Malware Analysis Report

2024-09-11 16:32

Sample ID 240614-nmt24sseqq
Target https://misprogramaspc.com/itoolab-watsgo/
Tags
stealc vidar discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://misprogramaspc.com/itoolab-watsgo/ was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Stealc

Detect Vidar Stealer

Vidar

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 11:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 11:31

Reported

2024-06-14 11:33

Platform

win10v2004-20240611-en

Max time kernel

130s

Max time network

133s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://misprogramaspc.com/itoolab-watsgo/

Signatures

Detect Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A zsdsoftzfile.shop N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 6032 set thread context of 1064 N/A C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 5440 set thread context of 5660 N/A C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\ProgramData\GHDHDBAECG.exe N/A
N/A N/A C:\ProgramData\CAAAFCAKKK.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6032 wrote to memory of 1064 N/A C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1064 wrote to memory of 5604 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 5440 wrote to memory of 5660 N/A C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 5660 wrote to memory of 5840 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 5604 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\GHDHDBAECG.exe
PID 5604 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\CAAAFCAKKK.exe
PID 5600 wrote to memory of 1680 N/A C:\ProgramData\CAAAFCAKKK.exe C:\Windows\SysWOW64\ftp.exe
PID 2140 wrote to memory of 4028 N/A C:\ProgramData\GHDHDBAECG.exe C:\Windows\SysWOW64\ftp.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://misprogramaspc.com/itoolab-watsgo/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5040,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5044,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5300,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5388,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5472,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5304,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6268,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6288,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6452,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6456,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5112,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=7052,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --field-trial-handle=7232,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=7236,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x308 0x2ec

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7756,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6700,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8104,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=8112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8384,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=8400 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\" -an -ai#7zMap24776:168:7zEvent25760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5544,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe

"C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe

"C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3668,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:3

C:\ProgramData\GHDHDBAECG.exe

"C:\ProgramData\GHDHDBAECG.exe"

C:\ProgramData\CAAAFCAKKK.exe

"C:\ProgramData\CAAAFCAKKK.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

Network


Files

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\libcrypto-1_1-x64.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\msvcp140_1.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\hogg.pptx

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\amphipod.tiff

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Qt5Core.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\Qt5Network.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\libssl-1_1-x64.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\vcruntime140.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\vcruntime140_1.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\msvcp140.dll

C:\Users\Admin\Downloads\#!~#0Pen_9898_P@$SW0rd~!!$\steam_api64.dll

C:\Users\Admin\AppData\Local\Temp\a96305c3

C:\Users\Admin\AppData\Local\Temp\202fcdce

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

C:\ProgramData\AECFCAAECBGD\nss3.dll

C:\ProgramData\AECFCAAECBGD\mozglue.dll

C:\ProgramData\GHDHDBAECG.exe

C:\ProgramData\CAAAFCAKKK.exe

C:\Users\Admin\AppData\Local\Temp\5724b5d4

C:\Users\Admin\AppData\Local\Temp\5d7f0ffa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
