c71312a73b010d11a3367f75c9b22728e7e0a0c9f3b45f7660b1eaa75935f65f6fff6e047f42a4d77c1e18ace6e6135545276abc0bd1907ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\p9QGkWz-vqtayeFDeI6z9Dxffpo[1].woff

MD5 fe95ed78d9ea0199fbf94de0eb9a9629
SHA1 a7d406916cfebeab5ac9e143788eb3f43c5f7e9a
SHA256 00b7c02dd565491efab873ed2e7ab39f4adf39270d2132f0d29187d822efd826
SHA512 325f434ee5c4b6b7682126d13fd62918a97b504a4d1ff65aa56f287178b7e614c7e718dde48aabc6b91d60e9048cbbbc648ea4f91d74b5933bf86762cdbbb809

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\jquery.mCustomScrollbar.concat.min[1].js

MD5 9df3cfdcc9b72f1aa24e2e114455ae7a
SHA1 e6ac207cdb6c4591f2d39f2a645f6dbf42534f89
SHA256 5ab5f19f9bd4a4ddcf14235fc1684eefe7cfbfbc33f0a1fce661b13de43092be
SHA512 f324195be1dd10b907f56b118d23aea270121ace3808f84e790c3eeb83081848142c0a75544c08df6f8fc092583eb7cd7d579147233bec085b470930d6cd84d0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\bootstrap.min[1].js

MD5 14d449eb8876fa55e1ef3c2cc52b0c17
SHA1 a9545831803b1359cfeed47e3b4d6bae68e40e99
SHA256 e7ed36ceee5450b4243bbc35188afabdfb4280c7c57597001de0ed167299b01b
SHA512 00d9069b9bd29ad0daa0503f341d67549cce28e888e1affd1a2a45b64a4c1bc460d81cfc4751857f991f2f4fb3d2572fd97fca651ba0c2b0255530209b182f22

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46OBJVV7\rlf[1].js

MD5 e262d0e016c869728542f423a9d43a7b
SHA1 30d9799f50ea8e30119e105ce428d8707f6ae34d
SHA256 682a577f1bffc24c5626b4f1249055ecc208a2c94fb0259261c3a14077beee19
SHA512 36eac2812507cc188cac506b706c19ad47e10820aca6af7535e17f36334fb7a92cd6f8a27eb9dd23487319b7b6173f1ea0c5b45e6330f4549db8f1973956a945

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6HMU97U\ajax-subscribe[1].js

MD5 b53436c6ec7e681a3edcec13f42ec715
SHA1 0aa1b02b89e734193d43d6385ebc5939bb666fd0
SHA256 3b28dd2b4eda9085ee35fb2aae1d706c6d003c2521e4ad62bb2ef2e6969bca83
SHA512 26012f31616624fe4e082265cd8828b9994b3af733603353c9e468e35162368e0a8388d6d6944d8c9f10af0a53c2cec266786a6b7239c4b76356fbcc45698e86

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\ajax-mail[2].js

MD5 06acf64af6cd1d69540460ddb018c78c
SHA1 9db22d7b6b6a223abca82e69fc4fba0c987587c2
SHA256 259ce4dee332f67cc9d86367330efa87617f8c78428774d26dd0528f4942f39c
SHA512 7f1f22b3d3b06d435d440a31faac79d86669ee4dbed9449a3fa631be95d95f3d75b8c9e900f18a044390a5c75f45e0e5eb0c01b6756421103d41d8f71b4c1416

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\themify-[1].eot

MD5 2c454669bdf3aebf32a1bd8ac1e0d2d6
SHA1 df12a0942cf1933f0915fe3d910fa2379f092d83
SHA256 dff415daec911b65dca5be02071a1825b75508ff158de5b8d85976957db931cb
SHA512 106c027bf31ac1d0705a9be9b3ccb8562b38b2229b0119dafdbcbea2273e66624f3cd7a7afcd394985f2f22248736ef08962c9182e7bc0f59cab7f8a878478d7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\main[1].js

MD5 86fe5c70d7107cc8ab30e192072ac15d
SHA1 15cd81d73ddec861349d2f1b2d4cf10eaefa9373
SHA256 b1de65cb0d3a28aeed81012371764b92d0ac30077edb2d768dfdfd8640cfc7c1
SHA512 cde0cb8c8f2cec2d40eee1bb0b2b1be68218df4363048969b23e578e57eb3656594b62ee1ef7820d9de370fb3c0382934a306eb6fb2b95355b1d3e1c43c2a5b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N13A0C41\plugins[2].js

MD5 132e96f62255f4daf2aff234f50912c2
SHA1 62bbe81f1a3c0babfc39e2c3abf6d5687f3493f6
SHA256 07174a0088fe0b461713a172e371e448f3d8eef64886d3e2f04a2e178073f6ad
SHA512 0c3529b35f406d334a09a4b90ca40b1279dfd3e4ec9824866fa139ef793b6fc3fc10e9be87e7bb9fac1fdeaa166d2356a785c44c0221bc251babb16310876844

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

MD5 b4f9501215e1491f08c9c9ef77053a31
SHA1 85fd136488c61001bf5827556dd5aef5af9a747b
SHA256 7aa5766fab3b45d2bcdb5608f02c6e95f0d80017c8a22df561114f9dfce48686
SHA512 46003a15c56caf13bd73c2241502870caa100b1fb872cb830bd09e8e1be93dde542fc82d8aec64d0373c17afe5512ab79f8aea5746486c6f7a7dd03e47187ca9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebed7dce339a72b11b07824defc6414d
SHA1 1e580f2c464c4a749956e3f3589e370f73dadf94
SHA256 a3e93af666c45256165cbdf2e74b04a79718e76645128229ac466fb0d690afa4
SHA512 d265429e0047b96cdb611459b62a6a6437ba2c63807ecbcea0cb5ad9aef274c4489f4d534808c6cd520bba5291b2e15e98f685cf21f69faf9a505cc0994494b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f002741040a8c4c7ba94b209a93c240a
SHA1 e9f556d8539e67304cd56340b43dd4800c540670
SHA256 04bcbb696bbc7a3a00a5e07796cd8ffd48f194e2662b0c6b192bfea6c428b9bb
SHA512 c04121f3eedc7a5491020438094b5038cb1940051a9194519488f1f6c7f483f2ee3003d42e14d1a8599a52c22fc2a90fdf428aca60a495e071222d6c2a368f70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63374dbf55fa9620cabe7732b7929e49
SHA1 27944b16ab26f0916bacece706386a283299169a
SHA256 5b378df970f5e52495331e80a6853e0ffd00b1183c0a7e9d7b8c068d4c00c122
SHA512 08acae46cfa77211d3c7706f2a0964a0bfaca2e9a3dbd5fdf4aed7e48a7790dfe93523f3ca33b5418b21fbe66651352ed20dc08fa9e5fae5d07758464303c92e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ffc5905cab3fdbeeedc9ffeecdb0314
SHA1 7cc16fcba91b878f4540caace8d315cdfbf68052
SHA256 6ec4dc955f3fb4ab812dbc626f4eb5e85e11179833ad268c8f1088db4d67423b
SHA512 04b33faf0bf033a44fbdfb2e6f897aa85fe26b55707e2e2f6f9fe7bee28eed1f400d56ccd0a11b9b79436a9ee38b0180fe7c7f6f7c4e74bf1913f7eb64615392

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 4ae08642704e1efd6d7bbad0377ac523
SHA1 aefb9be6e636d271142ce598e21b83a302910582
SHA256 097c5507d1983f1fd0ff24a857598dec7398d8962007101e5f55f19c8cdc13b4
SHA512 af9b4d7761ea25844edc812169270b5f1df9bd2cece0076e56b2ec422a5eb4b1e8455bd393b3fbc966ba66643311ec5c89f973e68ec5b9d9ef56266045ef11a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6c48eb7e48ffc1d454f53423c427a70
SHA1 0ae1cf788190434cfc8930066b2f28fc1d5609ff
SHA256 afabf8958e7ebe638f9b8b856bb65725c40a64e288c6e360498ea080ce665949
SHA512 dff08114785899f9a9bc2f386f7d88bcd86ade0735cb56f08f7ae3783e117044cd478719864da69ecfdb87fac0bbfe120b994ca8043e6b903632276ebd206ec3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9058568ae8124e5fb6c2341a87fe83d4
SHA1 cfea44cf9eca650409c8b362300fceb54e3a6de8
SHA256 e3dec28433fe3e47f56cc5ae6f50935766e94a02ef0955539627e07cd763dcfc
SHA512 bc7e5c68280a08e226cca6aef864e0edf53f8b2d25a250e43bea995fe004def8b9401e6b955863ba50fcd594666cc8c30a65f7a4e5fbf1b0fef5ae7fc376b5f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64b2a42d46fbf6d6b81cc6ccc5799c46
SHA1 523cc6a802d5274b726240e26301f0293a591585
SHA256 9882944bc8ce221dae3177894a2931307b1cde5fba38ce97374e37ea3b5855de
SHA512 f96b181df82aca4df708b30cd56a74f230c424698caf466301818a58e408a64d4e80eb999ea44f0d69e7a4859206ea5670f3a0b0ec4c8d6b47482d720a66b17b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0f3c9457c3f21c8a8d31d11890a07d1
SHA1 d9cc6c5adf630b77feb4a45f82bebc296d6686ed
SHA256 dfe667e2f96336bcc30c612f4c6cf26e734498c1d9fd71c2b2bf3cd8daa62561
SHA512 405336540379446c766bd91ad29db068da54226aaa15e8b6bd6fb44796e133703b384401dd56310925be01522fd9b685781b9a5fe9b0981efac34ff0a5ec9645

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e68a6bbd12f5c7896007050d3a6773e8
SHA1 c8372869932e82ee1407c0696ae4c3faf3a116ed
SHA256 bb8576ce91d6299b1bcb5a6ea28be5437c14e04dbd8258e85267056dce2174d3
SHA512 fb989cf2adda1d46bde050452625d80227d310a29b60ea822484f17e21ead4562e1a1ee7167c8fdbb9044b32e07e6b5023e79a3dc66596b6885e95aaf9f652fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71f5f52549318dda9e05bd2c569e5842
SHA1 9d2579c571d2821d9d74dc72515600189d52cba9
SHA256 8c965e5b15825d29fe19dd84d1c684d8168493323a5514322bb278c304fce687
SHA512 920cd787169fe12d68a0aa6befd5304241b605b725d62eab1cf0c8ad87c5dfbbe828ff4f0fa18d3371c5bc7dda58dcb30c542d105753dd45fe0849cdbeba9ac3

C:\Users\Admin\Downloads\sheet rat v2.6.rar.c3ef9oj.partial

MD5 b15eca36ae6692663c06ec209574acaf
SHA1 db0cf96689b92e770f0d408b3d0f71254bf10a63
SHA256 7f57436a0c7e4ace755a5e3e06ca9b50ce29e4c4b2eef19873600dc4569ac60f
SHA512 1c43223b57ce4e7d63e5b30ee63ff181aa337fe1c440b2aa322d47b8100c1b35e1c1fd108f9c63df2d6f670b4b6cc3e5bd59749180d17189115e1c1bc0871302

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe

MD5 dd6667db55acaefa2d7e99dcf5d97a26
SHA1 c1b281ef573df4da584294c61b5322edfed589ad
SHA256 ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238
SHA512 916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1

C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe.config

MD5 2083876ec03ad06e5c16490fcb4ab8b6
SHA1 b8f50f08abd53225c046912471dfd271a98cf15a
SHA256 28026de2c65972cb8fac1ff2865c33e24d1086f7242b2fe951cef172909ad128
SHA512 b16f1fbe8e10b66079d83a46818423fb2e2e8619cbdc1427ce0cd27f06092af52bcc003755e939320cf84f8cc5a26c92e43041013fe3ef60c7d73d8624ee6096

memory/2292-1251-0x0000000001110000-0x0000000001258000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\MetroFramework.dll

MD5 34ea7f7d66563f724318e322ff08f4db
SHA1 d0aa8038a92eb43def2fffbbf4114b02636117c5
SHA256 c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
SHA512 dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

memory/2292-1255-0x00000000009F0000-0x0000000000A4C000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\cGeoIp.dll

MD5 6d6e172e7965d1250a4a6f8a0513aa9f
SHA1 b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256 d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA512 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

memory/2292-1261-0x0000000004F20000-0x0000000005172000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\MetroFramework.Fonts.dll

MD5 65ef4b23060128743cef937a43b82aa3
SHA1 cc72536b84384ec8479b9734b947dce885ef5d31
SHA256 c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26
SHA512 d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

memory/2292-1265-0x0000000005780000-0x000000000582A000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\GMap.NET.WindowsForms.dll

MD5 32a8742009ffdfd68b46fe8fd4794386
SHA1 de18190d77ae094b03d357abfa4a465058cd54e3
SHA256 741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365
SHA512 22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

memory/2292-1269-0x00000000088F0000-0x000000000891C000-memory.dmp

\Users\Admin\Desktop\sheet rat v2.6\GMap.NET.Core.dll

MD5 819352ea9e832d24fc4cebb2757a462b
SHA1 aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11
SHA256 58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86
SHA512 6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

memory/2292-1273-0x0000000008920000-0x0000000008C02000-memory.dmp

memory/2292-1278-0x0000000009810000-0x000000000995B000-memory.dmp

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

MD5 14393eb908e072fa3164597414bb0a75
SHA1 5e04e084ec44a0b29196d0c21213201240f11ba0
SHA256 59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80
SHA512 f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config

MD5 a35bc67d130a4fb76c2c2831cbdddd55
SHA1 66502423bba03870522e50608212b6ee27ebf4c5
SHA256 e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192
SHA512 4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config

MD5 cfcf8e91857f364e002065c52ff8f91c
SHA1 8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a
SHA256 572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6
SHA512 364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config

MD5 2e8ab7cdc2081c09a98f6c5593909409
SHA1 282769c943f8ab0429315869466d042a99de95f4
SHA256 17eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae
SHA512 b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\002g2yhf.newcfg

MD5 b18785caae8834f89e34cde89b93cafc
SHA1 cee194149b484295ddba88111a251986bdc0c7af
SHA256 105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811
SHA512 fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

memory/2292-1326-0x000000000B490000-0x000000000B4B0000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\Newtonsoft.Json.dll

MD5 195ffb7167db3219b217c4fd439eedd6
SHA1 1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256 e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA512 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

C:\Users\Admin\Desktop\sheet rat v2.6\ConfigBulid.json

MD5 3071a60e3daac1fe7b97d115628c98d9
SHA1 249d49479a8a6544f025c6e781268847f42a4469
SHA256 2a725ea0ebc6ce93f78c3f785781558723f663fb42f171b18a8f9e51c5aad725
SHA512 e9745de08c87d2f6746d9fb5f988eb109e9a25b7f61f9ad75aefd90559b1a77a054ccdc942c384b0d1933310345fd68777adf2dc8485bb9a9c83cfdfd7e9e1c8

memory/2292-1339-0x000000000E0C0000-0x000000000E172000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\Themes.json

MD5 fdf6d963491b41d9ba798f60fe27ef8c
SHA1 4908bfc78d191f60ab583fe093bc579fd5ff06a3
SHA256 bfe1437218dd94ccd078a8683f59b65e28d8d63defa7f419b2cef81bc031a7bf
SHA512 96e5981739a3328387aaf80b6b6a071dc7a2135d5bdaa99b638527b9cd82eb514d21d27a26445a01082a4ba8811ac130a671690e51cf780fd66acdd3a12a3c25

C:\Users\Admin\Desktop\sheet rat v2.6\Maps.json

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22b8274c49b914efef55503e86740ef3
SHA1 90e6abcd5f43726215665b78b2d5fe16f0948bc8
SHA256 a264783fb545db04b2b1066c289e80ea74c08ad2cafdb73173feb5a442d88950
SHA512 14c0f0369b7fdd27f5098690165e9edf852eb9f42d7a97066499806848ede2d539dbe130a6d43d82252bbc57afe1648458b58049d7181f5093a2fd26fd7a2f02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0363348b807c557384db642dc14a3353
SHA1 c47b1360fc1d6f8ccd51e462b7adcf5dcc3ec433
SHA256 9b0dd8b5a61dca2fc4d487c9f384df8b219dc2507a05651e3cc15dbc2cef9f3a
SHA512 c7a7a504433fc5fe9597c8a46d41d17ca54d22128c039b5c3c22597035bfb9a790bc90159b125fb24196835ab3160ba8e7502a457cbb1e04b5b4a9635ebcdb34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db99a77bf8981b1b66ad371ef0a71000
SHA1 b3d02d717f32b604e7097138df49ab43f25be4a9
SHA256 e97c3e575acf7b53667c065c295ea4db606e3379bb3994d0f321950acdfe39f4
SHA512 55008576cbcc30416b3c597815d06ee367f0a5dfc8f820f0c50418917b1c7582bdc169c6905b326980f852c8f05ab405f63c616a25fd8c66125528ba4214f29d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6d5c41f917a7cd669f1654d5493c181
SHA1 fb9da128eecdfd9191302bcc30a4e839652c7ac8
SHA256 0341d9db34419535c334ce8f4f644683d130aeb775309c4be37f0ef7e75d6b9e
SHA512 0ad736a6bb42c67b5fc639968ef7fbe13044d6f85799b7e0abb14494319b18409a34ac49cddb527f6d5e8e6dbeaaa0476c5c80f216f1d9a89bafdbe922f7a408

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0a5ca7617143387380a56074be986b5
SHA1 da263a08a268559ec46de429f45c388f3ddb546f
SHA256 495b81a768a969e9b38e24d23bcfd09cb064ed2c63d0e78c262041632a87242b
SHA512 fb982737776983092e1337465f9a461469a743392666db891d2c45a2d9eb83f13400b14dda818168d4b27f460bbd64c534d5da5569111b70fc429960bdfc22db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5b21fbff92f39197722d337753e93c0
SHA1 4349cf2cbe2f2e98caa7f612d159a662e6496215
SHA256 3b1454c009eaa25bd393d21510ce1c366a8a29f75103394a6aa1be65607253ac
SHA512 1650d1ad15b1b94e68f472c7da563091e0c49f8af0b1bcefabcfad0d459bbb42b9da2b220d1a6970783dcaf7a222879c1ed33444d51d92ec4aa00d85032793b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74b833b1d5f928e761e754ee21f8ba77
SHA1 4db031c4c8d598ac689e10b69aaf05ca5ba01f0a
SHA256 ccaf7ae50d26e9cbfd3a5b3faa39c3b49090f63a39d537c45a2738677c658320
SHA512 1100a93da3ab740365d755687428c2e32fcbb913073f5a5c38f39bcd332acd4091f6e1df1de329e8428a6bc96f241da81cc31e1c1a64d1a720cd7a3d5f8c379b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33a544a19d8279b463e4b8d202fd3e02
SHA1 562bdcd6ce2afe99d8fd8b3efec6d46a41d16ff6
SHA256 6eb600b893dac9cd44897dce3f976dbd623a8cc685afe65cc328b38038134118
SHA512 cd25f17b63d4698165e89d7160ee7485a0f43f8088d671fa3fad76e99302bf7d9f849e297813557b7d05119fb95d3dab3b3670c6976f551f56458b6acaff6738

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 454b202246ed14646350518f7253212c
SHA1 88db3fdf2e4d1456af22c1184e8cd526c871ae4e
SHA256 b8bd46f282655a0edeed675face31b28be7a27bed2d2be699c3e6b8cf7dfbe83
SHA512 60a23da88fd7b9ba3bda24bd3b8a05a0077e1e080e05b0710be8f4a95068718a576401f5311d391ad35dcdc7b2a7b24f9a4d452c01918fc47fb43ac998f2e410

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6817d1083f97ee3feb27ce945b4e6cb1
SHA1 8ed854c1ba2e86a0e36d77e4925ae406f7b0bb31
SHA256 5ddb3a5a694f9f9730feb27b6f4a72213dfbefb1409302f0a8b91e62978ab688
SHA512 78c1064943124dc967a5a2a304831765054fe2cf7d685c72c26128c55a502b491314688854ec50173e5b8bcad42544782e901c5e60a26d8a4e7db77b4f82ea53

C:\Users\Admin\Desktop\sheet rat v2.6\dnlib.dll

MD5 508ccde8bc7003696f32af7054ca3d97
SHA1 1f6a0303c5ae5dc95853ec92fd8b979683c3f356
SHA256 4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a
SHA512 92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

memory/2292-1831-0x000000000F280000-0x000000000F3A2000-memory.dmp

memory/2292-1832-0x000000000EF90000-0x000000000EF92000-memory.dmp

C:\Users\Admin\Desktop\sheet rat v2.6\Stub\Client.exe

MD5 a0e04bf9b43f0b442bd3193f06dc52b5
SHA1 30bb0c17640c414d948ed3e2fdf571b98f125efb
SHA256 71824238c3baec179911bd6e4655ebff234e15d0f14248077e2c388ef4337009
SHA512 d7015f5c8223ba0f4e3b478185fa3e4de0831aee949302185fdc8b3afe59105fe096a3e5ee23219a1c16dfcbc77d169a82774ecd727ef98bdb94a878583a2ae2

C:\Users\Admin\Desktop\sheet rat v2.6\Client.exe

MD5 5f6177f769c803ab896a4eb38e8c43e2
SHA1 7b2127fedef02309c82ca42b0edda96cd88e2b07
SHA256 f11c47cc79c1482e45370c1fc8e397cb891ff19c8de4913c60b225ca037c2e95
SHA512 6d63c1cc2a0220b8dd3b122f19b57d5861316abff1605c1ff0ab2ea4a5651f2365a9200b21b453bbc76712d6b13170df43913238a12f9e8fd3aa2bf1243feac1

memory/3064-1838-0x0000000000170000-0x00000000001FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 14:51

Reported

2024-06-06 14:53

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4252 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3444 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/AMPh

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9c6246f8,0x7fff9c624708,0x7fff9c624718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,14078586149033692244,3285287155189659396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3096 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 oxy.name udp
US 104.21.70.24:443 oxy.name tcp
US 8.8.8.8:53 oxy.st udp
RU 185.178.208.137:443 oxy.st tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 24.70.21.104.in-addr.arpa udp
US 8.8.8.8:53 contextual.media.net udp
BE 104.90.24.23:443 contextual.media.net tcp
US 8.8.8.8:53 ads.themoneytizer.com udp
US 104.22.63.227:443 ads.themoneytizer.com tcp
US 104.22.63.227:443 ads.themoneytizer.com tcp
US 8.8.8.8:53 smatr.net udp
US 8.8.8.8:53 cdn.adlook.me udp
NL 88.208.46.222:443 smatr.net tcp
RU 193.17.93.93:443 cdn.adlook.me tcp
US 8.8.8.8:53 lg3.media.net udp
US 8.8.8.8:53 yastatic.net udp
RU 178.154.131.217:443 yastatic.net tcp
RU 178.154.131.217:443 yastatic.net tcp
GB 2.21.188.27:443 lg3.media.net tcp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 ced.sascdn.com udp
BE 2.17.107.178:443 ced.sascdn.com tcp
DE 51.89.9.254:443 onetag-sys.com tcp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 tag.leadplace.fr udp
US 8.8.8.8:53 secure.quantserve.com udp
US 8.8.8.8:53 p.cpx.to udp
US 8.8.8.8:53 counter.yadro.ru udp
US 8.8.8.8:53 ogffa.net udp
US 8.8.8.8:53 adtrack.adleadevent.com udp
FR 145.239.193.51:443 tag.leadplace.fr tcp
IE 52.49.242.239:443 p.cpx.to tcp
RU 88.212.201.198:443 counter.yadro.ru tcp
NL 88.208.46.222:443 ogffa.net tcp
IE 34.241.35.4:443 adtrack.adleadevent.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
DE 91.228.74.200:443 secure.quantserve.com tcp
US 8.8.8.8:53 137.208.178.185.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.24.90.104.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.63.22.104.in-addr.arpa udp
US 8.8.8.8:53 222.46.208.88.in-addr.arpa udp
US 8.8.8.8:53 217.131.154.178.in-addr.arpa udp
US 8.8.8.8:53 93.93.17.193.in-addr.arpa udp
US 8.8.8.8:53 27.188.21.2.in-addr.arpa udp
US 8.8.8.8:53 178.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 254.9.89.51.in-addr.arpa udp
US 8.8.8.8:53 system-notify.app udp
DE 157.90.33.72:443 system-notify.app tcp
US 8.8.8.8:53 ads.adlook.me udp
RU 46.243.182.93:443 ads.adlook.me tcp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 csm.nl3.eu.criteo.net udp
US 104.22.53.86:443 cdn.id5-sync.com tcp
NL 178.250.1.25:443 csm.nl3.eu.criteo.net tcp
US 8.8.8.8:53 rules.quantcount.com udp
ES 108.157.109.19:443 rules.quantcount.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 pixel.quantserve.com udp
US 8.8.8.8:53 uidsync.net udp
NL 23.63.101.153:80 apps.identrust.com tcp
DE 37.252.171.53:443 ib.adnxs.com tcp
US 52.223.40.198:443 match.adsrvr.org tcp
DE 157.90.33.72:443 uidsync.net tcp
DE 157.90.33.72:443 uidsync.net tcp
US 8.8.8.8:53 s.cpx.to udp
IE 34.249.224.177:443 s.cpx.to tcp
US 8.8.8.8:53 51.193.239.145.in-addr.arpa udp
US 8.8.8.8:53 239.242.49.52.in-addr.arpa udp
US 8.8.8.8:53 198.201.212.88.in-addr.arpa udp
US 8.8.8.8:53 11.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 4.35.241.34.in-addr.arpa udp
US 8.8.8.8:53 200.74.228.91.in-addr.arpa udp
US 8.8.8.8:53 72.66.84.52.in-addr.arpa udp
US 8.8.8.8:53 72.33.90.157.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 86.53.22.104.in-addr.arpa udp
US 8.8.8.8:53 93.182.243.46.in-addr.arpa udp
US 8.8.8.8:53 25.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 19.109.157.108.in-addr.arpa udp
US 8.8.8.8:53 153.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 198.40.223.52.in-addr.arpa udp
US 8.8.8.8:53 53.171.252.37.in-addr.arpa udp
US 8.8.8.8:53 177.224.249.34.in-addr.arpa udp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
NL 178.250.1.11:443 dnacdn.net tcp
FR 185.235.86.184:443 ag.gbc.criteo.com tcp
FR 185.235.86.134:443 gem.gbc.criteo.com tcp
US 8.8.8.8:53 id5-sync.com udp
US 8.8.8.8:53 lb.eu-1-id5-sync.com udp
DE 141.95.98.64:443 lb.eu-1-id5-sync.com tcp
DE 141.95.33.120:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 184.86.235.185.in-addr.arpa udp
US 8.8.8.8:53 134.86.235.185.in-addr.arpa udp
US 8.8.8.8:53 64.98.95.141.in-addr.arpa udp
US 8.8.8.8:53 120.33.95.141.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.123:443 www.bing.com tcp
US 8.8.8.8:53 123.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 tmzr.themoneytizer.fr udp
US 188.114.97.2:443 tmzr.themoneytizer.fr tcp
DE 141.95.98.64:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 ww1097.smartadserver.com udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 metrics.biddertmz.com udp
US 8.8.8.8:53 lexicon.33across.com udp
IE 34.248.22.168:443 metrics.biddertmz.com tcp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
US 35.244.193.51:443 lexicon.33across.com tcp
IE 52.212.11.218:443 id.crwdcntrl.net tcp
DE 141.95.33.120:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 208.195.178.51.in-addr.arpa udp
US 8.8.8.8:53 168.22.248.34.in-addr.arpa udp
US 8.8.8.8:53 51.193.244.35.in-addr.arpa udp
US 8.8.8.8:53 218.11.212.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
IE 34.248.22.168:443 metrics.biddertmz.com tcp
IE 34.248.22.168:443 metrics.biddertmz.com tcp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 metrics.biddertmz.com udp
IE 34.248.22.168:443 metrics.biddertmz.com tcp
FR 51.178.195.208:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
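The table above is a flattened export of the sandbox's connection log, and most of its bulk is reverse-DNS noise and repeated ad-tech connections from the Edge session. As an added example (editor's code, not part of the sandbox report or its tooling), the Python below parses rows in that format into deduplicated indicators and runs a few triage checks a practitioner would do by hand: split forward lookups from PTR lookups, collapse repeated TCP connections, flag names that were connected to without a captured DNS query, spot one IP answering for several names, and list anything that is not HTTPS. The embedded rows are a subset copied from the table (the header and the multicast row included); the check names and the `N/A` handling are the editor's own assumptions about the export format.

```python
"""Parse a flattened sandbox 'Network' table into deduplicated indicators.

Editor-added example; not code from the report. The sample rows are a subset
copied from the report's Network table so the parser runs offline.
"""
import re
from collections import defaultdict

# Constructed sample: header plus rows copied from the table above. The
# multicast (mDNS) row has no resolvable name; the export leaves that column
# blank or prints N/A, and both spellings are handled below.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 oxy.name udp
US 104.21.70.24:443 oxy.name tcp
US 8.8.8.8:53 oxy.st udp
RU 185.178.208.137:443 oxy.st tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 system-notify.app udp
DE 157.90.33.72:443 system-notify.app tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 uidsync.net udp
NL 23.63.101.153:80 apps.identrust.com tcp
DE 157.90.33.72:443 uidsync.net tcp
DE 157.90.33.72:443 uidsync.net tcp
NL 23.62.61.123:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
"""

# country  ip:port  [domain]  proto  -- the domain column may be absent.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Turn the flattened table into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        if row["domain"] == "N/A":      # treat the export's placeholder as no name
            row["domain"] = None
        rows.append(row)
    return rows


def summarize(rows):
    """Reduce rows to deduplicated indicators plus simple triage checks."""
    forward_dns, ptr_dns, tcp = set(), set(), set()
    ip_to_domains = defaultdict(set)
    for r in rows:
        dom = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53 and dom:
            # PTR lookups are sandbox/browser noise; keep them only as a count
            (ptr_dns if dom.endswith(".in-addr.arpa") else forward_dns).add(dom)
        elif r["proto"] == "tcp":
            tcp.add((r["ip"], r["port"], dom))     # set() collapses repeats
            ip_to_domains[r["ip"]].add(dom)
    return {
        "forward_dns": sorted(forward_dns),
        "ptr_lookups": len(ptr_dns),
        "tcp_endpoints": sorted(tcp),
        # names connected to without a captured DNS query (cached or hard-coded)
        "tcp_without_dns": sorted({d for _, _, d in tcp if d and d not in forward_dns}),
        # one IP serving several names: shared hosting/CDN, or related infrastructure
        "shared_ips": {ip: sorted(ds) for ip, ds in ip_to_domains.items() if len(ds) > 1},
        # anything not on 443 is worth opening in the pcap (plaintext, OCSP, etc.)
        "non_443_tcp": sorted(e for e in tcp if e[1] != 443),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the full table rather than the embedded subset by pasting the rows into `SAMPLE_ROWS` or reading them from a file; the checks deliberately stop at grouping and flagging, since which of the remaining destinations matter is a judgement the report's signatures, not the connection log, have to support.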

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaa3db555ab5bc0cb364826204aad3f0
SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4b4f91fa1b362ba5341ecb2836438dea
SHA1 9561f5aabed742404d455da735259a2c6781fa07
SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7381d4ca-5e0d-4f06-9b29-5c050a96e11e.tmp

MD5 624e4351297da5787af4e5e598470020
SHA1 53c270bce9d3ee75e15f6ce815b295dbf1e8aff4
SHA256 c796f3ef2d37a856bdaeed5ec8cfe6f5c3bc0d93ed117b71c0f5b6cc66dce0be
SHA512 ba9c4bd0a1e046976479c9a7bd8e11ec8cafa738f2f9c7f3e1623af451726e1cb3f9024e0ec129cc733a30708d7243b9e3de95f09adaa03af70510389e90ecd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 c57f807d828f220f0c301c95b31ced6b
SHA1 bc71d42d570fb7129e1542bea4ca45cac312706e
SHA256 59b441787659109db222f729bb4dbcf6ae893ae42b34910c953d78d1cd36ddba
SHA512 e034c4a7d8bff6a9ce6bad760507df9a8bc3222937dd177076add5de888f32f780d4247e46cf90b6689356803ea99185fa2a9fa1173241f0ac9a1cf5e3f75655

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1bfba6f13aaddb79f0e47e228eb587de
SHA1 1e87075aedddc0b08903374c641e28154ba4b8ab
SHA256 8eba7c94782110e7c6489ea9c025d684d478594cc81f4cc39c76fbe7a0cae17d
SHA512 a7d476a278b244efa2578d3962bc69345cd4f8c08daa011eccc2456ce4b96888d949339ce2ac71ccb8a05113db54622741abd17fe3de89c718eb3415d430eb58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 923e66c4317031ca3a5f1ec5c730e439
SHA1 2a757ba0c75807475e034bb459c1e559df7f1d7e
SHA256 dbf7ff08973d798094e35c2899c4591422a6b29239e7d5a342f689011e614b48
SHA512 99acc56dbf857f143303933c6424455cd283f4abd515bfc9819e2c7ed0811442c5237ad9de531c902025fbfd1fec930d004dd78f12e3d2d93966482181e3f478

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 730b80af277305763769bb163aa3942f
SHA1 d87c9288afafe961876e333e1b1770e3a7f33bd2
SHA256 5c648837736fd0c9a8f68fbde56cc74761d9457234762032752ecd154f9111e8
SHA512 83706fc00b0d4a10e40c178f703af70aa62509c7c3c2aca1994e3e9e5e003bf8e0f9222654058b3d673781b5efcea63e3091f43006e3d9bdcdfdad41a4824510

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2bd55083b6bcd426828dfbc3dd1b6ea7
SHA1 eca08fdeeb2530bcccef8190b7e0cc0d0bf67419
SHA256 78f9fb61d0b881fa5e4c0c73bd0e3fbc1463868f2548d9baf373e0de0d19b910
SHA512 c8554ff7ed8809c0b42fcf6ad4fa9bd9a648e85bfe189510634ed5c20fe1ffc7bb8bdd614607f6e5dcd75b20e808caf99c29c439778a4f4055a3169e04ac9830

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c553.TMP

MD5 7126a728ff8298a7a076701d86321205
SHA1 a6e87d363a8efdd13cee35d5c3a6cc8ddb905175
SHA256 5e92e108860e6f489d9264b626238d60278e64580d99d1ccfa5cc4cc73909bee
SHA512 ada0add7c84831dc6894b39f8b863aed0ee28ec4cc2bfaec5ee0e97b0085c5e793cc84f9e9cfd99d2b4699cab251464393a5fcb9bdbd9ef67d887b74577ab305

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c52907112884ab71827bac07a32afbc0
SHA1 18bc09fb0694e2a8350ce898cd37c98ce1493799
SHA256 d32161e357d2543648c5032c7d50a544257406dfb9ec68f296dda03c7fb6caef
SHA512 823c96704f58e72b49246921d68beb216e439aed969083d51dd51787476e56481d92c8d0765dfaca32cc2a9d21090038c9070411115e8d9b6f383a00581d2bfd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d31f4dc95fe175f44a8f03a19f50402b
SHA1 d8f85be6bb6941864f01b4c54c7df4bcbab25f7f
SHA256 3ae5f83e22101c05d01c6faf9b6f62752d96d4ebfa0aea3c08c75730f844f696
SHA512 aa8c6dbc8c5714e60b1da56e5e99815e9a4ba85a33dfa84c40e10f294661ea935642e6d64930ccb5202d249d7d615abdc42307404bd01b5ab83f2aacaaddf62a