Malware Analysis Report

2024-10-19 10:24

Sample ID 240926-3zsgdavckl
Target 701bd4943357734318ee825bf2c0bec0N
SHA256 719fe9d0e6787ec225258d6ad79654cc90fd923f0f402965640efd7c132f3f72
Tags
rat netwire warzonerat botnet defense_evasion discovery infostealer persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

719fe9d0e6787ec225258d6ad79654cc90fd923f0f402965640efd7c132f3f72

Threat Level: Known bad

The file 701bd4943357734318ee825bf2c0bec0N was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet defense_evasion discovery infostealer persistence privilege_escalation spyware stealer

Netwire

NetWire RAT payload

Netwire family

WarzoneRat, AveMaria

Warzone RAT payload

Drops file in Drivers directory

Downloads MZ/PE file

Unexpected DNS network traffic destination

Checks computer location settings

Impair Defenses: Safe Mode Boot

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

AutoIT Executable

Suspicious use of SetThreadContext

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

NTFS ADS

Suspicious behavior: LoadsDriver

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-26 23:57

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Netwire family

netwire

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-26 23:57

Reported

2024-09-27 00:00

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe"

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (18 identical rows)

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical rows)

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A
File opened for modification | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 185.228.168.9 | N/A | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 identical rows)

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{18BD9A6E-DA3F-45E2-805F-11EF6B906D07} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 996975.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (4 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (4 identical rows)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A (2 identical rows)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (4 identical rows)
N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A (16 identical rows)

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 identical rows)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (37 identical rows)
N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A (3 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (24 identical rows)
N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4344 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe (3 identical rows)
PID 1708 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (3 identical rows)
PID 4344 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe (5 identical rows)
PID 2824 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4344 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 2824 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | C:\Windows\SysWOW64\cmd.exe (2 identical rows)
PID 1680 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe (3 identical rows)
PID 1680 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (5 identical rows)
PID 4460 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 1680 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 4460 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe (2 identical rows)
PID 2528 wrote to memory of 4900 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 2528 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (27 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe

"C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe

"C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd762546f8,0x7ffd76254708,0x7ffd76254718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8

C:\Users\Admin\Downloads\HitmanPro_x64.exe

"C:\Users\Admin\Downloads\HitmanPro_x64.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe

"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe" /update:"C:\Users\Admin\Downloads\HitmanPro_x64.exe"

C:\Users\Admin\Downloads\HitmanPro_x64.exe

"C:\Users\Admin\Downloads\HitmanPro_x64.exe" /updated:"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.146:443 th.bing.com tcp
GB 92.123.128.169:443 th.bing.com tcp
GB 92.123.128.169:443 th.bing.com tcp
GB 92.123.128.146:443 th.bing.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 bing.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 146.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 169.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.133:443 login.microsoftonline.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 www.hitmanpro.com udp
GB 2.18.63.58:443 www.hitmanpro.com tcp
GB 2.18.63.58:443 www.hitmanpro.com tcp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 pricingapi.cleverbridge.com udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 104.16.243.229:443 pricingapi.cleverbridge.com tcp
GB 2.18.63.58:443 www.hitmanpro.com tcp
US 8.8.8.8:53 58.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 42.87.18.104.in-addr.arpa udp
US 8.8.8.8:53 119.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 229.243.16.104.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 sophos-privacy.my.onetrust.com udp
US 172.64.155.119:443 sophos-privacy.my.onetrust.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 download.sophos.com udp
GB 2.23.221.234:443 download.sophos.com tcp
GB 2.23.221.234:443 download.sophos.com tcp
US 8.8.8.8:53 234.221.23.2.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 files.surfright.nl udp
US 8.8.8.8:53 scan.hitmanpro.com udp
NL 52.174.35.5:80 scan.hitmanpro.com tcp
NL 185.105.204.28:80 files.surfright.nl tcp
US 8.8.8.8:53 5.35.174.52.in-addr.arpa udp
US 8.8.8.8:53 28.204.105.185.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
NL 52.174.35.5:80 scan.hitmanpro.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 remnants.hitmanpro.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.97.160.56:443 remnants.hitmanpro.com tcp
US 185.228.168.9:53 8.8.8.8.zen.spamhaus.org udp
US 8.8.8.8:53 56.160.97.23.in-addr.arpa udp
US 8.8.8.8:53 9.168.228.185.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 hash.hitmanpro.com udp
NL 23.97.160.56:443 hash.hitmanpro.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 scan.hitmanpro.com udp
NL 52.174.35.5:443 scan.hitmanpro.com tcp
US 8.8.8.8:53 wealthyme.ddns.net udp
NL 52.174.35.5:443 scan.hitmanpro.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp

Files

memory/4344-0-0x0000000000A80000-0x0000000000BEB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/1708-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4344-14-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2824-15-0x0000000000BF0000-0x0000000000C0D000-memory.dmp

memory/2824-23-0x0000000000BF0000-0x0000000000C0D000-memory.dmp

memory/4344-25-0x0000000000A80000-0x0000000000BEB000-memory.dmp

memory/1068-26-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/2524-28-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 9bf6045169b192244cfeb2b320b8a468
SHA1 b94874bf2c49fa87a7cb97a08f82b40d7001f8e5
SHA256 7a96508f95b934d8aebacdb9ee6a77331396d70740ef01f929eb71dcd8683575
SHA512 02897d51ec2457b1c3d380568be06a5f28460ae0cbabd5a8c2eaa957f3824eff8e4dc602ac11a2d3c95ce8d19afba883af17a9aecef045407ce58c6a3a430258

memory/1680-30-0x0000000000BB0000-0x0000000000D1B000-memory.dmp

memory/4460-39-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4460-47-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1680-48-0x0000000000BB0000-0x0000000000D1B000-memory.dmp

memory/1948-49-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/3204-53-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\Desktop\BlockClose.vstm

MD5 3406c7cebc35f54f82f43333de6c13ef
SHA1 3089ceeb736bdec890fadb395e9e38c59b214c24
SHA256 0ff1144aa931e1a2b35b602f14836eee6c696ab16579d6dba63ff88ebad00800
SHA512 708be022c19f89276d82ad170dc540e0ddd2d4b56eff8dc750c4226517ea0e3dd7c7ff1570221b98a7cc87e10efcc1b359a241760af0114b02c8267cc7c7761d

C:\Users\Admin\Desktop\ConnectExit.csv

MD5 ec45b8b4d2b2f340281a09513945433e
SHA1 c91b0a7a1a881a2ac6b6f7bfa6158b36b166ff88
SHA256 19d060a7b68c5d7e751bc555d11bc198d9199dea6b0f1793fd989f1bbf67e4cb
SHA512 cab4f7d5b09ea8cbb67b3ded1a98cfa340c0ee479c2210b433b941aa137f391dd91c8ee710b438bf7c86fa4bf3324b6fdb270e3073b75c6c94a22651432becab

C:\Users\Admin\Desktop\CloseMerge.vb

MD5 7f5b1fe4684ec687fd5d69981b2f482b
SHA1 f2d6db70108893f03b4a6232bdd079b303c2fc3e
SHA256 b92faeef9750705b29b6f4bd2f77d38fe787a9a8c557f05ffe368a307f90911b
SHA512 af10acad281f99a1efefba3c3ea2504f4fa44812eb0cb854204cbd266ca24e60c940c36367e9351f0e32ea33cd0648a3441f49782a60d1beea571dc2c3131429

C:\Users\Admin\Desktop\CheckpointEnter.rtf

MD5 ad0a983f6478af5396fcbe0a98039ffa
SHA1 1296a5d84d835dbbf3dbe2be02b77305b01b2f5f
SHA256 3928de7e8a41a69509c03702bc9737d93c9f23694cc7880518ccdfed3d814820
SHA512 e6d5c89527f14ed40b73c3a2d7229c7f61fb7fdf8e7187cc9eb8dd8cf29cb3e566ccb591837fc81ea59b0011b636e6ec9b9f2a3c3a4ee57491bf94d4f9c3f837

C:\Users\Admin\Desktop\FormatRestore.css

MD5 86b57ec464c2c20a202a1f3872b098c5
SHA1 8b1a0330c0f6fc5c00d4886b0a3a880feeb92eb6
SHA256 56720e9beac72c6d33efe0e1841b346fb7f8c05bb0dbcca298cecfa605f8c736
SHA512 1937f9163f9212b55c3ad24678bfcf6cd7a95e27ae408ea5499b2b871359d739bc1ec731f9b310f75a4d2af2b649b61cb5b46433454f29bd21aad9f4955d2080

C:\Users\Admin\Desktop\MountWrite.xml

MD5 159f9418bf39f66d13481c80ab70a173
SHA1 3fb48295657e0b918291b044ef0701ecba302f21
SHA256 6b77f7245f878a72fde93b72501a9e2e7200d5b0bfa0f6f5564946d937d48494
SHA512 9908d3bc97a89952bb308cb6a6651038cb3c3941017fd69bdbd1be747339963ce900b2b9e1fe7e1f920c094f54756dd7efcc4afb9feacb15f564cba010de6e57

C:\Users\Admin\Desktop\MoveInstall.lock

MD5 115587c87a12e6798ba15427cb072a46
SHA1 bc0de5a9301fab7d1ded26517119b1642a46bfd1
SHA256 d770fd84671946b383d84b39859303128ef1a8dfae3399924164e6ff1d438343
SHA512 c4a7e4c7f6ef2a00929b56d71a95941e9f97ebd5342e4c068f88b62b6f70fbafafb2fb15db04edf7741dae83bb3aa6d062ea14b96428ee65f68e5f2c065118e1

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 862c7426195575dcfbff667b86dbcaee
SHA1 a8886cd4da791f2bd92784a0233e1ae5977e8986
SHA256 ee99a6882046192fe8d7f9921690c9a776fbd2391b25506a12c6e3f7e1515b79
SHA512 04cf882bb9eb212e3ff2960857b6914b6ea97ed97700c1617f95235ba293d802d71220b9a873aa274acc6cec038abe4f630293260b896027d888f96d23acaf3d

C:\Users\Admin\Desktop\LimitApprove.xlsx

MD5 a0e73abe6a2b7418ae5d2df82b0cf60f
SHA1 50362d542b057a8c60132e06ea5eb83f827d3397
SHA256 24bf6a4f40b1399676ffaff2c57390810a56c7f2f1c160fbe5fce0e0d6873664
SHA512 8a7fdafeade7144503a4e40ffd2de130f0242c3cc0b56cb19d02f4f6a1462cdc1d5ed3bacbc09ea651ae39696f9266a4444ba060e262caf4cfe5ad420940a425

C:\Users\Admin\Desktop\FindStop.ram

MD5 25242825ae96de46045ef8991d124206
SHA1 bd774d6b28a544fd81ff816f816ca89196118c9b
SHA256 112fb2ac947640ab56fbb7f65ab0649001d5b07f8e990a346c01628fd9f043c9
SHA512 a4040e0edf635501742da7d083c5cf8c5ac9cade690629a6f2461e452cab2037c8fe83d9fe877aba46a0c6fc58f843911d8ac4845806c6dbdfca07c6c7c4229a

C:\Users\Admin\Desktop\EnterTest.crw

MD5 73721781a4e0230db424100fc455fb7d
SHA1 ff6ae2d42759442a5fceded2acd3f9c6c8ac3aa5
SHA256 dad10b0de687177cefb30ba556ec276be0d0a3c0547a551164819761c4afb87f
SHA512 850a118b138cf342c919ec86f7b3e9f403b37c2006a22150f4351a90cc3a8d21ba8b61defb9b050a7c2d9c207d5949c24861178323f8ec1ede68f3eaa627deec

C:\Users\Admin\Desktop\CopyStep.wdp

MD5 34e2736badde18eeb9f894636d5ea88c
SHA1 c94126644e187dc15a7c7aa23c568bcfe8f30bf1
SHA256 48dae745dcfc10c7e90b0b8c5a25b0802fa7d29a91617a01adadb6a7348394c4
SHA512 904d57d36f81aaa3d2b7b665ad58eead1bae62c46b92b2d70b3836ba8d5e7c8e02fdd4b4da00642f449629f16949cc6407a23f390287aed665c0510ea9a155b7

C:\Users\Admin\Desktop\ConvertFromInitialize.mpp

MD5 ccf1d102a79fbd794321a8a72b918750
SHA1 f714225a35d120fb01f1bbd734ad4902c0334bba
SHA256 73d02b77d6ed7af54749eb0cc782406c4727f251baf3132b9452a9437af6c73b
SHA512 093a6cd73be38697e402e0bcc341489e146e78b637cf9aa2630d7d272d2de753841417050dfe29315498b063e2b077adee348a75a8d2329c735a1003da16a012

C:\Users\Admin\Desktop\NewPing.xlsx

MD5 e037dd87bec8a0fdf3636b3e4fb72c40
SHA1 72019ee9c2ebaf0f7a7688782f6a2b3b7b915690
SHA256 a5dc12d32df8ce4e06832ab570d741120b8e73276456755c853c5a720a226d82
SHA512 5da877836dc2cc06088d1d9bc5361288a204b516ffa4c9016c5ca37feb7383c1d35dfba2946ef63c77f9fe72f647090a0ecd9d085efb8280f3defd081038cda0

C:\Users\Admin\Desktop\PublishImport.gif

MD5 99a315ff18f82cb2da291828b804eb31
SHA1 a99a5a7a3c6370e6906261442871ca101c5cae01
SHA256 abe3fde16758aaefe0775f04fc0373ac1f88b26a4d792f263fc2c9a07d39e879
SHA512 90f1ee40e94a82f0fc8137e4e65efafb89b4c2b5117d4ef45b163e213a4ee7736ab087db38e7564d58d883ee3e773fa1f3bbdd5213b5dd598a5c6d7dd76f3b34

C:\Users\Admin\Desktop\OpenUninstall.zip

MD5 961b5fbf6e3769554697089fa17d9fd0
SHA1 b661a5b71024c5ad1f686bade903d106f64f7095
SHA256 ae6fc9ba508dba59506048d36a3b69975cd96c26867c072a0ed257884eb6b983
SHA512 3a7f865a0839fd71305ecf8e3fb8ffdd1db0c5aa69e0fa832eb2223cef2a1fa2cf213a4e22e71bf4d021933b5b6de358675994a4671add44ac63dcd89bf962a1

C:\Users\Admin\Desktop\RemoveNew.docx

MD5 fed4c26259a893764af311fd8b175d59
SHA1 a4b315e1207c3cbc967e661cc92c50592c2c3243
SHA256 5384f56a6ffa9d3ccbb4bef93a90d9d88753cda08348a3cf2125f6cb4de7b028
SHA512 cfdb3d2bd923555c0b436a8759b2ca0507365402ab63f82e05c6e7e66201a8cc79095eca93b65b0e6f0d978d181e4a51baa2ea26777ffa44a23e1718956c81d5

C:\Users\Admin\Desktop\RemoveOpen.docx

MD5 e1109a46dd58685a9eb905806c617926
SHA1 5ff1fe5382974997ea72c8bfb1f5f20b21962ade
SHA256 6289568fe75b551141a9041039fa1848876df142434b15a961407e9a91ff6e77
SHA512 473136abe10abb9f2df54c1e336d98608a39eaac3b28d8bd1dc8789417eb9745952f76216456d2fcad4521bf370d85b8c08f82dd263c20101028e68bfaa57a4c

C:\Users\Admin\Desktop\SearchDismount.M2V

MD5 db2ff7f90c5f0fc4ebed237099e9884f
SHA1 a53f370519b401b0a0408ebee2bbbb2441716222
SHA256 e7154a19b4ae09f87b256f1fd48197bd2c45e891ac6154b9a0b26e5c0adfedd8
SHA512 0231844d5203e0e2582e2692f1d386a665e9d05496e768bc5baa68f436bc2328f7c175d94e091c0edf2ee6e24c6ca4cb0c6f81cac1454049c29d360a3ca7ebdc

C:\Users\Admin\Desktop\RequestRead.dib

MD5 63daf045d10ca8be4ddbd049dce4144a
SHA1 5ed28490c3e0c3657ee0e5cf96cb481435d9f8d1
SHA256 eb2c73b68740d68a682e3818f6d633b7dc0344b77163b6f89f494a9061824380
SHA512 f1f0f9ccf3faa632517c123780acafce5e1f98eed83cb42b10ff438d66f44fd42219c1d718b93c185f4c93ba3a2d89f124610fa595fdc9acef50d9bb37cef4ee

C:\Users\Admin\Desktop\TraceConvertFrom.mid

MD5 2d1cc53a8179b93288e56efceb95a10c
SHA1 95ff23c3d0a36185317a675b1aee0a624bc17ae6
SHA256 1b3ee306adc01cbf1fd2f0587d7090c31962854d0387ff015e16ada5a2562bca
SHA512 432a1f24d46772eb54c92b3288b2f0161e67080238e29d7d52633e011bda1824cac5ce9ea849352f15f16456f87c33e2737e0ea33a3a0a3b383c7b91be43135c

C:\Users\Admin\Desktop\SkipShow.mpeg

MD5 b8b8d8d67fe7e7ac243aec27239e51ca
SHA1 f5bcd5b56063a2bb44a32fab1b54b52f773eb2d9
SHA256 86be6866568779bb96e091999172ee6b842e301d60db45ccc79379a523692af3
SHA512 5cd04e2cd3ecd097fe4383de610c50a739dafb6dbe75eaf8bf04efd374b455a51676a7de7f4d5b9751a5efab9fe67afe913819c66c71b34a3197d192f2cd82d5

C:\Users\Admin\Desktop\ShowConnect.3gp

MD5 3ac91d9bbf47f4189305045a9d00a054
SHA1 3c9beca4ad3027ca3d6128d8e11551a9b3192b79
SHA256 0ff9659d69df16308c46e536bb3da89e05a97b937cb06fa9e7d7f56becac41dc
SHA512 3f257cc4a9e3e7d0c9142212064b79acec2e07f333cc84cd2f09c300634317d4f21d1795ead7751e6347d69937aff844026c0d39f2af79b61abc4652d9df0b68

C:\Users\Admin\Desktop\UninstallClose.vsdm

MD5 5b811122432495dc85997a59a7e92ef8
SHA1 91552d2014c7d2fb9735493769d6e3d26f562ad3
SHA256 a8d3ee7f005b048a6bd9f7e4389919dcaabd2ca1295f289561c15f2a5677be33
SHA512 2bcf87fa4134db71fb8fa3f5b6a448b524f76a66bf9dd580761f09681169742c57502906b0714df8024a083917882a3ad877266b28b84d9218141258a5fa5a8c

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 fd3bd2500165d2f2db06370b88a453e5
SHA1 d82940e0b9f1a78be043ec441e5caf9c12a8340d
SHA256 6a3438794bf73866af5a6b0cef0e8c7b84e6785098a259509b57a77a11924c0a
SHA512 da7080f10468d951ec2f9257557c3cb229f23824402266a376b23b3bfce77209e75ef5aeadbd35e026fe458a27cbe64c0f3037a0a05d1fef9b8f8e06229c6150

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 976de81f2f2f14c82d8a9c5ab655a645
SHA1 5237deacda986d2a055573b1bab441914048cfd9
SHA256 491813b4059ea0cdec176a67e95f91b3aced2065385be58ddfc85a402283d7b6
SHA512 98422ce189b874cfe646428f2695cd403f97b789f8b90e6ea86f8e4ae28be46d419be9b81e1d72e2ef20d9e7f624afd73bba70b96db19da8795a3d3418d56d11

C:\Users\Admin\Desktop\AddOptimize.mhtml

MD5 85764d07c788d853680d854019f7a310
SHA1 d0413e9c874b57e168c227df1ff02d1762904c8e
SHA256 a13602d12f3c36eea583d7e94deca9234b3c70293811c3c2592127eb809be3d0
SHA512 a5e41148a2bd51773e1e07be5b6c1be581139a8f07fb2a4ec6a9cad3ee8a8a33eb458a43a16633d163fd2c2c24a08a69be0e62502764c2caf18e232d361fbbf0

C:\Users\Public\Desktop\Firefox.lnk

MD5 5117bb8a1d3215b6284bff00feb2fecb
SHA1 70228bccaf8f55a30cbd8e42ae9beee4e50ba8b4
SHA256 bb770b1670ad29abc714bc57abb4cf67591a1d4960a874627fbb536fc36e8581
SHA512 4e86d019431bbb1976a233d1632febd812f06c25a11552fede0a194fb1ac8c7d98dab60fa5f524d9aa20b4dd2f2bd4a277cd537b82202991bd8ba35f4743ed2f

C:\Users\Public\Desktop\VLC media player.lnk

MD5 ac04d7ed49ce7f6eef13946688933598
SHA1 10f6326694b3ee0b9af7f289b22ccc09ef565bfd
SHA256 df36313782e7a80f740655864721e9b2a1d4dfc1118e4b8e7a9c3c084f7456b5
SHA512 ea7d77d7d479a2319fca1ccb31aac305776144cf464bdb81c098f2ee6bba20e97d8ce833213e5f3977c20be5a8c925f2d072993dca44fedb4e4dca696f11cb8e

C:\Users\Admin\Desktop\SendSync.pptx

MD5 c68cd01ed3f0899ab903d147f49e62ac
SHA1 6e0a72ab95a8c7ab76b59c003ee0d41b63d849f4
SHA256 a4b335cd48f864e189d51b083164a55bc779f44fad43971e1d471921b4d37178
SHA512 54ba9b7a62841cb5fb7468cab18175412b7dd2b3a8855a98ac8c524d32841452be3e8c2b91734b9dc12444c55cfe896914cecbc8e05b9ab60786988b4a112664

C:\Users\Admin\Desktop\SearchExit.xhtml

MD5 c89b94a4534e311d48c1a5292fb5e9de
SHA1 00dc4f499c9d1dbf85a221859d92d41c1bcaf018
SHA256 e139b92e65bdefe53296442b08420208037b42770dee67612e38d07a203efc07
SHA512 8b1157a80686f08877225aeff6b776d1872fddea422eca02917a2ad9fc20968010a786f007aa5c2fa33274ea5850dc81995bd430c1fc3997f41cf9a66e27ed31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 27304926d60324abe74d7a4b571c35ea
SHA1 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512 f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

\??\pipe\LOCAL\crashpad_2528_ETLHWLBTXDBZXWFF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1f7131824a46e1b9e9957be09d80fdea
SHA1 15349d9c55bbf168c05c17372c88cf4a13df8c2f
SHA256 87e33359fff43bb770190e32bb6069f6e9f01bcc0a72f819416e28a7f6bce677
SHA512 4e35ba65099b82c23adb25e05a99ea74c0a54963347e953e8f8a6b5e995b56b88c4eefccfef42eb35029d039b8a5a29a7412c663f1eb1a3054f8500e3f52098b

memory/3204-111-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2524-117-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c0ce97f05f285e97eb2fad3d2bbda86b
SHA1 970d483eb7732b10f420c0e210463fb5efe307a6
SHA256 f148af03a8da5fb022167bed3b7b362bada90045353ca73e7342bef0207d3f64
SHA512 b9636f1bb27413b6d1dfbf88b341b7b63452b5aa63e5c7613826b86bce1d778ae600868bedced7218993d5f229fcc282ecc2b217779afca01909bb199202dbaa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29ba4d407d128b5fa19029e044ab12ca
SHA1 6676c2ed5f76223c4719311932b67e16b60e9f83
SHA256 02559044cc29177340a4ec1eba6d9e96ab150925ef31ed415011a09349bd308a
SHA512 28711accaf3e7f2a505021a15bc6f791a5ec98f0d8eb5ebc86fae1f3b2daee22125f91a6c574a59751a7359a2879bbe992ba9785021b8450a3a5b714e9381f80

memory/3204-262-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2524-288-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9c3026e7be6ec093a48b66bb31565a45
SHA1 7cfa8f64cca20e6d9572e516fabe3491726e6c4b
SHA256 ce0835db7ebe17aa2663c7e0c82b2c80ad8db12a52004f9db2ebdff943dfcb95
SHA512 141e195dfa0a503bd360ed1e6abe600e38d085b5cae295122243567b8fbc3d838f7279372e2a6e43a427d99b1895e5ab277b60e325765108fa3e2ae04c9d3be1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a9370d99c45bdab86ef98f564b561b26
SHA1 ede5e5e6fa67d1ed98b6457e5787c12cd1ce8b5c
SHA256 5ccae665187415ba69deae38a12e07b804018382e1814f6e58d4bf43d3e17a62
SHA512 37aa45620c2a59cbdbdfe1d1480e196d981340681e9f6811018f3dac151f2b9bdfc328b625a21a37c49ebac1fb11c96abd56d5662d2fa1412c18d7b52e776f47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589b41.TMP

MD5 bef098829e8f487ea1c92fd113824fae
SHA1 df4050bdd572d50ddc007e08c1f1242161004f92
SHA256 5dee0aed1987e6dbe1ef42d2601399c6fd58b86cdbe7525ebcea211f691ef33f
SHA512 c0ad7ef01cc9ad19f9336ee0b63d0d1050aa3dba2889be6bc97918535bdc32ed12cb748c3c9fc451fdfa8f9ed73f5b6cb2fd93bd4be1123751e9e805270c9e08

C:\Users\Admin\Downloads\Unconfirmed 996975.crdownload

MD5 57ae72bca137c9ec15470087d2a4c378
SHA1 e4dd10c770a7ec7993ed47a37d1f7182e907e3ed
SHA256 cfeea4ea5121d1e6b1edbd5ca6e575830a0a4cbaf63120bc36639c44e1b89781
SHA512 f80d6732e86a8d38db1ff43c0c5058013bd456c4b86b87018166ca073bc84fb8e7676b55371ae9cec668a77d198e1e7f6854a9a93581ed21a32167e3b9533f6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 accc3cf2286657e5e89ee0d2e79035c0
SHA1 2ffc0d1b23f087f279a58f85b9295c6a0030398c
SHA256 08e3eff1ec1211c0cb7da089d9d5eebbc0799ad122cc401dc303d71f40981ea8
SHA512 ea83d115278c8d32c299652f40a700734320477737b059f516534f285db94f6f9084cb164254ab301f6cbbc0b8e0a82c64d55296df803a0e472a7edb7e3a29d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9e3fc58a8fb86c93d19e1500b873ef6f
SHA1 c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512 e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3f0dc50db9c3c7155608399345c16725
SHA1 894018944d51d3696b19328fb9b34434f533b8f3
SHA256 9cf46ca3d54d28193b5c124467040ed5d48b1c5e59ac6f0848024de4889f89f1
SHA512 2a277b1a2048770ffb08c0a24cd7880cb2d4c975ca3a6bafd88ca92abaedbaf8077eab483cefa4139f323d86cbab81f229c7cc2225a84af02c1114ca88f90298

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d40b36c95e973cc343d6df9b3d8c23f8
SHA1 4d3f45e6b4e50c4dc381b297cab43c4a49150688
SHA256 36e9c2435836ef549659c0033bc2576f8a8db80d8642818b2d9894fd2cd97d54
SHA512 f63d10f7c70291b54639bbdc460080b2338715dceac23efc163236e2b2d6029173fc410a4e9446032f6b549525265620c99fa67386c1f5ac3e215bd1684300d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cae22c9f47bcd008b482425dbbfe0491
SHA1 98b0e2eb68aa51937ae7516fe2b742bebbc42fdc
SHA256 81f599fd5df57dd25cdcc9cdfd04c9250ab18db31197f17935549988072a01ed
SHA512 f9ae6e6ef32835dcfe4d83b7bd04e51fe873e54f5c12dbfe0a340a1e769b79951a65cfa7d00fdb000ac25739fb2b73069be72099310a34ec8fefe271fd75d370

memory/5880-502-0x0000000000BB0000-0x0000000000D1B000-memory.dmp

memory/5880-511-0x0000000000BB0000-0x0000000000D1B000-memory.dmp

memory/5504-512-0x0000000001060000-0x0000000001061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe

MD5 10dc710dd495e9078ce79b26e18591e0
SHA1 aef434d6b77158dd2accd746bbc727bbc3367adc
SHA256 be5389a28e952d7ab2d9447c1bdb8eb7d11b24cb02e4b18da367715c2acfdd15
SHA512 959c5cb47b9d1c21ddfe2eaac14e0c99c758aab85036705c072525e70255957abc97412ab0ceadd2adbebc1b176699614f71bf50689cf9ff97891e6216a15dc5

memory/4884-521-0x00000264FE6E0000-0x00000264FEE1F000-memory.dmp

memory/5904-527-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\System32\drivers\hitmanpro37.sys

MD5 55b9678f6281ff7cb41b8994dabf9e67
SHA1 95a6a9742b4279a5a81bef3f6e994e22493bbf9f
SHA256 eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6
SHA512 d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40

memory/3972-548-0x000001C377A90000-0x000001C3781CF000-memory.dmp

memory/3204-561-0x0000000000400000-0x000000000042C000-memory.dmp

memory/5296-575-0x0000000000BB0000-0x0000000000D1B000-memory.dmp