Malware Analysis Report

2024-09-23 11:16

Sample ID 240615-hj4t9avfln
Target MEMZ.exe
SHA256 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Threat Level: Shows suspicious behavior

The file MEMZ.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Checks computer location settings

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Runs regedit.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: SetClipboardViewer

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 06:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 06:46

Reported

2024-06-15 07:00

Platform

win7-20240611-en

Max time kernel

453s

Max time network

624s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\devmgmt.msc C:\Windows\system32\mmc.exe N/A
File opened for modification C:\Windows\System32\devmgmt.msc C:\Windows\system32\mmc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\vice.com\NumberOfSubdomains = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000f7518cad3e7bd530ced15412970ea6b0b37ec60d34d8f9d2be3c3f8ab0d7dd08000000000e800000000200002000000062b3847fdd433e2176417d077b8fadd6477e4e518ca4d864695294b25a8266e6900000004ab33ca122a7568e07249be95e18f177a3258cd08a67317fab1ab2f37c5a2d9db08a4a4ba3499b0fdfdf27d17ca8b593b0527deb5630ce2e9f652ad69ee5dee33434dcea369ad4de408909d3b509ceb22cc82610ce603bd52a3b4a9f2fd7256449a0db826b85308c02b52ede47ef58e239f38a8734b2dfa04aa7bdc65d466373f1c545fdd6bb884d7befe9cadb5fd899400000008c80140211c38b34e717db609a2e42eb49bf3cc2786d513722bca37c3482f62d759c1e83c32633d3b20636f585c6e0871dc1345cdcf78ebd6b6098cd6fbb3378 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\oembed.vice.com\ = "8" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "407" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "12496" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\vice.com\Total = "8" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "325" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\oembed.vice.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "492" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "407" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "331" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "492" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "331" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d2fb62f0beda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "325" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000a2e4f1f5e44f5897821b0973f2255fb10d4d9c8d3b428eacbc4e9fea94e5fabb000000000e8000000002000020000000bb86ff259461031c6b32507ae414a4c43b675bc3ca386ab8a65e25f76f23060b200000001eae823d02bc5f2b19d808f038d9d3cb95d09e8b98ef1f7d798d4ec10189cf3d40000000f1dd51630381d0947826adc2e42ce55567eebbb9b0de8987eabfb16755f1f4bd3cae389a043c5edb6577d018bab61c5a5dd5ff5cec482d896a04e9a2b69a212a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424596097" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\vice.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Windows\SysWOW64\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 2652 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 2652 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 2652 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 2652 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 2652 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 584 wrote to memory of 1676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 284 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 284 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 284 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 284 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\mmc.exe
PID 2652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\mmc.exe
PID 2652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\mmc.exe
PID 2652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\mmc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=bonzi+buddy+download+free

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:734219 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:603151 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:603168 /prefetch:2

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x5b0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:1324059 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:472111 /prefetch:2

C:\Windows\SysWOW64\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"

C:\Windows\system32\mmc.exe

"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:3552299 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:3683390 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:3486804 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:3224640 /prefetch:2

C:\Windows\SysWOW64\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"

C:\Windows\system32\mmc.exe

"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:1717348 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:1062029 /prefetch:2

C:\Windows\SysWOW64\mmc.exe

"C:\Windows\System32\mmc.exe"

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe"

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe

"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:1324148 /prefetch:2

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:3159215 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:865432 /prefetch:2

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:3355849 /prefetch:2

C:\Windows\SysWOW64\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe"

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi

C:\Windows\SysWOW64\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"

C:\Windows\system32\mmc.exe

"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.co.ck udp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
US 8.8.8.8:53 consent.google.co.ck udp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 play.clubpenguin.com udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
US 8.8.8.8:53 pcoptimizerpro.com udp
US 8.8.8.8:53 pcoptimizerpro.com udp
US 50.63.8.124:80 pcoptimizerpro.com tcp
US 50.63.8.124:80 pcoptimizerpro.com tcp
US 50.63.8.124:443 pcoptimizerpro.com tcp
US 50.63.8.124:443 pcoptimizerpro.com tcp
US 50.63.8.124:443 pcoptimizerpro.com tcp
US 50.63.8.124:443 pcoptimizerpro.com tcp
US 50.63.8.124:443 pcoptimizerpro.com tcp
US 50.63.8.124:443 pcoptimizerpro.com tcp
US 8.8.8.8:53 www.pcoptimizerpro.com udp
US 8.8.8.8:53 www.jqueryscript.net udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 104.26.4.155:443 www.jqueryscript.net tcp
US 104.26.4.155:443 www.jqueryscript.net tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 50.63.8.124:443 www.pcoptimizerpro.com tcp
US 50.63.8.124:443 www.pcoptimizerpro.com tcp
US 50.63.8.124:443 www.pcoptimizerpro.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.152:80 apps.identrust.com tcp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 www.clarity.ms udp
US 13.107.246.64:443 www.clarity.ms tcp
US 13.107.246.64:443 www.clarity.ms tcp
US 8.8.8.8:53 static.hotjar.com udp
GB 13.224.245.89:443 static.hotjar.com tcp
GB 13.224.245.89:443 static.hotjar.com tcp
GB 13.224.245.89:443 static.hotjar.com tcp
GB 13.224.245.89:443 static.hotjar.com tcp
US 8.8.8.8:53 cdn.jquery.app udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 104.21.66.214:443 cdn.jquery.app tcp
US 104.21.66.214:443 cdn.jquery.app tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 13.224.245.89:443 static.hotjar.com tcp
GB 13.224.245.89:443 static.hotjar.com tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
GB 13.224.245.89:443 static.hotjar.com tcp
GB 13.224.245.89:443 static.hotjar.com tcp
BE 108.177.15.155:443 stats.g.doubleclick.net tcp
BE 108.177.15.155:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 c.clarity.ms udp
IE 68.219.88.97:443 c.clarity.ms tcp
IE 68.219.88.97:443 c.clarity.ms tcp
IE 68.219.88.97:443 c.clarity.ms tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
US 8.8.8.8:53 motherboard.vice.com udp
US 151.101.194.133:80 motherboard.vice.com tcp
US 151.101.194.133:80 motherboard.vice.com tcp
US 151.101.194.133:443 motherboard.vice.com tcp
US 151.101.194.133:443 motherboard.vice.com tcp
US 8.8.8.8:53 www.vice.com udp
US 151.101.2.133:443 www.vice.com tcp
US 151.101.2.133:443 www.vice.com tcp
US 151.101.2.133:443 www.vice.com tcp
US 151.101.2.133:443 www.vice.com tcp
US 151.101.2.133:443 www.vice.com tcp
US 151.101.2.133:443 www.vice.com tcp
US 8.8.8.8:53 htlbid.com udp
US 8.8.8.8:53 oembed.vice.com udp
US 8.8.8.8:53 video-images.vice.com udp
US 151.101.130.133:443 video-images.vice.com tcp
US 151.101.130.133:443 video-images.vice.com tcp
US 151.101.194.133:443 video-images.vice.com tcp
US 151.101.194.133:443 video-images.vice.com tcp
US 108.157.60.44:443 htlbid.com tcp
US 108.157.60.44:443 htlbid.com tcp
US 8.8.8.8:53 vice-web-statics-cdn.vice.com udp
US 151.101.66.133:443 vice-web-statics-cdn.vice.com tcp
US 151.101.66.133:443 vice-web-statics-cdn.vice.com tcp
US 8.8.8.8:53 www.npttech.com udp
US 172.67.155.215:443 www.npttech.com tcp
US 172.67.155.215:443 www.npttech.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 static.doubleclick.net udp
GB 216.58.213.6:443 static.doubleclick.net tcp
GB 216.58.213.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 142.250.200.10:443 jnn-pa.googleapis.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.187.214:443 i.ytimg.com tcp
GB 142.250.187.214:443 i.ytimg.com tcp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 142.250.180.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 fe0.google.com udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 softonic.com udp
US 8.8.8.8:53 softonic.com udp
US 199.232.209.91:80 softonic.com tcp
US 199.232.209.91:80 softonic.com tcp
US 199.232.209.91:443 softonic.com tcp
US 199.232.209.91:443 softonic.com tcp
US 199.232.209.91:443 softonic.com tcp
US 199.232.209.91:443 softonic.com tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
US 8.8.8.8:53 consent.google.co.ck udp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:80 www.google.co.ck tcp
GB 216.58.213.3:443 www.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
GB 216.58.201.110:443 consent.google.co.ck tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 id.google.co.ck udp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 142.250.200.35:443 id.google.co.ck tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 softonic.com udp
US 8.8.8.8:53 softonic.com udp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 199.232.213.91:443 softonic.com tcp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:80 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 216.58.213.3:443 ssl.gstatic.com tcp

Files

C:\note.txt

MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c70czm7\imagestore.dat

MD5 f1b45a515be1cedfbae8c29607dc6cd7
SHA1 b50181870c02f5e1435bc75231d5317765dcf99a
SHA256 4a8087f4771cb586f17061871a45aaba1ef0ea7f1fdd36561cbf6d4ff72a9337
SHA512 5e7dc9dd79b58ec8917b492e76653273ce49a45288e8ff00350ade2e9ac1f85465f4c487904455ace03a63af575b9c57d46c046e37a6c4b7b9a3b3efe362b457

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e23532b64cd076642fd014193e9aa845
SHA1 bd913bb8e870014519504082a9558bb7d61a9180
SHA256 40b4928da63e430a51294fa7ce0635d637146afe02b62c7a2ca1b11733eea073
SHA512 3743d2ba7993af70fe1317d80e7fd3d9cd52da4aa27b43daf08f74a0302cd643957c1f9af87e38d887e74667e4ec3eed1973fb83ee9c8663c6318024ad18a8f0

C:\Users\Admin\AppData\Local\Temp\Tar3C96.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab3C94.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c7efb1c98eea58221c80d40f8f14da9
SHA1 6354c8f17b0c108481ca6af999010bcec790c4e9
SHA256 8539580986893a9ca7f05d83abf7ba5811727f5363e67146f2941f53650c4e30
SHA512 27c1505514b1d4b97401d4f0e732234b3233b7b7107d969187646a7ea3de2725515d925e14dd952e681c34989db289d2b47a65bd55ac412c8732fdf437a19b19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d9ecf54a4dad45167fc415f9da685e8
SHA1 1007357515ea689910a4ccdb0a704e292ceac06b
SHA256 654da0def2fbe6b9aac09bac6d4e31b88041b9f777d10e57f64e201e0a4e3758
SHA512 1efe7d4b52ceaf9ccec11ecf04f23a3628df15435eaff6b136ca1e20442f8a22af18e02f175fed0906fbb49c8a00b7d49c24bf0386f5901564340ca211191824

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b28f1313052660cb5e9b897046576cc
SHA1 128a750d8fbd63f10a69730b23247622d92b67cf
SHA256 8f8463aac5e2ef333fc2509041ea73cd8d1e47205b240080c1a7f051a540e66f
SHA512 1981b50ea76507ef9cbc836e211b0dab743302534f7c6ccc26161b2d1de5d2731c3edcb943aca5769b49b7f898baf29b6cde0625b01903e2e6f22f600e785300

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b01df0365a4e4d1f393b362daf623645
SHA1 df390bfeefe2277e9867c7570aaf50f51953c003
SHA256 f9c7ecd195cc2242da798b196800c7521b15c6fbc62b6b5075764adcfc26c8cd
SHA512 b835a1a8d8841267b90cc32477357ae556bcccf22a55f3a57533cc3afb0df141e589139a9e7fd6bb8f7e19010ac3afd640eacadd96c4fc1bba11358995584fc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5e73da0cf2e92fe5eef59eefd51805a
SHA1 449134727478190d91dc8f878d942ca0e97b43df
SHA256 226056d87d9b13a197f6cb206f60f0e6e8f47c6a879e51d3d66723f5ff300b88
SHA512 039a6252a7a5e8bc61aed0a547663130d3feb2330525a897a7c0464a724d5a387b3666f9570822858955a938e283f30614963f9f6ab73c60b3a6f743cc57a2af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52afe2515b4e4bff51eb2a6c63a081b8
SHA1 49436844ce16b9ad10a00dda1715818fa9dfe17c
SHA256 dc4938dedb357bcd4153dc3262221f2e9c6d9b30caec04054deef89d3b652aaa
SHA512 dc1f14ceea33dbefb2703a5b1befa63445a0137add2b9725b3bd932ac1bdb54ae59b84aa9c594dc6d342d3bad5cdf098f8e8932623cd457e69d68bd50d81ab9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d81614cb030d78c4b11ec33e8b7ec4d2
SHA1 6663a3bb1620c63185e2f64b2c5200e2e02abca8
SHA256 e0df3f8635bc653951e67a1e5b0cddf735c69265ca1e6cb94d0853c726ea4091
SHA512 855c20c4adec4412899ec6657e3c798fca4bf41b87b72adddd00508ecfbc3041e426fffb6607dfa92c79a6a1f285d29dea78f817f9c2c6e37f16074c61329021

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S3WEIZPD.txt

MD5 2ddffb40678f1fa785cc399bb2c0955b
SHA1 0c6f9dd68054b9e3393213a303c0424ab310bf0e
SHA256 77d7860c789f6e6a57978881f5ba3ee1670b6927f8d0e7b82332218ccf3fa4eb
SHA512 70fb15bc01a7c6e424f912f917b000fcbd581a2c11dcadac2b36cb7176167f193375047d396f91e33eebb28050c0db9985152b9b6eca436aa32887e7df6e0330

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 87a4863dc59de0bc7c67aa8f13b9339b
SHA1 f466f95e0c8860ba6441cc93c491a656ae3fed76
SHA256 e68d0b42d0696a8c02b257af823e625afee27276bc197d9709b157f140e50a7c
SHA512 84c1026ff07eb0749ca0c890d6ceec40fc3e341352ce12ea0f8dd296c6a530628a00249361c91137896ae27ea7a3e97c03d74376ac4c3fe6fa728ea44f5db7a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ac5336f1f174cbec803904fce0e8256b
SHA1 c3f4bf7a2f88953e56db56275921a2695269503f
SHA256 e26d49105fc12539a2bafdf47186ccf74046c5da69b2f4e8f8656da386118b93
SHA512 3b05ee314e3d041efa9ba89a458850bcf544e576aed810034490e3219605a1407b625d031481970f87b7b934a0a83756122f93043cccec71fd3a6a1494981f0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 c7a6ac4eaf783197adc9147a07fc61a7
SHA1 c62c070ca569983ef9b554326d66e870fa653377
SHA256 55c2e9f1c475ebaf9408970317f396689120b72731703fd0e8fe830fbc238e12
SHA512 b6ef1f077954b4a157d3955b32d972847b096da0a1fd78aa4dfb8207bdfeebf4368191361d85b3eb6d914bc7434e19b37728d40f63cf2eb5ee6ef47e456065f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_A34D3B1C2EC7792CC8F97AA4FBCEACCA

MD5 8d988f4975d833a8a5965909a6736784
SHA1 4bc6c629faa5d8842ecb55dba62812bdea4d9a4c
SHA256 21a6e72528c8e6b98e5c5b4ff262b58648d8d532881ba4dc2b4e0727c6d448fa
SHA512 45cea9c59c28e22a82a646342b34fe42180d7ca673211750c75f5f01ed616b81217ab6deab29d0a926449eb2e60213b6828de6148408edf2c2eda2ab474c3bb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_A34D3B1C2EC7792CC8F97AA4FBCEACCA

MD5 a41ab057c69f3551eb86a162ae4a2038
SHA1 db709f5b95e68e07443e14ae519ffa8126a3b678
SHA256 a9fc9fe6315a35e81398ca6309c9fe60d9aec8785ece36f9b666acee950fc6ee
SHA512 4d573c662f01d430a5b3d39abc58017ee0812067244b4a79b51d27e7408f30fa1402e8c131f0bc7b811ec75d7304a33f3fbbb677ab6341bc1101e52c94f0c9a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 541c5f0111607afecedf8f6992a553ea
SHA1 bcb5e26fb92abfd382f30c3246f09c1d6e11944d
SHA256 9b315a8977bb13f7eec2f2215524f86979f1ca91e5b5a9e02a7a4c5f80d8e1e9
SHA512 28ed504d4fd77fe2fd3ad0dd5db4ef1be576ac223124be37c9a2249de3dd3bda19ef005b932604b92d9978e25023bd0c3872188e9c05bb7bb11ed429eb9ccfc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322

MD5 77a3f107d88e4310e9aa0f380b4e5a0b
SHA1 5c92518e3d7ae4b450f2bd76281c6d31fb3dd82e
SHA256 7fc9835a39560f95e59faa5854ee0bc99b7f8375c5bddcd40fe7abbb8b4d1dda
SHA512 8653c8f6167322d497f2a77d143d149c34cb2c448734b5d7292b41e5b0ca3d2f3094c2f8fd6fe708f7a1f1a0197dc3991ecfe9d7385dbfd9756b77272001f6fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322

MD5 4182f0e25fba923f1901b9de3bb14a40
SHA1 73403b5efe56d62ff1ea5520e937bbcf2eec269a
SHA256 8cac4921af175e3c1c904d8494edfcc6bb289881aaa5a6892006dc2a32a34844
SHA512 a64d067384cedecc443e34874c9d2b599a9002f6110e5a1b866f18ef89fb3133c9add2f26824b4e5b2e4f65cf2b6adcddf325ec3eef905a9b543746a50519d54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f14d6d4c4170df064741349184b3f4f7
SHA1 f2034279bdc453d7f58aef1aa07b79b6dc695518
SHA256 dc088ac10b0e3343fa79df4e3ed0d8af0c60099e6b7dd3b2e1fac9b707fcdb45
SHA512 50c9018397e2d40a6c31cb8a4674c1e2a891877ac8263e6a6f99c9b8a480163c509008a154175560883c69998a303a61dc50f65f455e7e9d6c5dedba3416121d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dece3f49d02c118a02d7124753d8ea2
SHA1 2cb6bbc3afdd8638b7491c5e988147cb207e42da
SHA256 2e5d1e33cecbafe5d2f473fbfcbc5f4011d9e262db30c89efc0d5f688113405b
SHA512 b9dea0627df4ccc3ace838868b88d576e4a7b5912f3399e2f74994ac3b3a3158c5a9db836d323fd96c31f3401fdb4fa326a385011a1e985fee6dfcc761b24531

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 561c0498261ab4cc1414ea9be8ac9e3f
SHA1 50995544f1a08d6a2b68d8509396641d6b008b1a
SHA256 323fd0d9d73c42992bd0631ca7e566e3023783910aa4138780adb5e837082caf
SHA512 0b79a5957fa196b4511dea6f8733a4338eb19d11494891088b56c98b871a9c61f1921a74d9a2dacb800ec3901c478930f80b7ee465db261b7a9408626eebe733

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1780beb4ef591745f15e051899ab62d
SHA1 6f029f575794c8d69a07c1f61bf20f378004771f
SHA256 da9776d75a094ab0c1dcedaaadb1c9919f0e77695fd0338be5e0b1ad2e3fe279
SHA512 65dffc60a965976b444cbf0e101ea29f0ed85e1310db08a6f8f7077e6c8de04ee88b6ca1299a42ec180f4b235d6cd2cfa6b09fe2440735084a2db2b85b0df8ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85a53857fe14a7b663b0e5229db2fb0c
SHA1 36eb2be34305576ed13311f701cad392e6eb9292
SHA256 1769b7183c572f705ba22cccecbb2522533cef7d1c5c422d2e33249e5526ab53
SHA512 b44a2c8a8af2a364b8e45e791ebeb8c78d0ef6a2e0021202c692c58ff354600fb8f7be9daecdf7a7ce629c9ed9d47106d2ad5099027f7cd5dd69d4f6fa1ef80d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd092b45960078d061ad8dc388a08c2e
SHA1 4a74bbfba281880e0a9a40fe72cfbf0904f3dbd6
SHA256 8295063504a9c0d4c6d6894628a63e0948f09b1c59fea27a2126ca033f3b8ae4
SHA512 c19cd664eaa4f1032125f698d3472167f48059c44eb8322d9ff53b9022190e5ac0af3d601842c185a18f20cec45deb04f3cc3905dda0c2bacc686a1e36baa4a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bb47e2ebf64099d375903d90c8cd8b4
SHA1 3fc60a8c13a3b5f77268e6a92e99d5fa3f3a844d
SHA256 490082a73bda12164b59dbe52d7b4f1e1ab91534a533115e41b8e555097330b2
SHA512 719e274c753b0d2e4f5b5ef057294f7bb12aacecc377aabc1a19206863821aa4bed9225cbdcad3b0007a50f5a7f34293744fce55d94d00a43364146f6d8bd82b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26f0926ec1a967edfdd1b01ba05f17b5
SHA1 5e2969cca814f3fd1b695330c0db1ef439f7032a
SHA256 a2bc7aaa3bf5ca81875c57c974e598cfa543f70436352948f3c6b3a54adee839
SHA512 44180fc0f1988b024d9e19c65eeb160710fe3c4b2768722a05c4a4426208384c3a98e58f41095585faae634c1e192652e63dc83dc9e6089bb068e7278af2439d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ec69093410f9827388b72ba7fdc66bc
SHA1 8a446a9e40af2968e3bf419d744977a25eefee58
SHA256 5406ee5255bdce95cfde0aa0ca86f4a95e2d27c8d82eecc334bbe17e2b8b1739
SHA512 243809bc1049f442a171c724b1925bf1e13aadd184c8081de13649bb1fe69e8b050f6914def1c0c8f893b47fc2c0b1fa7e45d23f77170ffd6cedc0fcbd299a7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd06d6c8ab190c06ca2a81f7840dbb26
SHA1 3cd08fa02b640ef7a59bc75899da86607dcd445c
SHA256 2aaa1b7a1fc41b48e09df586e928ba894c2f24ed95e72da9faa84cea3ca74997
SHA512 555f7361620e576634e12e69fa804b6747613fd02a43bffeda86cdd7fd960f1f9b58abaef5f83b3994e31555f35816bba2bbff2efac1d17a38e0959f0fe207d6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S8D6DJDA.txt

MD5 db03ba2c260df76f5c090356868a4492
SHA1 8fe60c99497e4b5c950a217e0f29dde9e9efe2fe
SHA256 79b4912cd87cb2de0569d5f5eaebf96d75211d87262bfc758a4a74fdcc88e18c
SHA512 d612166f42017ba943cf79bc8a84793bf0f6183220fc3daee1f0eb8faf2a8feb3c7260ce64385c154157013254b0a993dfb6b5bd61fd2c41a076303ccc1f10d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40c00f4037f81c3bf3994b0f20f8ef92
SHA1 7007c4ad8bfdff5d5beb7334edda5c758c30e39f
SHA256 75b24063d95292de9322e4da628f571cb4f667a1a379135dae1384119ae2f5b5
SHA512 4b7a7def9d8ad32b89b258a3f6e36a7f94d66d253083306d8c68b631e663ce1f47b763ceca6c6237be67cc5a2df35259ee4973224cffd28870af5038d4b3c19d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OT2S05NU.txt

MD5 0f11978ade31019ceaa11bbc7bd2b3d3
SHA1 8bf741e449b0e7e61fa72308f650cbaf0e437c11
SHA256 c607514b62a113746329cba5b017e8e685e1ea72561f3576abc5522776810b7d
SHA512 74dbea7dfaea70ece6e1e987aa1070a534fd2c4569390e23fdcef3ebdaa9ed8ce6e9b86956c67a5f8e7922f47dc9786337d9ec27b4696dc08d13eb95e027aef9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M901U21T.txt

MD5 7875eb4e84f39e9d6e77324481c915c9
SHA1 81f7af85ae777bff9ae6ca4dcc42d20598e2a92a
SHA256 d5de79d3ce625ac5a80eb837a09c598119d12245bfbbd985a00a1ce1c6ea931a
SHA512 8ab014b9822330f6a25c80f6c23b6b7fd2bba163ccabea50d97e65262071ae1786acb48e1bb86cfd99103b07fb74ee647c4edf652cb25e21ea2c6e4e25d6125f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4c18e3b70d7a60ddcee4fc7ed3cc11a
SHA1 1c57ac95815b7dcd97fdad6ce07e733fff5a1ee5
SHA256 f403494e28c16f74887653104c9d0a00314522c12e38e7940e0e37bb95f45716
SHA512 0fbd9ad2ecb6ed3ad9852c4bcb6a53bd46c685ee17f7f4b6171d02c3f3981fd9da610989dffa7c7520e23abad7cd19d548d9dac9de1819e38b5a02e88b205929

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7UF3ALSE.txt

MD5 45ce9045a7f5027afb628d86a240b282
SHA1 041f55d800064021b0820980a8b0bdc74afaf949
SHA256 47a88f579010610609fa389749a27d77135fae2fe0d5b8d2f67f9babae8b6222
SHA512 b0cf95ed31ad884dda7b7f8ac40e43f6c949fd2485e57d3e9e7a029f8eeda5ae49eac332c1d1dc05d64766128873c6640dfa3f27bf21f50220131db675b355a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QRYQQ239.txt

MD5 03979f7a13d9f98593bff5803c9afba2
SHA1 8cd770188dfd3876650245726fe988bda4bffd07
SHA256 49b68234034034f9123d359c5b8123a4e22c06fc43639b8ae55bddaee065911c
SHA512 2dfc4f744a5060b8ffa7acc154a829bb06d302c5df3ee779354e39eaddbfd47d550634a249a3fb2d8694883abd50c57ffcf1fccefcb51918b45c6cfaf8cbaf89

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\search[1].htm

MD5 a41cc61ffb870a75c7bf6e0da97c931b
SHA1 f8811caae14734241b7aba71a6403e2eb09789fc
SHA256 824af2d1d22518d618577e004bc94b3c3f8cd843bd83ebd3f798fce5f2278d05
SHA512 2c5ac3317452706edeeaaecfdae9624f8da8ad9bff00a7d3703aed832bf5c82e2abe626a1b65a7c7d460385e76b064bbc23b849aa3d9e2717da0e3ad9993654d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6K6SV30C.txt

MD5 b09efabcc46ae4efaa5473b3bb2c49db
SHA1 57ac58a4147cd5bdcd7959414f4d947c3fd4affd
SHA256 0ba2878d5b12f761c40e5daceaf1173a9e5225644cf7e1ee32d60d318146dad5
SHA512 d7e0d0710dac6a065c2d05893ec8157ff7f33ef24e818df6f37d3db0b1423422bfa224ea20ffc44ae59cb539e0fed9dd17fcf9a3ceb6f410d37c1f155276d4ed

memory/2804-997-0x000007FEF70E0000-0x000007FEF711A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RNJRYX6K.txt

MD5 e787281ee484e0ed06be52447be3903d
SHA1 582dc6f21f63c48106bff13d48ec1166fe981ddd
SHA256 268a35685cef57168d754d9941ecd9531858822461627d40e2e6b91ff4109e5c
SHA512 e5bb9c80c785981df87f4fef4185bc3bd382ed87f70ef5a2204d2f46b616c796ee8fddb3745cf188eccebc2a3b295c00d0d919d4b9cf48f54c45b7b5f5957ce7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\search[1].htm

MD5 0f38b161f4360f59d395b2c20f40df9c
SHA1 b5893a3035ea7a612ca27521c31fe3edfcfbc132
SHA256 4106a27e4e2f3a0b77fbbed59f44216af47c6d496d092eeadd8c83989ed81ba0
SHA512 74e1b66cdcd90e8684daef91a3eb88fe75e6c1e193a2ecf5a3c26c582ea75a6b4476398967849b0ddb3809788507e70df5ddbd52bbf1303b45d6f6a435eaf1e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GRQPDFPN.txt

MD5 4871c000ab7001b490c8c7f82a9453db
SHA1 aa5d13b3d18b8c20b76ec218b118b0058c09a0b3
SHA256 4db04660d36ad7d984d0781a5d09c2b143246f9e50f6bc0d87aaacf78a5bf057
SHA512 71c916c4af4a9200b5fda8c17cad45e58eb4ea6177f93b917e86fc035eadbb4a02b372335750cfc15c461453cd3f4b8943c4a704762392a65cd72d31f5800a08

C:\Users\Admin\AppData\Local\Temp\~DFEA05483E93831CC7.TMP

MD5 bdd9803d5ed64de9f02e2072a95e5026
SHA1 ec74b54457e12bfd849283f6d692e9fe8a537334
SHA256 6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603
SHA512 a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZWOBEW67.txt

MD5 c838f943ba591c3aa7282ff1f1a8fdab
SHA1 25c3c7e9376dc3c29ac53c5657855a57f2330f2c
SHA256 f0d2523972be34939c20879bbf8dae4c7a258d74ae1ef2440d577dee371c2dca
SHA512 32b65796c606c461751e987b751a03cc4ba554256348b583da15ed71d2e24f5ee2c9e460fc98820c36cf525e8eab5c0d247f285db8157d7dfa14bae5a42bd367

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZBTI9WRK.txt

MD5 740fb16a2c2743af5ab6caf89638e60d
SHA1 b85aded6a0b9cc7049b6691c4bddd9071a57dc65
SHA256 ff23d70b3b0b69f1c9f6599eddda4fc126c6d03a35e877be907f6a5af5e313a7
SHA512 f62516dccb5c0324edb2c5664cbf63157ab70e46aefd90131b755905f96a3e7f84eddcc48cfa1b460f5d8d5d36b4313acf7515f259a6c1141fbc85e54386f8b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 698c37ed899fdd2bc65a26d9f4e2c53b
SHA1 bd987fb30640fb263de781dbe39be801590812ef
SHA256 075803f99c5c8cf09a366842337434653490faec462df2f789c7f9fd29766348
SHA512 332b14490d6b6ddff62fb9c0ee57400b9142d0342d4867f1e4cd724d5befcab0b12c0033aeba559fdc90d8b687cffa05d588295415235a2fb1cbbcf24d483f01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56b7a6bded2c9ad1bcccb268e8d7f30d
SHA1 8088dce277f0fc2580fefd79e6020e2372248356
SHA256 21d38c96ebfd599465745a90990b41ac2cb8575d4c358e969fe9949c335159e3
SHA512 42642cbfab08e0be18d01237c002b2fa110967395e6f06127a4130bbd133dbee36e7c95dfa13d1c901e11d21f0a8d97f21a1b6cc0a6ea0f4856e98df1fb028c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 83f466b5e107a966961d5a2d25ec2c30
SHA1 cc80bdf1040436d6f09a8560f82724b2ac2829d6
SHA256 09231faa875c114c8048bce3f6633e003f266964815f2bb1434bdc9681e8fad8
SHA512 628b740de2810ac6b12008ba1336be91af6305610b464c48e1b5d9941add152654025534b426dfeadf04b1f0fa877b27eaab53173679a5c4b37a9b00cdce9a40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b12675d95f2aea1f18f8bb229795d894
SHA1 11153e7143ebe4f424e73a0f793a6e167dce8e2e
SHA256 af76a5eda748634ed2ca0c54eab2962e102c0f34d37c6b1de22c5910f7547758
SHA512 339ccae763dae417ab467690165bf5efec3193a4ef7ac3c8fc00a67d0f47773f5235034be665cc4f7ab89c517fbc9aa1a41d202c5d91251e5794418928e4b325

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67dacd49d27d4fa96a2d0327d4458219
SHA1 ca41641af978514c8c6ba3aa6159aa29e1d503fc
SHA256 2b91fb5c1a29dcedbdc14a5cde36496c8dc9305bdd5ea40a5e3d9bd15705d73d
SHA512 2c0342cb15df3285645c0f151017437085f921e82e7020c2fcccce2bbe492787711abb9bfaf52fbfe11f8e86ce5b80d8b86d6c6339b246bcacab03d5d1e715a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37d2827b368ce8c6413e73c1b75e1c9b
SHA1 7b5c4f50d4cc0b9e9ce446ba4e31053de95e2370
SHA256 8ecf2a0c7b1e5313d5f71b34478481f58f1d62261f51b669ae44028cdf6cf332
SHA512 0bb1686ab721d71c79fe04f5d7e4d6bf95d77d635b3b28f7893cca080d497f7c81128ec21abdcf3fb5cdb9e423677df543bee936647822a823eeff9d7a38da80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f2ac4afd9407dca5c09821a4386ca7e
SHA1 680a6409f240f4324e2e559a00de1b3c7f0cc047
SHA256 ccd261ae0b014b71a1211ee3fa8e62028bff21b0590810c2d12c06faed98187b
SHA512 1fc63b26a9ac2b9d5c850adada949f4cb01f6cf3acc75436ddb755d235abdd247c25e35e77f2492b85c7ec907b6b4e660ae96fe951a698e348f52e11c39a4f1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01289d08e5b6fc1800b01272aa49d539
SHA1 d3f4e13fcac110334f0ed8c014c2dec1820e4faa
SHA256 f4dbfd83a72a09f59587c9318d1d0cb0d0e56d334e5a498f1ccb48a5e46c9d73
SHA512 ed41b61266e495f02dfc3b0209b6ed2bd16e13a0f4c01e675b1f9da0b752ad17d6d54575be800baec2e331fc083a402685f396ac9fd3932d8ec7f2160878204d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\js[1].js

MD5 b039b524a63b981f5d25e30ef0b1104c
SHA1 75cc6a78ab518309775d3da26b444e1a2744848c
SHA256 295aeb809225cf235b0f2cbcb0302571670e4a87ba9d95743f15bc8b1de314ab
SHA512 fa7f5436897b829c5fe7c947998a67138907d7895f41495c21ff3f5377561b1d53ec41a3f7b4424801ff684aeae7187b9663806f08af5595d576c7a811a8c4a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\PCOP[1].ico

MD5 6303f12d8874cff180eecf8f113f75e9
SHA1 f68c3b96b039a05a77657a76f4330482877dc047
SHA256 cd2756b9a2e47b55a7e8e6b6ab2ca63392ed8b6ff400b8d2c99d061b9a4a615e
SHA512 6c0c234b9249ed2d755faf2d568c88e6f3db3665df59f4817684b78aaa03edaf1adc72a589d7168e0d706ddf4db2d6e69c6b25a317648bdedf5b1b4ab2ab92c5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c70czm7\imagestore.dat

MD5 e321e44136f76a7e3e6cee8241339c1e
SHA1 7ed146c985a74064c11ad045a4ef490aff573650
SHA256 35161a5a7a153a1460e0f7823901f385dc6ca01abadc4da67b89b0e965da09fc
SHA512 df77afec60d1b24e31abc25e1ba90928bceb7ec12b000cac4fa2d779b805026d3878743b2db7fb5393954474047330a69a777aa166e4517e0682efeec8e8be8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 241574b9bfbd4798ebb3bdb3154c034a
SHA1 272c225d48a388b4363ec92270ec06e33bfb7860
SHA256 162a94dfa5c40bb16ba0f3bc381d5f4ad91fea5c5b7d096d14815ee3176af628
SHA512 276f8766d93b6cb1b8259343d3053ab0098da6b61bc17fb37c7e07e6d46e8f8ef44d645cbfd0d50ed69cbd4dd77d4c02e7ff60ebc4dc71197c504eb59d02a98b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a9f94e2cd6b620fbb9affca72559f1d
SHA1 a3d669fcb3604bbc57f2393685686ff0e80bc015
SHA256 9c8a07ade78f91836cad51088bf8704c8a79d2ce95fa9edb295017f487b8817f
SHA512 c3549217a47f26620b333f0106fbdc640b120366df565cbd3d35efb96139f551056513e16cb34b8078b5ee278a13753316008b997a21fa527b89e474b0718dce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e71c0325708147958ef2826c0d5e3e6a
SHA1 4eaf98d6cbf494e3c4a3cfa53daadc89f18df861
SHA256 7a7de786088a822eca2775f71642aae8496edc0c2fc15f3ffdf9b7d648895ccd
SHA512 a75859f50686cfbb00337b9502306b4bca349527cd0767aab82536589309889b55281a11e90e3c31d26c395e4650784246484f512bad6b5bfe42b89931fa8bac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a98d099e041a52c4cc92999cba860165
SHA1 a37b3e13b02237cab60661353548b5eba27dda73
SHA256 6d6b9b110fb92c301e94145230234093e57bf882a8059e9c654beb7392ed7494
SHA512 dc94d8f151b0c746fc43e8a1c3d040dc539f7d9604c8dc6db7f7528ead4d2f034762fd85285d997aed68d86b29188434118381a2f917c4d6ec5156d8f6ade8af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 305980bf66320a6dbc6372a50b962eca
SHA1 708a5bcac5a62ec1e383dc1c9a8882f367a4cf92
SHA256 114f9ddf45863bd0269e38a3434b4bd992bde2839e3720986f7233fcc23e7031
SHA512 94a1fb798edc06dbaecfc978090eb15e26efa4ae8540be1f3ca8e8c3e404036b1c2af6281aeb0fa2659a43443460431580aeae2c61f7ce1151132fd46704d80f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 384362a3e057aca90d1c0326bd448627
SHA1 a60e16c3b4aa82579c925e5bc5252742f001c2aa
SHA256 3f71efc2eb3acabb26e787f803ef0aac943486cc0e570bbccb0c2ea5beb5fa1f
SHA512 452ff7ee25517b537d606ae21296db1ab3fe73fd6808454bf7c4b4a42f480ce90b945f110b8d9a594b73b88552b28569f42e038770c2d28af3cb9e91597cee1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40b6f54834ea13e62bde11c9c26e9a0b
SHA1 3f8205aa8cc435198bff66ad95268d78352d30fb
SHA256 31a4a6536fed3ad8598679038a5c8204b87f3704d80752e2169133db13372dc1
SHA512 59856b9bd9a335658546dae873cf07fb6b26b4a23a27c584e2d1c29301b3b39eb7e8d8c67a21ad34cfbd20c76c559fb020cc7031c02f2240ed02051be5d8fe55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2f0aadc634e13418ca054398094c41e
SHA1 122947266f697e2c4bda66d6bb16f688ff2351f9
SHA256 e27b328e165cd6cb8e7ce6ee4f9844f0c35eb3334bec85c44b3a8131cac182ec
SHA512 52cccd91a45742eb08ed63a3bd39401cd7007ef3a95f0f992f0ded20765f2f7ef460ea046823e72adc0991bdd80e283531f8bd2ab767524129b3a2bc23d9e958

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 986dcf3d1d17f6be493f37abc66d5089
SHA1 02bf92e4df852e7ca602ef9bb1422ae0621518ee
SHA256 4ed43591eda98c79ad7a5f1566091e6c4d1b4724f9f31d4c808a737ff55ec9e1
SHA512 cf5b882d9b2e286df00515be8583372ae005bc730c6700be4221d7e57c71d04bb2d5cc4facf6b9048a514fd33063573c8caf29b19520953fa25ca9a566da6a6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94937fe33adb3ebbe130bedafecd41cc
SHA1 34054a85784d04164152ad3493c9698eddeda640
SHA256 47f6a10c971b90dd286b6ab236d69fb26c50db738ecc246f80aefe990127fb18
SHA512 d06b9465b71d36711c7967805198ba0663ac9358f1c44a99912b61b87efcb46b4007c37e131d8cd7c954a5d34a1d10308cc41c49ccec78c6ebb6fa40e1cd72f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V1VRTKKY.txt

MD5 65929e7f3da96b98e1fef3477e53db4d
SHA1 0d47a5cfe402f4b427ff6fda734ce956567d551f
SHA256 62b903f1f10c135b19e8d8fa89b04ea67a17a755011ab7cc32e07c80e1eddca3
SHA512 37e2a18f0b94252f96f7ce1224e6031b66c24c65d6651c597ca66955278d12f8154862d6560c1f0e744c708c17f38e53cb3f04863e7b5f27459c35e6aa0ba4a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2aed6775b1a7300e68d0928a7c0ac7d
SHA1 5d5f4514dd0b3b044ebd7e7e46c31db91db49be8
SHA256 dd2a57ac89a31b99ea5b418099018f244adba0c56b3280bd09e4f0e7ed1e8b0c
SHA512 4f936d82998b85e5eaa77d14fe39572f15041d0f289b07471316d1ce4068a65aa1256dbcd5dc9a48139b39ceb762a63bd4040e7efa6adbf6b5db24e04cce14a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 77ddd452c6b09ba89416c593350da3c3
SHA1 081f95c59700df04466905c3b41ffa929a1efb2d
SHA256 1dece4a9d0441a466fe89eb6ef3c9c652cca6dc5c1253622dcc65b6060ba69eb
SHA512 a0f8540f63c8a7e89e2676860c7ce982a5d059825a6fefbf90dc410abc098330aa7d8c547acb65db32f3bba1874a71a18cb02110bd658acfc2309b5a222c9d0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbd217f4332ad4282108a0e7d4ed62a7
SHA1 76da6fb89945dce5e55098ebe0ee62a7e486b093
SHA256 faaf5a9ca8f80dcf311133be39e3aea1f50ffbfd741831487ade0d41ea39855e
SHA512 52f9a449956b80dac36dbbd75aeb3ac2017ea4aebddd39d1514c68c8ba735129c288052d7fb3370ce397d1e6c6b909f9dca1c60b4ce62be0f094e638b03d9e92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7b0a0639841f039ebb53059135d85c5
SHA1 d15d405861169a5e94407e4c0874956c2af7a8e0
SHA256 1b80fea0598c5963079a6a04b1cbc7cc8ae2034c4aaf8b8f87925368a84e1574
SHA512 2186267152338a53db8c85b08723d944372204894302ff7f373596ebd9d931f9eecfe64ea788199d085683977e49d0594f0fd4877ab8384d8339aacd2edb7dda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c56d5748541d7b4f253e2bbc49800116
SHA1 01e44353a17270f1b9f01c770910558dc418d370
SHA256 d4ef7898c464428bbfdefd2cab9fa0096e214c681a16f08c4bec7a52dd480396
SHA512 d7210d943a4f88bb3db3c1444b57bff822164b57b2b8aab8d270e410b9e03ce2d72cbfc56886abf6c9cf36c60ef8880c149aa917f15a5f220a0cfa510de8988f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4576a507d99681213d8e30bba497dd5e
SHA1 207a1546d30b739017bdfffdfb1e3d5b15d867f0
SHA256 18be8f9109ff076fc7e557db0d9f7cdfff2c95683eacc0d44ff5097bf8f4efb7
SHA512 887e8f6a899f32afc7424d6cc7761c5619af9271084c05c6493e991f9bc5958b6aace35460139e1bbcf32b2b614db6e41c5667b8d881a2e10ec9fda890ba2868

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0de0eeaa1e90bd73ce852db9a829b832
SHA1 5bf326894bc10597bfe54cd0c0e2e71902468156
SHA256 58d4e0486a62ef158e724e17e6f3c0df4d03fd8ee59f785f9480b3496ad54bc9
SHA512 644f467eb635a4896663fc984854aa43b0dc6b2ebb6406dd75109d1dbabb6f2f0fdbf14dd10b04c76178387422ef1e1105e9c989aeed275442f21348e921ce71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ae091a341262ea5c6ab72a2ca5d8ab9
SHA1 74eb2a5b21db0eccd69482dad9e7cf0ab01e2fdc
SHA256 b049c01378ac7a71dc0284c6d48143a947ea88f21b2572a25d8dad0722337bd8
SHA512 e6b2e8928ce86adb8f07d36113c961b0fb7a807e55ad77cb2356b0559f1be707be741498908966d2667cfb922275dc6e25ea28584c39e17ad48670042caa3dfe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cbd32a5f750f4aae5b6130a48b2e62d
SHA1 27892c8d065909db5e8411f81901171641fdf990
SHA256 1b0b7f98543a3ac3802a1ac6f6989f34725b06386fd5b545e343cff28f0b3f72
SHA512 115818c030749b6f27cd4882afbb3a60b6e4fdac8b6faa98fc3a7e9512e5533b870a0b6b7e8ba2c799e52c83ddea5ef7b2aa9f1edc0dfae7482b0753dd2d6629

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0ba8c4492241025d6bf67cd982e3dfc
SHA1 58d0201c4e6e74544a0763cbc8abdfba2cb6523a
SHA256 3616b89b824cb3021693ccb96154ae5b66639daaad626edf95dc3cd2c067d4b4
SHA512 aecf2b18451b840044a2f41f55cff36801cc970364238ef9ac65c084bed57a6ee6e0591a065fd509e30c566224edd9801bd967dc132098fdfdbafa3c03c3ea65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fd8f2b95c5ae9aec382be0b05eed01d
SHA1 bf5cd6a94287e2f9d987366ff10347c37db6e34c
SHA256 3f360423caf116da9ddbb89a5a87556f820d52de9d7e73506d1553028be6d542
SHA512 7894a62abf09ccc74371b06f9e37a18ff6c33a8568f1e77bbae574188591cd546821a831b48e2a5948afd1ebdf88f4e57ad6aeedc3ce173d032ee2c30b7aaff5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a65dbb6d6809d14ba40324483ae7420
SHA1 378ecbaf8ae7905afb191b94ccd02dd3e428255e
SHA256 eec81de68bc1472918793e8f432c7b67693dfb28693937a096f85f484cd13fbd
SHA512 d1645ea3ad2fd1f806c039baff2d9a01e9b87b5011561b5a893d0993be3f26f24df2372a5bfcee3309cb063cf6d02e2db1def3e0f180995f2dbafdf315f793a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_AB9E6ABDE5D225B32CD1A91CAF7467E4

MD5 7edc1050e4e5b2907c33f3b65d63c08b
SHA1 f756ba71dcad04cb539f7265ff38f1d584750f34
SHA256 e59ba2799ada6c91581356ab352fa67180ca4ac4272c2629292516de4e5f37c5
SHA512 56575441b853a6f1347588e45cbf8d8719db43eb7da2f573b5b7a1796a8498d90b090082136e16ba0d8c9475e3d2aa6dadbea50fe0e892a9929d920c6b532a0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_AB9E6ABDE5D225B32CD1A91CAF7467E4

MD5 c59da2dc41068546adcf30f4b7d6f931
SHA1 800618c2ca43275e8bab5f5f50f24a47cde6d1da
SHA256 ebe12c8aa39490b5a9f6876540813a5a31efc56005ce054c325feed9d0a42b18
SHA512 119c483805787591f3c5975a39fb5fb2faa7d247e91026ec056fc82467836875fed782201dd0ad08ef2a1ee3d2cedd6c0862540be42d91834e4f36892986bb01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7f622be315bed2d72a2c404f4b56ac86
SHA1 53fa07899c4c831fd8a449e838323a97e518dedc
SHA256 e3d34b10d7661d414ae2167b63ac9a5b635d1638e70ea50b881e92fb911e41fe
SHA512 6b847dcef2cd3f281c51cca147026958391680b4ebcb9e901d9224dda75a1847cf478c74fc0ed8d2387fb6a7781541518e09c48fb9e43e21dceb57399ba0c3fb

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\EB4DUR8Y\oembed.vice[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\coast-228x228[1].png

MD5 b17926bfca4f7d534be63b7b48aa8d44
SHA1 baa8dbac0587dccdd18516fa7ed789f886c42114
SHA256 885cf4c748081f6e569c4c5432249084eded544d55f7c85cf47ec1aebe6bdcd6
SHA512 a99269cc3c0af6a291e5373c4e488eaa3900e66bc3342933da3a18caff5401a4408aa1cb4463fac649c3cc5d88773f789fb120e292ed956188f1f5eda8ca7633

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c70czm7\imagestore.dat

MD5 0e9ea895ff836d8694f423205f4fbec4
SHA1 b0e9046850b7b63a8706552faeb57c29605db3e8
SHA256 9524728ea6b5e75da88083de1b277edefa767001a7a075b817c306478e1337c5
SHA512 b808a195d48b6caa3f9cf99453834614ebebe10f342229c91a3894b2cf24e9843f8840e08f1bdf717953d5524c42a1740ae00e5cfcbc6aee4ea9e59da556c5f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6PB5UJI9.txt

MD5 0ecc8ea9b592095c0128acdffeb2537f
SHA1 f70a6d23b663c7dd509ba7c041dabca651fe15b5
SHA256 6071a0f707d0b29c213298c271758e72345b4bf6b635304e804f69e9a246c2de
SHA512 03d6796463aac959518d29d2cafdc4407230a10207c869408bf6c344c467a23c2da8dd3c4b80aa65fbb42ae07706f393575e58acee804c6d050b28e920a38c18

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WUHITWU2.txt

MD5 9626415c41746112702968de1a3d9c4c
SHA1 005bb9bf14b90d15256df1c831e0c35358d97c51
SHA256 23e5051ea4b80a88e43daa97b9d6cd38e4e0e627f1404e9f87cb9f6ed2d83808
SHA512 6fe9e53d40c1d8ce96a214e320b2d530ba87470e99646141d7c7cc8589a2c4829f7af1b074be6d7db5875474834de0996acb3cd712f462d680ab1782a2dc8571

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94

MD5 d55b8958f8aaa2bec65bdf004b0d5d82
SHA1 a714c0b06b249c4de3137cc0f465157add65dcfa
SHA256 abde29b017a033a780771592d3263da40a92d05c8141d77dc4d0bd757ea63699
SHA512 bc63984e5551fa8f8a5d6bc305b7e6d4eea403a1f787efa9126bfba56e8be4cf02e99f2fa9edf19964ae1080b061126d94be58789aca84283fe824874fd2419f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94

MD5 7188d8815ac719e3e370103f607e5dda
SHA1 1c702b3438a8345c0558ad2ab3baf5d89ab65312
SHA256 586a995fbe3d1735087c015c4b9d4ed25d42081681874a2b498a9dbd444e164b
SHA512 13ebe79d182ead445434fb159ce1c686c8bd06b81fde652f4b83cab20bd091dd7dc40ba5c388bcb1b3af74111969c0ab569da76458628769a1edcc2f00eda13b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_47A43067FD26B14BE12C55F112579786

MD5 f474c87e4fe17ec6e274d4ce1207ed37
SHA1 94ab4a865455282384687444355f6599922158c7
SHA256 642f6fec22b157141c7140d494f322ed23cf6e99768648f1ff792436c4f19472
SHA512 8c956a46a55c5bfdc66899b9e0c2d3a64ccf6f71b05704d4eadd8281c5b5c1fffd986d8a4275dead02f18f17c2601ecf58e8bca1f27df364b17b950ecdc8295d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_47A43067FD26B14BE12C55F112579786

MD5 dd70c9de721518fd87b4f1e8fd8c6a3e
SHA1 899cdf087100e024813763ba9d1b5a61410d7897
SHA256 7b6f87b0d58ed547af31a701fcba7255564cda4d1a1dec5dee96e2a86e051a1a
SHA512 cd41fffe36148dddeb01d80ef0b498344333d0dd746bb356e27f979f74440adb3805f53d8d2dddcc52e327c87e929c5e6b2ba3c99e4f76e41e82ada0a7d9376a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 0e90c4684eca00721f116bad5fdf1b4b
SHA1 fbc8fdc559396287718bf7027fc39e2fb776ecdb
SHA256 e7d20b3adceecea231998406c681ab61f68e87fb1f9ad5fe49dbbe666015de31
SHA512 606c6a73d25aaf14cbd4a945893f39622c64d7929334addd055b4cb87bb8fbe5dbd76ca4d68c3064a5ba9761fb6738ff768e1e8be1c40a4d019f1157ca21c804

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 52a89806b41d339f5415d015aca5ebaa
SHA1 e85d15eace47046168d407cd4f6114ea575b0ebd
SHA256 2723238871404964a55bdcfb064e24787d63f6a5744de10ebb1044683ca4cdd4
SHA512 c6764481ecca5ebb1338c887a034cbbe6f368379e30cdc56f4388563134ab1b7a32b0d58911a47660babc14b1fb5b2c817bf63f88c53cdbed1a01089ff133cd8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2XKP1RDI.txt

MD5 251039df28605082b2d9071395379b23
SHA1 6da35ddb550c741b3164808a5308c062405cd471
SHA256 9936b5857265c7d324070db9c2774a434ad6e8332794e1673e76055654e30ca8
SHA512 0bf59cb6172498c573dcc646826c9b714e301f3b35f6cc704e5b073f4b5b5c8171c18a962118e76b2fc8e51fc85e1a0502e72e46ce998b6faf2234d28d049e16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 40c7572dc5df2eb22bdfa55cc31f7d22
SHA1 b119d4eb7d213925fb01922a83f30de24c4f7256
SHA256 37fe3c4788d8391d77ecc2e5fe0d055eee3588a20e248135321b637383d45666
SHA512 f1fedd7b259fe4377c61f8f42ec463eb25262de26b0d7c43f97b93a2d6c20320e2d7280b0665f63e5ef1abc7bd988d9d67ac7b36aba6ec9382bd1817afd22831

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 4c0dcb77f8cd7e5750b4354f68669f75
SHA1 0731c5ecb2cb6b64d2eab5573ee6cf72435198d0
SHA256 af19e1738dc6f15814ba2603857cdd0c55baac2fddcac86ff819f09b020cb22a
SHA512 7bc34c67ff3046c41b27688a3c6a99852702bdc71565c06f1f8ef6fc04f358d8e711a31cc60cb2c18859885c462931fefec2507d41f1c6b3ed2a1584209d8dbf

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 0b3999b181954dc30ef04f4ccf266d80
SHA1 9a0fa60d68a83bb7555e5e9b9452e9be8cb9cebe
SHA256 0806950fa9a8cc028d63e065704704a36f5098cff2e73b24c4e5faff51bfe6d5
SHA512 f1ff3f2e03c13fa98d333071823893768309dc4189cf152dce9a4ef1ae2354a4925dfb773692e77ba43cee3335485930028f89f0857ea37db03d1ca51dffc137

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 3ccfcce6dd4778d0d4491c069d50bbab
SHA1 896ce8621eb93eddcac648acd544ba928fb10bb5
SHA256 20c8cd5ce49e85ff369e7da64eed9c1a167ddca5ed8bb4fa73a9e67321eaefe8
SHA512 f37d97068818183ff440a88f1ecd5d72f448502aab6b2db113165f6ec692c466be485096f8c78c26280c7f57f629db13f6ad436bc48156ffdc51e09d2e9c09cf

memory/2804-2842-0x000007FEF6110000-0x000007FEF614A000-memory.dmp

memory/2804-2851-0x000007FEF70E0000-0x000007FEF711A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SM7MXDYT.txt

MD5 e76a31a9c5dc794b491d7d8e7dd6aa69
SHA1 8d2a9dc0b995668ef02290a8b3fc84be2819ec4e
SHA256 4e1da3533a75822448d7235d686f6ecf42303605b23a789aa612e5175cdbdc35
SHA512 2605fc9b6da2ab6140b36f7947b6b389c42b519fe9d91e96e3f646b7b6b0e90775601368dd0f98095d92712785ac43ab4f37dd8de1870dadadda27abf2dc43b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\search[4].htm

MD5 a4d9ae83d488af6206c02058e591e1e9
SHA1 e92f3ca4db460708f1c6206d589dc0fc42ce5c1c
SHA256 385a004f309d9133f9822e32d86e2f19e164b7e55517e5b4f6080de4d689e733
SHA512 392edf77be9b500cf00c1d88efe907c15cc921897cbeabd933d2faac844f2b1e823f12bc802bffbc956b591ba6435f948308120a14d08300b6fdbe37f4adba6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdc241bc09721817bed628beb4932944
SHA1 8071778bf55d7a5f87fdaa8bcc4e84407015d589
SHA256 25c663fef7df25003b019f78d618a1bb3fad6a9404fa89623bd73dbf74a4d556
SHA512 e0814f3725c10b936a3fb13984b743e051bad79033257868e269a28b3275f88b2bfdb418dda8e19296167adba77c9b524e7d50843ee8d46e91e29b9f1189a3b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LQ1N25DY.txt

MD5 337817b28f1424ef994ef02ca43ca266
SHA1 29e700a6523bf21c07fb6ac475ee5437cb5f9c11
SHA256 efa982fbdcd729bcdf631f432c73efa91e6fdfed2832f0c9edf3cc575509edc0
SHA512 7659c849285eda366428f404cad6a16f633c562a4ee206ad25246214dfcb001978c62d88b6096bdabd99666287ae3b43bfb7b7c84a3c804ac0efd27e31475e30

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\search[5].htm

MD5 fa38658fc6a200e1ee8e0ded5f1835c5
SHA1 42a691ab8562a5e9874b7e53d9ed6b631117bc54
SHA256 76f40c0d562571e87a8210a9e222360a3a51f819399b7e383361cbd0bbb073c7
SHA512 a6e70160f4e26c667bd2903f56cb2ac76b05f7b3148c98307d1067d211bf9d2e542bdf88140a703ef6f975f020918df3b10e0f5654f0042e0a4e2d536e118da6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D8GFLM8G.txt

MD5 7349c81c24ad8bf75a590cb3442786b0
SHA1 ac620869e53294f855125fb290d219454e5e82ea
SHA256 7a126e98faf3fbb88f825f4faab11bad18e1cdfa681389ae93733ebd7dd53576
SHA512 2f25ce71f2a97474de93474a11797f056044dd5f5a720512ece0aff71e80fb40e0fe60381e3694a2d9d5986b74bcff360f48e95f78af85aab6e56f55dbd94caa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aacfb23b85460e5d866fb857d5c32e5c
SHA1 0e938d75e36d8ec9db84fd305f957bf7691bbf5e
SHA256 80b1c87e7c28368526782b1dc390c084d58c9443c695820d962e9fa3f8ee56b1
SHA512 71ae39c1ac896ffaf4a03445b3b48a0ec46115bd06c82732427b88f2dd3f55a63656c4cd316b9b4a7a0c84722c9d1c1b22c47ee5ff4b34c257b0f097524276dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\18KV47F9.txt

MD5 320ea7ea130f06048eab7e0554b89aea
SHA1 381e42e22bc7b4cb41fb9c0f707020bdd29ab118
SHA256 29a34273eb71e9c6bcc9a655fdbef815bcab83184033007f7c6fe3f9c640728c
SHA512 1a77525588bc30f3816e6b985d2fc3f439a8bb33e5d96694fb5f1334ea1a5d51fbe7056f5d5dbd65b980b46656fd024a5908572100e7e1918483899e1c0b09aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2PWG6CL7.txt

MD5 2d2a46b489c4084d941e0ff11dcac351
SHA1 b0ac88057043368734c5aee76ab4ac5420afcaf0
SHA256 6819b75dae4f55400bed43e9ae0096394837725a74f1ad063bbec17fb51c7b3b
SHA512 f07f6fe69deb7cd61886c77c8c1f24cfc560b494faa1e538dc0eb6abf2873f2aef4898eef492d09de0c465aa301f497d513c12b7ca224650662cd80f135f70fa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EP1NG3UB.txt

MD5 2f7f7100db8b6c2e7e48b3f8a9625652
SHA1 89c8cb3dce3bd855033498e86927605cd63ef228
SHA256 6ad489088afef2717eb4ead600aad59565c2fb566e00a6a0475b317d644ec259
SHA512 a233f32b110707c47a4eb1e3fe87d3c4a18911d6d89d2c7f19c37e8641204939ea40ef9cf179d3e89ff003250be3328c8d7af2d6387db8b11a175b3404bbd3d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\search[6].htm

MD5 6b99c7801185b84c7717d1e78ca9f565
SHA1 7c1528bdf8fee1cfb3936c3f23f5af907b84bf80
SHA256 ea2ed4a71053a91f380ca3eda57f5785db0b4649179b3006f5ee23d80ab41a57
SHA512 bb8735dee1e60753316048c96ec9cfdcc08dc653270cd30383d1e3159ab773e1547a9a401f75d8ac2c0c9768e4c5d69e4a23ed05d6ef35de4d1f4b4b3a3ead9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CHZNAVX5.txt

MD5 02f60752f875f3a1e92b5a7853ab9f6a
SHA1 f677814105d8b507a75fc7e6868d30e95e87f48a
SHA256 f7d7994845126f19117ba73bc51814e5dd64efdeb91b6714431ea0c9d93d062f
SHA512 97ef1befc2658cb2788846395f39d4cfde1ee4802bd84f3c7da70627fd67d757ded4fc95bce434439bbea1af19bfc759c9a287e4a6410304f90bb25b26fb2e19

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3JK00ZJ\search[3].htm

MD5 0c256d0ec24d4a11a1c98da7ccaf352d
SHA1 c146d9d17f33acce5f682a16bd99e0ee6ab34089
SHA256 03b2090f235fd2d3bac76d648ab5d6bb16c4c3b8b1e3006787e15332bb2e2c6f
SHA512 917c88b2d715dbba72c7a3506e8e5a34856626b51ff3a22459b86a50d6bc0b8f549fd8020e066296835c524aecce86be068c4068a4373c9f90dfd977ef012380

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HTPYBD9W.txt

MD5 75c1c03e114b0ca5d66a95fc73aa24fd
SHA1 870326034597daa735a43e5fb676e50c7047fc14
SHA256 d49833b3550a8dc3988c3a32ec357ff44a8566a9a4e6ac0e5776510500953c0f
SHA512 d816248bf6eefb88fd4bb5a984365b51c5d0968d00705698a8ecc9f2e88cf189288fff6e8e9838ddd23798503de44a847eef0fa88b752264a159a10662134b19

memory/2804-2940-0x000007FEF6110000-0x000007FEF614A000-memory.dmp

memory/3924-2941-0x000007FEF70E0000-0x000007FEF711A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\search[4].htm

MD5 db1135c5220b7713371099aa41910389
SHA1 ef458ad828ec5435a7f940280a8a2ca5b86c4463
SHA256 c0355cefb0a3e3f661c1253570e12e64860d03a301ea1558927efa98b1689b66
SHA512 eefccc732158b42e0bf848aeb980edf4ea243c374c6decedfa7080793feb18a21b10e363cb422d26c7f2b56f1c60c2720d3e05be425e6cb6f3c03c89057983c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\16RLYSOR.txt

MD5 4ad21ca0c29204394a6dc51e2412d7ff
SHA1 2785ed4c33ea3681f01b083f4e1e6dc6d1d95fd8
SHA256 aca2bda7082180b4830f397da03e4e934e520ec5ee53d260229460663f2195fe
SHA512 1d7cf8b45df21f3ad9655a7ef93ba0855669ad0d5e77d2864df63fc0c2ae335f977d1b38f24d0992f515a3de9f27920b2d5d40c8833f72f3a6fc33a503ae4688

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\search[2].htm

MD5 11869d04ef6d032a1bb0fe26fa126c0a
SHA1 20a6bf8cc97fff31c956e2b76f1949796abda69b
SHA256 eff0370edb1f31271171c97dbaf7ef0d14a07d4d613d39d18e438d1655911c2b
SHA512 9d7c5f479dbe8f8609fab5a71b762d8cbc9a6b6fed48ae4492871186955dee80036516f27562a90551c66b6ee9c74b453ec8cafdaaa200c1edd626cc2df20269

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V3UK14XM.txt

MD5 5130360aa40e9d0fc0e5c18aaf7f90b7
SHA1 c5521601ccd306be0f7f5204920f8d7a0845c453
SHA256 8b1d196001c238d50f027411595d4cbd82f84bf2947fc3870766449b8b04fd14
SHA512 ebaf889d58e3347122a11d51dd4d358db14eb470674d2b621b7da2ff32b3f164863ac6297a658f3a34c97c8c3c6024d389f1286699b7b1bddf84d003b86608ee

memory/5068-2994-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 4ad1b4621b0cb69ae560d052848d623f
SHA1 8e1eeb1e3e23c145bb6ba8d4aa92bf555e689a50
SHA256 2b618c71c1eec99e34c09f43c2ca43ac36871f57ff3db73cebcca41b1c39d11a
SHA512 24d5be56b29c960002d111ffbcee3bdcefba82d0eb3b40f1e27e1e35423422c1c5ef1c8fa59d91e0b4f0239366222105a5e7b30c25287a709221c4c92fa199b9

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 7e583732e93384c975f8bfa11c31ee8e
SHA1 89e5e3765ca111b606f0b3eabe45ee6e136e9807
SHA256 90d9ed5b563dc3e5bca03720d9b636bcde7cf9cdbab50c104af706b32148b74c
SHA512 ad84d419f73bbcc06f7d959e9d50e9fa124cda4ca0bd8bfcf87cb859ae8e4277f369a1b180deb92ce9df3eb7b1d867998cce2f88a0a4edd30065a1ef3f763e2e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\735B5LKS\www.youtube[1].xml

MD5 83364086df5f33382cdf67d28adf6bbd
SHA1 3842031a5174531bfe8ebf5e38ca747ac4f6cd51
SHA256 33dd81130987544d5efac5a9f6a88dd7cf61bebdf85bafc0bceeb855a54b3fa3
SHA512 6ddcc9275ce5f0bdae50546dfb09f476ac340267e7cbb90d144e4e76aff5b679c20922de476fa59ed7ed9db0393d0aa4e591554a72628fd9a4b22af4c8a50a97

memory/3924-3285-0x000007FEF2C30000-0x000007FEF2C6A000-memory.dmp

memory/2804-3284-0x000007FEF7E50000-0x000007FEF7E8A000-memory.dmp

memory/4496-3286-0x000007FEF7E50000-0x000007FEF7E8A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 06:46

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

574s

Max time network

574s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{ACAA3862-B7BE-4E60-B1B8-40BEA9F5BA7E} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\SysWOW64\calc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\SysWOW64\calc.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1004 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
PID 1140 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 1140 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 1140 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 1140 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
PID 1140 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
PID 1140 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
PID 1812 wrote to memory of 2408 N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\splwow64.exe
PID 1812 wrote to memory of 2408 N/A C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\splwow64.exe
PID 1140 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\regedit.exe
PID 1140 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\regedit.exe
PID 1140 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\regedit.exe
PID 1140 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\calc.exe
PID 1140 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\calc.exe
PID 1140 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\calc.exe
PID 1140 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 1140 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 1140 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 1140 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1140 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4892,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4856,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5236,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5364,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5356,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6020,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6252,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5196,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5832,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x498 0x494

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5240,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6724,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6260,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6856,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6676,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6968,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5368,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe

"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+download+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6972,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=6760,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=6448,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=6984,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=6392,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6768,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=5728,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=7100,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=6556,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=6460,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:1

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=6920,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=5500,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=7188,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=6056,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=7252,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:1

C:\Windows\SysWOW64\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=6960,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=6452,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --field-trial-handle=7240,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=7432,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=7400,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=7660,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=4720,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=7740,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=7544,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=6600,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=8080,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=7856,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=8276,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=montage+parody+making+program+2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=8400,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --field-trial-handle=7964,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=6896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --field-trial-handle=8584,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --field-trial-handle=8272,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=montage+parody+making+program+2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --field-trial-handle=8664,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --field-trial-handle=8684,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8436 /prefetch:1

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe

"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --field-trial-handle=8560,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --field-trial-handle=8452,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --field-trial-handle=8480,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --field-trial-handle=8948,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8476 /prefetch:1

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe

"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --field-trial-handle=8352,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --field-trial-handle=9100,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=8824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --field-trial-handle=8384,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=9260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --field-trial-handle=9232,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=9024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --field-trial-handle=8964,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=9104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --field-trial-handle=9600,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=9628 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 13.107.6.158:443 business.bing.com tcp
GB 142.250.187.228:443 google.co.ck tcp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 228.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 216.58.213.3:443 www.google.co.ck tcp
SE 184.31.15.35:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 104.90.25.175:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 216.58.213.3:443 www.google.co.ck udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 175.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com udp
GB 216.58.213.3:443 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:443 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
NL 23.62.61.194:443 www.bing.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 consent.google.co.ck udp
US 8.8.8.8:53 consent.google.co.ck udp
GB 216.58.201.110:443 consent.google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
BE 104.90.25.175:443 www.microsoft.com tcp
GB 216.58.201.110:443 consent.google.co.ck udp
GB 142.250.187.228:443 google.co.ck udp
NL 23.62.61.194:443 www.bing.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 aefd.nelreports.net udp
US 8.8.8.8:53 aefd.nelreports.net udp
US 2.17.251.10:443 aefd.nelreports.net tcp
US 2.17.251.10:443 aefd.nelreports.net udp
US 8.8.8.8:53 10.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.200.54:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 54.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.178.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 www.google.co.uk udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.200.3:443 www.google.co.uk udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 216.58.201.106:443 jnn-pa.googleapis.com tcp
GB 216.58.213.6:443 static.doubleclick.net tcp
GB 216.58.201.106:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 6.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com tcp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
GB 142.250.200.54:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 lh6.googleusercontent.com udp
US 8.8.8.8:53 lh6.googleusercontent.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 172.217.16.225:443 lh6.googleusercontent.com tcp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
GB 172.217.16.225:443 lh6.googleusercontent.com udp
US 8.8.8.8:53 rr3---sn-aigl6n6s.googlevideo.com udp
US 8.8.8.8:53 rr3---sn-aigl6n6s.googlevideo.com udp
GB 173.194.3.72:443 rr3---sn-aigl6n6s.googlevideo.com udp
US 8.8.8.8:53 72.3.194.173.in-addr.arpa udp
US 8.8.8.8:53 rr1---sn-aigl6nzs.googlevideo.com udp
US 8.8.8.8:53 rr1---sn-aigl6nzs.googlevideo.com udp
GB 74.125.175.70:443 rr1---sn-aigl6nzs.googlevideo.com udp
US 8.8.8.8:53 70.175.125.74.in-addr.arpa udp
GB 142.250.180.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 rr2---sn-aigl6nzl.googlevideo.com udp
US 8.8.8.8:53 rr2---sn-aigl6nzl.googlevideo.com udp
GB 74.125.168.167:443 rr2---sn-aigl6nzl.googlevideo.com udp
US 8.8.8.8:53 167.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 rr1---sn-aigl6n6s.googlevideo.com udp
US 8.8.8.8:53 rr1---sn-aigl6n6s.googlevideo.com udp
GB 173.194.3.70:443 rr1---sn-aigl6n6s.googlevideo.com udp
US 8.8.8.8:53 70.3.194.173.in-addr.arpa udp
GB 142.250.178.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 216.58.213.3:443 www.google.co.ck udp
GB 142.250.187.228:443 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
NL 23.62.61.97:443 www.bing.com udp
US 8.8.8.8:53 google.co.ck udp
GB 216.58.213.3:443 www.google.co.ck udp
GB 142.250.187.228:443 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 telem-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 2.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
GB 142.250.178.2:443 googleads.g.doubleclick.net udp
GB 142.250.187.228:443 google.co.ck udp
NL 23.62.61.97:443 www.bing.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www-minehacks-net.webpkgcache.com udp
US 8.8.8.8:53 www-minehacks-net.webpkgcache.com udp
GB 216.58.212.225:443 www-minehacks-net.webpkgcache.com tcp
GB 216.58.212.225:443 www-minehacks-net.webpkgcache.com udp
US 8.8.8.8:53 www-minehacks-net.webpkgcache.com udp
US 8.8.8.8:53 www-minehacks-net.webpkgcache.com udp
GB 216.58.212.225:443 www-minehacks-net.webpkgcache.com tcp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
US 8.8.8.8:53 225.212.58.216.in-addr.arpa udp
GB 216.58.212.225:443 www-minehacks-net.webpkgcache.com udp
GB 142.250.180.14:443 encrypted-vtbn0.gstatic.com tcp
GB 142.250.180.14:443 encrypted-vtbn0.gstatic.com tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.co.ck udp
GB 142.250.180.14:443 encrypted-vtbn0.gstatic.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
NL 23.62.61.97:443 www.bing.com udp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:443 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp

Files

C:\note.txt

MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf