Malware Analysis Report

2025-08-10 22:41

Sample ID 250127-sckg5svkcq
Target setup.exe
SHA256 f0a221bcb58c14f705bc35c5f86026d3fc50ecf72fb000ad36bab13c5f7d52bf
Tags discovery
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 8/10

SHA256 f0a221bcb58c14f705bc35c5f86026d3fc50ecf72fb000ad36bab13c5f7d52bf

Threat Level: Likely malicious

The file setup.exe was found to be: Likely malicious.

The score is a count of matched signatures, so it should be read against what the two detonations actually show. The staging directory (is-VF7MD.tmp), setup.tmp started with /SL5=, unins000.exe relaunching itself as _iu14D2N.tmp with /SECONDPHASE, and the helper DLLs _shfoldr.dll, idp.dll, ISDone.dll, innocallback.dll, CallbackCtrl.dll and botva2.dll are Inno Setup components and third-party Inno Setup plug-ins; the install tree (Teardown\_Redist with fitgirl.md5, QuickSFV.EXE and dxwebsetup.exe) is laid out like a game repack. Most discovery hits (drive enumeration, NLS language and Geo\Nation lookups) are routine installer behaviour, and the Windows 7 run made no network connections. The finding that matters is on the Windows 10 run, where a dropped hosts.exe rewrites C:\Windows\System32\drivers\etc\hosts and leaves hosts.backup, hosts.check and hosts.rollback beside it; which names were added is not recorded in this report and is the first thing to check on an affected host.

Malicious Activity Summary (tag: discovery)

Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Enumerates connected drives
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-27 14:58

Signatures

Unsigned PE (the sample carries no Authenticode signature)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-27 14:58
Reported 2025-01-27 15:00
Platform win7-20240708-en
Max time kernel 110s
Max time network 111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Checks installed software on the system (tag: discovery)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: through \??\Z:, every drive letter except C: (25 opens) C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Teardown\unins000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe N/A

The second token is SeProfileSingleProcessPrivilege (the name is abbreviated in the report). Only the dropped FlushFileCache.exe enables these two privileges, and they are the two a tool needs in order to purge the system file cache and trim working sets, which matches the executable's name; no other process in the chain adjusts its token.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 1688 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp
PID 1688 wrote to memory of 1536 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe
PID 1688 wrote to memory of 2100 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp C:\Users\Admin\Desktop\Teardown\unins000.exe
PID 2100 wrote to memory of 2984 (7 events) N/A C:\Users\Admin\Desktop\Teardown\unins000.exe C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Each write goes from a parent into a child it has just created (setup.exe into setup.tmp, setup.tmp into FlushFileCache.exe and unins000.exe, unins000.exe into _iu14D2N.tmp), and no process writes into a PID it did not spawn. A parent populating the start-up data of its own new child is part of normal process creation on Windows; what this signature is meant to catch, a write into an unrelated process that is already running, does not occur in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp" /SL5="$4010A,5388498,140800,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe
"C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe"

C:\Users\Admin\Desktop\Teardown\unins000.exe
"C:\Users\Admin\Desktop\Teardown\unins000.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\Desktop\Teardown\unins000.exe" /FIRSTPHASEWND=$4020E /VERYSILENT

setup.exe is the Inno Setup loader stub: it unpacks the real installer to is-VF7MD.tmp\setup.tmp and passes it, through /SL5, the loader's window handle and a reference back to setup.exe (its path, its size and an offset into it) so that setup.tmp can read the embedded payload from the original file. unins000.exe /VERYSILENT followed by _iu14D2N.tmp /SECONDPHASE is the Inno Setup uninstaller copying itself to %TEMP% and relaunching; it was started by setup.tmp itself, so the whole chain stays inside the installer package apart from one explorer.exe launch.

Network

N/A
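The process chain listed under Processes (setup.exe into setup.tmp, setup.tmp into FlushFileCache.exe and unins000.exe, unins000.exe into _iu14D2N.tmp) can be rebuilt mechanically from the "wrote to memory of" rows, which also makes any cross-tree write stand out. The following is an added example written for this page, not code from the sandbox vendor or from the sample: it parses rows in the report's own format (the four distinct rows from the signature table, embedded as constructed input), rebuilds the tree, flags any target PID that more than one process writes into, and decodes the /SL5 switch. The meaning assigned to the /SL5 fields (loader window handle, size of setup.exe, offset of the embedded data, path of setup.exe) is an assumption about Inno Setup's loader and is marked as such in the code.

```python
"""Rebuild a process tree from the report's WriteProcessMemory rows.

Added example (not code from the sandbox vendor or from the sample). It
parses rows shaped like the ones in the report, rebuilds parent->child
relations, flags any target written by more than one process, and decodes
the Inno Setup loader's /SL5 switch (field meanings assumed, see parse_sl5).
"""
import re
from collections import defaultdict

# Constructed from the rows in the report above, one line per distinct pair.
WPM_ROWS = r"""
PID 2852 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp
PID 1688 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe
PID 1688 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp C:\Users\Admin\Desktop\Teardown\unins000.exe
PID 2100 wrote to memory of 2984 N/A C:\Users\Admin\Desktop\Teardown\unins000.exe C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_path, target_path) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def build_tree(rows):
    """Map each writer PID to the PIDs it wrote into, plus PID -> image path."""
    children = defaultdict(set)
    paths = {}
    for writer, target, wpath, tpath in rows:
        children[writer].add(target)
        paths.setdefault(writer, wpath)
        paths.setdefault(target, tpath)
    return dict(children), paths


def roots(rows):
    """PIDs that were never a write target: the top of each chain."""
    targets = {t for _, t, _, _ in rows}
    return sorted({w for w, _, _, _ in rows} - targets)


def unexpected_writes(rows):
    """(writer, target) pairs where the target already had a different writer.

    A parent writing into the child it just created is normal process
    start-up; a second, different process writing into that same PID is
    not explained by that and is what injection looks like in these rows.
    """
    first_writer = {}
    flagged = []
    for writer, target, _, _ in rows:
        owner = first_writer.setdefault(target, writer)
        if owner != writer and (writer, target) not in flagged:
            flagged.append((writer, target))
    return flagged


def render_tree(children, paths, pid, depth=0, out=None):
    """Indented text rendering of the chain that starts at pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {paths.get(pid, '?')}")
    for child in sorted(children.get(pid, ())):
        render_tree(children, paths, child, depth + 1, out)
    return out


def parse_sl5(cmdline):
    """Decode Inno Setup's /SL5 switch; None if the switch is absent.

    Field meanings are an assumption about the loader: hex window handle,
    total size of the original setup.exe in bytes, byte offset inside it
    where the embedded setup data starts, and the path of setup.exe.
    """
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"hwnd": int(m.group(1), 16), "total_size": int(m.group(2)),
            "offset": int(m.group(3)), "source_exe": m.group(4)}


if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    children, paths = build_tree(rows)
    for root in roots(rows):
        print("\n".join(render_tree(children, paths, root)))
    print("unexpected writes:", unexpected_writes(rows))
    print(parse_sl5(r'"C:\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp" '
                    r'/SL5="$4010A,5388498,140800,C:\Users\Admin\AppData\Local\Temp\setup.exe"'))
```

Run against the rows above it prints one tree rooted at PID 2852 and an empty list of unexpected writes; feeding it a row such as "PID 1536 wrote to memory of 2100" would flag (1536, 2100), because 2100 already belongs to 1688.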

Files

memory/2852-2-0x0000000000401000-0x0000000000417000-memory.dmp

memory/2852-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-VF7MD.tmp\setup.tmp

MD5 ae9890548f2fcab56a4e9ae446f55b3f
SHA1 e17c970eebbe6d7d693c8ac5a7733218800a5a96
SHA256 09af8004b85478e1eca09fa4cb5e3081dddcb2f68a353f3ef6849d92be47b449
SHA512 154b6f66ff47db48ec0788b8e67e71f005b51434920d5d921ac2a5c75745576b9b960e2e53c6a711f90f110ad2372ef63045d2a838bc302367369ef1731c80eb

memory/1688-8-0x0000000000400000-0x0000000000579000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\idp.dll

MD5 af555ac9c073f88fe5bf0d677f085025
SHA1 5fff803cf273057c889538886f6992ea05dd146e
SHA256 f4fc0187491a9cb89e233197ff72c2405b5ec02e8b8ea640ee68d034ddbc44bb
SHA512 c61bf21a5b81806e61aae1968d39833791fd534fc7bd2c85887a5c0b2caedab023d94efdbbfed2190b087086d3fd7b98f2737a65f4536ab603dec67c9a8989f5

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\innocallback.dll

MD5 1c55ae5ef9980e3b1028447da6105c75
SHA1 f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

memory/1688-21-0x0000000001EF0000-0x0000000001F05000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\ISDone.dll

MD5 63dc27b7bc65243efaa59a9797a140ba
SHA1 22f893aefcebecc9376e2122a3321befa22cdd73
SHA256 c652b4b564b3c85c399155cbb45c6fb5a9f56f074e566bfd20f01da6e0412c74
SHA512 3df72dc171baa4698dfd0c324a96dde79eb1c8909f2ff7d8da40e5ca1de08f1fc26298139ab618e0bb3fa168efe5d6059398b90d8ff5f88e54c7988c21fb679e

memory/1688-25-0x0000000007580000-0x00000000075E5000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\wintb.dll

MD5 9436df49e08c83bad8ddc906478c2041
SHA1 a4fa6bdd2fe146fda2e78fdbab355797f53b7dce
SHA256 1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435
SHA512 f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

memory/1688-63-0x0000000011000000-0x000000001104C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\BASS.dll

MD5 8005750ec63eb5292884ad6183ae2e77
SHA1 c83e31655e271cd9ef5bff62b10f8d51eb3ebf29
SHA256 df9f56c4da160101567b0526845228ee481ee7d2f98391696fa27fe41f8acf15
SHA512 febbc6374e9a5c7c9029ccbff2c0ecf448d76927c8d720a4eae513b345d2a3f6de8cf774ae40dcd335af59537666e83ce994ec0adc8b9e8ab4575415e3c3e206

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\CallbackCtrl.dll

MD5 f07e819ba2e46a897cfabf816d7557b2
SHA1 8d5fd0a741dd3fd84650e40dd3928ae1f15323cc
SHA256 68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
SHA512 7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

memory/1688-68-0x0000000008DA0000-0x0000000008DAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\MusicButton.png

MD5 473a683962d3375a00f93dd8ce302158
SHA1 1c0709631834fd3715995514eef875b2b968a6be
SHA256 7f4ad4d912cdabdfbb227387759db81434e20583687737f263d4f247326f0c1a
SHA512 24ffe03b5de8aec324c363b4be1d0ae4c8981176a9f78a359f140de792251e4f2e3e82e2a6f3c19ff686de5588e8665409ddc56fc9532418f6d476869f3f1f9e

memory dumps: 22 further captures, grouped by PID (2852 is setup.exe, 1688 is setup.tmp) and address range
PID 2852 0x00400000-0x0042D000 1 capture
PID 1688 0x00400000-0x00579000 6 captures
PID 1688 0x01EF0000-0x01F05000 2 captures
PID 1688 0x07580000-0x075E5000 1 capture
PID 1688 0x08DA0000-0x08DAF000 2 captures
PID 1688 0x11000000-0x1104C000 9 captures
PID 1688 0x6B080000-0x6B08D000 1 capture

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe

MD5 df77f2b6126f4f258f2e952b53b22879
SHA1 fedda8401ebfe872dd081538deec58965e82f675
SHA256 a4cc6683393795f7b84d0b49eea2d7d7fbe1392bb7612cf39896af6832ffe0b8
SHA512 623c5a2b3382b610bf2a2812db94ea77e52051f307fd1ba7767927719277a7d99e844f9286a52549f888ad818c4d4d09759c031a8ab6dbc58911257987028a37

C:\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\CLS.ini

MD5 bf10c6fe273bfc0e1f00a8e55430fb3e
SHA1 f58e31a719538311a305c67e2ffb74b99477ba8f
SHA256 455a798bf87193a70b4fa8ae7a3bf30557ffcdcb3b22b27f1e0cb4f9c9bf0df1
SHA512 750af8758c47fb54ae20bf83cc5496c39756decd5771c2ebd7ab93ab84d59b13329c6fc06669ca15e9745f36b4e562120b53b4c92f557f419c800cc723559590

\Users\Admin\Desktop\Teardown\unins000.exe

MD5 f68e6d1645d16e4ef9265eead160b460
SHA1 f7dab5d6378c621c3998e5949a488750e363bb5e
SHA256 d79c145efc7798b7b785af565d3b79c7d7260b3c5ad9202ee91a2d420b01ef41
SHA512 d63a430e2eabe8a4307be6c545e7878571d567eef7bd0cbfb4dfeb5e3ba608c63e30c50b6394744da3821cacf2ad14e9bb7aecf76ed82db8fd299cc1313b0b6c

C:\Users\Admin\Desktop\Teardown\unins000.dat

MD5 a6c940499f1e16ab41addbbe334ca816
SHA1 955439092667d058d4864c456238e74201ac2608
SHA256 2530cc01b1b9adf97ffbdd16ca795249d6c0539e48211d7a1fe0243e51671d44
SHA512 9699b6239baca3476f23e6ca867c63be1ad0dd04d3b065d8e87099cf33772b4bc8b41266c4b42e272b5ab8227bc58e7725fb5b09d11f6546a35405f7b82539fe

C:\Users\Public\Desktop\Teardown.lnk

MD5 4a03946798dbd6671654b510ac3c3395
SHA1 4cd55c4bc29836afaea7301cd98f8daa4a32fad8
SHA256 2f7c2f07fd21f0e25769c1b40e046570533636120c1c57840df0141989810bd7
SHA512 a343ead4c55be6521e92165c03c32fdeea8c0af25d2267c6d05e984c766d7a8ccc7a46ea6253f56854666a4966a9af153f14f5e02aa197008cf2e77a0a9ae508

C:\Users\Admin\Desktop\Teardown\_Redist\dxwebsetup.exe

MD5 56d52c503adf02184f19eee4767ef60a
SHA1 ca133f67a286f4f20282e19837b53b38a27a1caa
SHA256 ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494
SHA512 246f35664a9af548d402878a3e6ce6d8901a0978477b145db5fd4e5857021efc4016369e9e02e709a27cf5c84f44a32e106008668ba96e2b45d4d06599090d8f

C:\Users\Admin\Desktop\Teardown\_Redist\QuickSFV.EXE

MD5 4b1d5ec11b2b5db046233a28dba73b83
SHA1 3a4e464d3602957f3527727ea62876902b451511
SHA256 a6371461da7439f4ef7008ed53331209747cba960b85c70a902d46451247a29c
SHA512 fcd653dbab79dbedca461beb8d01c2a4d0fd061fcfba50ffa12238f338a5ea03e7f0e956a3932d785e453592ce7bb1b8a2f1d88392e336bd94fb94a971450b69

C:\Users\Admin\Desktop\Teardown\_Redist\QuickSFV.ini

MD5 c5c28798bca6e9ed5d84fa67b656065a
SHA1 4b6fa3465f1b393e22e9f083b177462028a48e93
SHA256 74ca5a42469197eded04f5a0bf34ca251c72f7cc06a3416ac035230cb8e81629
SHA512 c06baa4b31e2866fc3f298826930f43fb1d9c2de24e0984594e41f72f022a9090712b478e84d3cb46e0cb0f45d4e81d6c6443b69c7513775340324d9eda92963

C:\Users\Admin\Desktop\Teardown\_Redist\fitgirl.md5

MD5 6afdefdd42b7b96cd04b8ac36598c03d
SHA1 2f7f549a70b3ff11bca57f67705e8ea2f4e8e3e1
SHA256 b045c0c68573fda2aa709a015bec39b5ea8ffe903bcc5043935508e460cb5f37
SHA512 7c95e1d7f7fda393e39e6028e77f1442cdf9d403da72ccc8882a585e8bfad5f77a97bdf47548734d9b65820f39df9025189997b1b0b44a933757fc43f53021d6
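The hash blocks above are the report's file IOCs; turned into records they can be used to sweep a host. The script below is an added example, not from the report, the sandbox vendor or the sample: it parses entries in the exact shape of the listing above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump lines skipped), hashes every file under a directory, reports SHA256 matches, and separately reports files that carry a listed file name but a different hash. The embedded sample listing copies the FlushFileCache.exe and unins000.exe entries from above; the hosts.exe entry and the two files staged in the demo are constructed for the example.

```python
"""Turn the report's file listing into hash IOCs and sweep a directory.

Added example (not from the report, the sandbox vendor or the sample).
SAMPLE_LISTING copies two entries from the listing above; the hosts.exe
entry and the files staged in demo() are constructed for the example.
"""
import hashlib
import os
import re
import tempfile

HASH_NAMES = ("MD5", "SHA1", "SHA256", "SHA512")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

SAMPLE_LISTING = r"""
memory/1688-133-0x0000000000400000-0x0000000000579000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QOQNN.tmp\FlushFileCache.exe

MD5 df77f2b6126f4f258f2e952b53b22879
SHA1 fedda8401ebfe872dd081538deec58965e82f675
SHA256 a4cc6683393795f7b84d0b49eea2d7d7fbe1392bb7612cf39896af6832ffe0b8
SHA512 623c5a2b3382b610bf2a2812db94ea77e52051f307fd1ba7767927719277a7d99e844f9286a52549f888ad818c4d4d09759c031a8ab6dbc58911257987028a37

\Users\Admin\Desktop\Teardown\unins000.exe

MD5 f68e6d1645d16e4ef9265eead160b460
SHA1 f7dab5d6378c621c3998e5949a488750e363bb5e
SHA256 d79c145efc7798b7b785af565d3b79c7d7260b3c5ad9202ee91a2d420b01ef41
SHA512 d63a430e2eabe8a4307be6c545e7878571d567eef7bd0cbfb4dfeb5e3ba608c63e30c50b6394744da3821cacf2ad14e9bb7aecf76ed82db8fd299cc1313b0b6c
"""


def parse_file_records(text):
    """Map each listed path to its digests; memory-dump lines carry none and are skipped."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                records[current][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            current = None
            continue
        current = line
        records.setdefault(current, {})
    return {p: h for p, h in records.items() if all(n in h for n in HASH_NAMES)}


def hash_file(path):
    """All four digests of one file, streamed in 1 MiB chunks."""
    digests = {n: hashlib.new(n.lower()) for n in HASH_NAMES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}


def _basename(listed_path):
    return os.path.basename(listed_path.replace("\\", "/")).lower()


def sweep(root, records):
    """(local file, listed path) for every file under root whose SHA256 is listed."""
    by_sha256 = {h["SHA256"]: p for p, h in records.items()}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            listed = by_sha256.get(hash_file(full)["SHA256"])
            if listed:
                hits.append((full, listed))
    return hits


def same_name_different_hash(root, records):
    """Files that carry a listed file name but not a listed SHA256 (another build)."""
    by_name = {}
    for p, h in records.items():
        by_name.setdefault(_basename(p), set()).add(h["SHA256"])
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            known = by_name.get(name.lower())
            if known and hash_file(os.path.join(dirpath, name))["SHA256"] not in known:
                out.append(os.path.join(dirpath, name))
    return out


def demo():
    """Stage two constructed files and run both checks against the listing."""
    with tempfile.TemporaryDirectory() as d:
        hosts_exe = os.path.join(d, "hosts.exe")
        with open(hosts_exe, "wb") as f:
            f.write(b"constructed stand-in for the dropped hosts.exe\n")
        with open(os.path.join(d, "unins000.exe"), "wb") as f:
            f.write(b"constructed stand-in whose hash the listing does not have\n")
        h = hash_file(hosts_exe)  # constructed IOC entry for the stand-in
        listing = (SAMPLE_LISTING + "\n"
                   + r"C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe" + "\n\n"
                   + "\n".join(f"{n} {h[n]}" for n in HASH_NAMES) + "\n")
        records = parse_file_records(listing)
        return records, sweep(d, records), same_name_different_hash(d, records)


if __name__ == "__main__":
    recs, hits, mismatches = demo()
    print(len(recs), "records; hits:", hits, "; name-only matches:", mismatches)
```

Paste the whole Files section of a report into parse_file_records to get every dropped file as a record; matching is by SHA256 only, the MD5 and SHA1 columns are kept for cross-referencing other feeds, not for deciding a match.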

Analysis: behavioral2

Detonation Overview

Submitted 2025-01-27 14:58
Reported 2025-01-27 15:01
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Drops file in Drivers directory

The path this signature matched is the hosts file under \drivers\etc, not a device driver: the dropped hosts.exe rewrites C:\Windows\System32\drivers\etc\hosts and keeps hosts.backup, hosts.check and hosts.rollback copies beside it. The Windows resolver consults that file before DNS for every application on the machine, so any name it adds is silently redirected or blackholed system-wide; the entries it wrote are not captured in this report and should be read off the resulting file (and diffed against hosts.backup) on an affected host.

Description Indicator Process Target (64 events, grouped by action and path)
File created \??\c:\windows\system32\drivers\etc\hosts.check (18 events) C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
File created \??\c:\windows\system32\drivers\etc\hosts.backup (1 event) C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts (14 events) C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts.rollback (16 events) C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts.check (14 events) C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts.backup (1 event) C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
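To find out what the rewrite did on an affected host, the hosts file has to be compared with the copy the installer left behind. The script below is an added example, not from the report, the sandbox vendor or the sample: it parses a hosts file, diffs it against hosts.backup to list the entries that were added, flags non-local names mapped to 0.0.0.0 or a loopback address, and reports which of the hosts.backup, hosts.check and hosts.rollback sidecars are still present. The sidecar names are the ones from the events above; the hosts contents used in the demo are constructed (under the reserved .invalid TLD), and on a real machine triage() is pointed at C:\Windows\System32\drivers\etc.

```python
"""Compare a rewritten hosts file with the backup the installer left behind.

Added example (not from the report, the sandbox vendor or the sample).
Sidecar names come from the file events listed above; the hosts text used
in demo() is constructed, not recovered from the sandbox run.
"""
import os
import tempfile

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
SIDECARS = ("hosts.backup", "hosts.check", "hosts.rollback")


def parse_hosts(text):
    """Return (ip, hostname) pairs with comments stripped, one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def added_entries(current_text, backup_text):
    """Entries in the current file that the backup did not have."""
    before = set(parse_hosts(backup_text))
    return [e for e in parse_hosts(current_text) if e not in before]


def sinkholed_names(entries):
    """Non-local names pointed at a loopback or null address."""
    return sorted({name for ip, name in entries
                   if ip in SINKHOLES and name not in LOCAL_NAMES})


def leftover_sidecars(etc_dir):
    """Installer helper files still sitting next to hosts."""
    return [n for n in SIDECARS if os.path.exists(os.path.join(etc_dir, n))]


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


def triage(etc_dir):
    """Summarise one drivers\\etc directory: sidecars, added entries, sinkholes."""
    current = _read(os.path.join(etc_dir, "hosts"))
    backup_path = os.path.join(etc_dir, "hosts.backup")
    backup = _read(backup_path) if os.path.exists(backup_path) else ""
    added = added_entries(current, backup)
    return {
        "sidecars": leftover_sidecars(etc_dir),
        "added": added,
        "sinkholed": sinkholed_names(parse_hosts(current)),
        "sinkholed_by_installer": sinkholed_names(added),
    }


# Constructed demo content; .invalid is a reserved TLD, so nothing real is named.
CLEAN_HOSTS = "# Copyright (c) 1993-2009 Microsoft Corp.\n127.0.0.1 localhost\n::1 localhost\n"
TAMPERED_HOSTS = CLEAN_HOSTS + ("0.0.0.0 telemetry.example.invalid\n"
                                "127.0.0.1 license.example.invalid # added\n")


def demo():
    """Stage the constructed files in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("hosts", TAMPERED_HOSTS),
                           ("hosts.backup", CLEAN_HOSTS),
                           ("hosts.rollback", CLEAN_HOSTS)):
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(body)
        return triage(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If hosts.backup is missing, added_entries is computed against an empty baseline and every entry is reported, which is the conservative outcome; the "sinkholed" list is the one to act on either way, because those names can no longer be reached by any program on the host until the lines are removed.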

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe N/A
N/A N/A F:\Games\Teardown\unins000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A (40 executions listed)

On this run the game directory is F:\Games\Teardown rather than the Desktop folder used on the Windows 7 run, and hosts.exe, which does not appear anywhere in the Windows 7 run, is launched 40 times.

Checks installed software on the system (tag: discovery)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp N/A

Browser Information Discovery (tag: discovery)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target (25 rows, grouped by process)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A (22 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\Games\Teardown\unins000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp
PID 2204 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp
PID 2204 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp
PID 552 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe
PID 552 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe
PID 552 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe
PID 552 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp F:\Games\Teardown\unins000.exe
PID 552 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp F:\Games\Teardown\unins000.exe
PID 552 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp F:\Games\Teardown\unins000.exe
PID 3600 wrote to memory of 2256 N/A F:\Games\Teardown\unins000.exe C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
PID 3600 wrote to memory of 2256 N/A F:\Games\Teardown\unins000.exe C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
PID 3600 wrote to memory of 2256 N/A F:\Games\Teardown\unins000.exe C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
PID 552 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 552 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 552 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4776 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe
PID 4776 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe
PID 4776 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 3448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2416 wrote to memory of 3448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp" /SL5="$80054,5388498,140800,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f4 0x240

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe

"C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe"

F:\Games\Teardown\unins000.exe

"F:\Games\Teardown\unins000.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="F:\Games\Teardown\unins000.exe" /FIRSTPHASEWND=$301EE /VERYSILENT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bit.ly/fitgirl-repacks-site

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\host.cmd"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff307846f8,0x7fff30784708,0x7fff30784718

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepacks.in 109.94.209.70 # Fake FitGirl site

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepacks.in 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepacks.co 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repacks.cc 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repacks.to 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repack.com 109.94.209.70 # Fake FitGirl site

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repacks.website 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepack.games 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepacks.co 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repacks.cc 109.94.209.70 # Fake FitGirl site

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,636543990817415691,7793473114386088257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repacks.to 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repack.com 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repacks.website 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add ww9.fitgirl-repacks.xyz 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepack.games 109.94.209.70 # Fake FitGirl site

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add *.fitgirl-repacks.xyz 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repacks.xyz 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repack.net 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repack.net 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlpack.site 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlpack.site 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repack.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repack.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepacks.pro 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepacks.pro 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepack.games 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepack.games 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repacks-site.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repacks-site.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirls-repacks.com 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepack.cc 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirlrepacks.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirls-repacks.com 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepack.cc 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirlrepacks.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirltorrent.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirltorrent.org 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add fitgirl-repacks.net 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe add www.fitgirl-repacks.net 109.94.209.70 # Fake FitGirl site

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

hosts.exe rem fitgirl-repacks.site

Network

Country Destination           Domain                        Proto
US      8.8.8.8:53            8.8.8.8.in-addr.arpa          udp
US      8.8.8.8:53            97.17.167.52.in-addr.arpa     udp
US      8.8.8.8:53            83.210.23.2.in-addr.arpa      udp
US      8.8.8.8:53            23.159.190.20.in-addr.arpa    udp
US      8.8.8.8:53            5.114.82.104.in-addr.arpa     udp
US      8.8.8.8:53            104.219.191.52.in-addr.arpa   udp
US      8.8.8.8:53            196.249.167.52.in-addr.arpa   udp
US      8.8.8.8:53            50.23.12.20.in-addr.arpa      udp
US      8.8.8.8:53            171.39.242.20.in-addr.arpa    udp
US      8.8.8.8:53            172.210.232.199.in-addr.arpa  udp
US      8.8.8.8:53            bit.ly                        udp
US      67.199.248.10:80      bit.ly                        tcp
US      67.199.248.10:80      bit.ly                        tcp
US      8.8.8.8:53            fitgirl-repacks.site          udp
AE      190.115.31.179:80     fitgirl-repacks.site          tcp
US      8.8.8.8:53            fitgirl-repacks.site          udp
AE      190.115.31.179:443    fitgirl-repacks.site          tcp
US      8.8.8.8:53            10.248.199.67.in-addr.arpa    udp
US      8.8.8.8:53            179.31.115.190.in-addr.arpa   udp
US      8.8.8.8:53            stats.wp.com                  udp
US      8.8.8.8:53            i7.imageban.ru                udp
RU      62.109.19.95:443      i7.imageban.ru                tcp
RU      62.109.19.95:443      i7.imageban.ru                tcp
RU      62.109.19.95:443      i7.imageban.ru                tcp
US      8.8.8.8:53            i7.imageban.ru                udp
US      8.8.8.8:53            i6.imageban.ru                udp
RU      80.87.200.35:443      i6.imageban.ru                tcp
RU      62.109.19.95:443      i7.imageban.ru                tcp
US      8.8.8.8:53            www.youtube.com               udp
US      8.8.8.8:53            fitgirl-repacks.site          udp
US      8.8.8.8:53            i5.imageban.ru                udp
US      8.8.8.8:53            i4.imageban.ru                udp
US      8.8.8.8:53            i2.imageban.ru                udp
US      8.8.8.8:53            i1.imageban.ru                udp
FR      142.250.75.238:443    www.youtube.com               tcp
FR      142.250.75.238:443    www.youtube.com               tcp
RU      62.109.5.15:443       i5.imageban.ru                tcp
RU      80.87.200.35:443      i6.imageban.ru                tcp
RU      92.63.103.84:443      i1.imageban.ru                tcp
RU      92.63.103.84:443      i1.imageban.ru                tcp
RU      62.109.31.142:443     i2.imageban.ru                tcp
RU      62.109.31.142:443     i2.imageban.ru                tcp
RU      37.230.117.113:443    i4.imageban.ru                tcp
US      8.8.8.8:53            238.75.250.142.in-addr.arpa   udp
US      8.8.8.8:53            i5.imageban.ru                udp
US      8.8.8.8:53            i4.imageban.ru                udp
US      8.8.8.8:53            i2.imageban.ru                udp
US      8.8.8.8:53            i1.imageban.ru                udp
RU      62.109.5.15:443       i5.imageban.ru                tcp
RU      37.230.117.113:443    i4.imageban.ru                tcp
RU      62.109.31.142:443     i2.imageban.ru                tcp
US      8.8.8.8:53            www.youtube.com               udp
RU      92.63.103.84:443      i1.imageban.ru                tcp
FR      172.217.18.206:443    www.youtube.com               udp
US      8.8.8.8:53            i.ytimg.com                   udp
US      8.8.8.8:53            i0.wp.com                     udp
US      8.8.8.8:53            stats.wp.com                  udp
FR      142.250.75.246:443    i.ytimg.com                   tcp
US      192.0.76.3:443        stats.wp.com                  tcp
US      192.0.77.2:443        i0.wp.com                     tcp
US      8.8.8.8:53            i.ytimg.com                   udp
US      8.8.8.8:53            i0.wp.com                     udp
US      8.8.8.8:53            googleads.g.doubleclick.net   udp
FR      172.217.20.194:443    googleads.g.doubleclick.net   tcp
US      8.8.8.8:53            206.18.217.172.in-addr.arpa   udp
US      8.8.8.8:53            163.20.217.172.in-addr.arpa   udp
US      8.8.8.8:53            246.75.250.142.in-addr.arpa   udp
US      8.8.8.8:53            3.76.0.192.in-addr.arpa       udp
US      8.8.8.8:53            2.77.0.192.in-addr.arpa       udp
US      8.8.8.8:53            static.doubleclick.net        udp
US      8.8.8.8:53            googleads.g.doubleclick.net   udp
FR      172.217.20.194:443    googleads.g.doubleclick.net   udp
US      8.8.8.8:53            jnn-pa.googleapis.com         udp
FR      172.217.20.198:443    static.doubleclick.net        tcp
US      8.8.8.8:53            www.google.com                udp
US      8.8.8.8:53            yt3.ggpht.com                 udp
FR      216.58.214.74:443     jnn-pa.googleapis.com         tcp
FR      216.58.214.74:443     jnn-pa.googleapis.com         tcp
FR      172.217.20.164:443    www.google.com                tcp
FR      216.58.215.33:443     yt3.ggpht.com                 tcp
FR      216.58.215.33:443     yt3.ggpht.com                 tcp
US      8.8.8.8:53            jnn-pa.googleapis.com         udp
FR      142.250.179.106:443   jnn-pa.googleapis.com         udp
US      8.8.8.8:53            play.google.com               udp
FR      216.58.214.174:443    play.google.com               tcp
FR      216.58.214.174:443    play.google.com               tcp
US      8.8.8.8:53            194.20.217.172.in-addr.arpa   udp
US      8.8.8.8:53            198.20.217.172.in-addr.arpa   udp
US      8.8.8.8:53            74.214.58.216.in-addr.arpa    udp
US      8.8.8.8:53            164.20.217.172.in-addr.arpa   udp
US      8.8.8.8:53            33.215.58.216.in-addr.arpa    udp
US      8.8.8.8:53            195.20.217.172.in-addr.arpa   udp
US      8.8.8.8:53            106.179.250.142.in-addr.arpa  udp
US      8.8.8.8:53            174.214.58.216.in-addr.arpa   udp
US      8.8.8.8:53            play.google.com               udp
FR      216.58.214.174:443    play.google.com               udp
N/A     224.0.0.251:5353      N/A                           udp
US      8.8.8.8:53            88.210.23.2.in-addr.arpa      udp
US      8.8.8.8:53            167.173.78.104.in-addr.arpa   udp
US      8.8.8.8:53            84.65.42.20.in-addr.arpa      udp
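The Network table above mixes three kinds of rows: queries to the sandbox resolver at 8.8.8.8:53, reverse (in-addr.arpa) lookups of peers that the sandbox itself performs, and the connections the sample actually made. Rows with proto udp to port 443 are Google-hosted names reached over UDP/443, consistent with QUIC, and should be kept as contacts rather than discarded. The Python below is an added example, not part of the report; it parses rows in this table's whitespace-separated layout, including the mDNS row that carries no domain, and reduces them to a per-domain list of endpoints. The sample rows are a subset copied from the table; treating 8.8.8.8:53 as the only resolver is an assumption taken from the table itself.

```python
"""Reduce a sandbox Network table to a per-domain contact list.

Added example, not part of the report: it parses rows in the table's
whitespace-separated layout, drops resolver and reverse-lookup chatter,
and keeps the endpoints the sample actually connected to."""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of rows copied from the Network table above,
# including the multicast row whose Domain column is empty.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 bit.ly udp
US 67.199.248.10:80 bit.ly tcp
US 67.199.248.10:80 bit.ly tcp
US 8.8.8.8:53 fitgirl-repacks.site udp
AE 190.115.31.179:80 fitgirl-repacks.site tcp
AE 190.115.31.179:443 fitgirl-repacks.site tcp
US 8.8.8.8:53 179.31.115.190.in-addr.arpa udp
RU 62.109.19.95:443 i7.imageban.ru tcp
FR 142.250.75.238:443 www.youtube.com tcp
FR 172.217.18.206:443 www.youtube.com udp
N/A 224.0.0.251:5353 udp
"""

# Assumption: the sandbox forwards all DNS to this one resolver, as every
# port-53 row in the table shows.
RESOLVERS = {("8.8.8.8", 53)}


def parse_rows(text):
    """Turn table lines into dicts; tolerate a missing or N/A Domain column."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:           # Domain column empty
            country, dest, proto = parts
            domain = ""
        else:
            continue                    # blank line or trailing junk
        if domain == "N/A":
            domain = ""
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """dns / ptr rows are resolver traffic, multicast is local discovery,
    everything else is a real contact with a remote host."""
    if (row["ip"], row["port"]) in RESOLVERS:
        return "ptr" if row["domain"].endswith(".in-addr.arpa") else "dns"
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "multicast"
    return "contact"


def summarise(text):
    """Return (names resolved, {domain: sorted [(ip, port, proto)]})."""
    resolved = set()
    contacts = defaultdict(set)
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "dns":
            resolved.add(row["domain"])
        elif kind == "contact":
            contacts[row["domain"]].add((row["ip"], row["port"], row["proto"]))
    return resolved, {d: sorted(v) for d, v in contacts.items()}


if __name__ == "__main__":
    resolved, contacts = summarise(SAMPLE_TABLE)
    for domain, endpoints in sorted(contacts.items()):
        for ip, port, proto in endpoints:
            print(f"{domain:25} {ip}:{port}/{proto}")
    print("resolved but never contacted:", sorted(resolved - set(contacts)))
```

Run over the full table, this separates the contacts that matter for triage (bit.ly, fitgirl-repacks.site on 190.115.31.179, the imageban.ru image hosts) from the YouTube, doubleclick and wp.com traffic that makes up the rest of it, and the "resolved but never contacted" list catches names the sample looked up without completing a connection.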

Files

memory/2204-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2204-2-0x0000000000401000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QQQEJ.tmp\setup.tmp

MD5 ae9890548f2fcab56a4e9ae446f55b3f
SHA1 e17c970eebbe6d7d693c8ac5a7733218800a5a96
SHA256 09af8004b85478e1eca09fa4cb5e3081dddcb2f68a353f3ef6849d92be47b449
SHA512 154b6f66ff47db48ec0788b8e67e71f005b51434920d5d921ac2a5c75745576b9b960e2e53c6a711f90f110ad2372ef63045d2a838bc302367369ef1731c80eb

memory/552-7-0x0000000000400000-0x0000000000579000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\idp.dll

MD5 af555ac9c073f88fe5bf0d677f085025
SHA1 5fff803cf273057c889538886f6992ea05dd146e
SHA256 f4fc0187491a9cb89e233197ff72c2405b5ec02e8b8ea640ee68d034ddbc44bb
SHA512 c61bf21a5b81806e61aae1968d39833791fd534fc7bd2c85887a5c0b2caedab023d94efdbbfed2190b087086d3fd7b98f2737a65f4536ab603dec67c9a8989f5

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\innocallback.dll

MD5 1c55ae5ef9980e3b1028447da6105c75
SHA1 f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

memory/552-21-0x0000000003260000-0x0000000003275000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\ISDone.dll

MD5 63dc27b7bc65243efaa59a9797a140ba
SHA1 22f893aefcebecc9376e2122a3321befa22cdd73
SHA256 c652b4b564b3c85c399155cbb45c6fb5a9f56f074e566bfd20f01da6e0412c74
SHA512 3df72dc171baa4698dfd0c324a96dde79eb1c8909f2ff7d8da40e5ca1de08f1fc26298139ab618e0bb3fa168efe5d6059398b90d8ff5f88e54c7988c21fb679e

memory/552-28-0x0000000003380000-0x00000000033E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\wintb.dll

MD5 9436df49e08c83bad8ddc906478c2041
SHA1 a4fa6bdd2fe146fda2e78fdbab355797f53b7dce
SHA256 1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435
SHA512 f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\BASS.dll

MD5 8005750ec63eb5292884ad6183ae2e77
SHA1 c83e31655e271cd9ef5bff62b10f8d51eb3ebf29
SHA256 df9f56c4da160101567b0526845228ee481ee7d2f98391696fa27fe41f8acf15
SHA512 febbc6374e9a5c7c9029ccbff2c0ecf448d76927c8d720a4eae513b345d2a3f6de8cf774ae40dcd335af59537666e83ce994ec0adc8b9e8ab4575415e3c3e206

memory/552-69-0x0000000011000000-0x000000001104C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\CallbackCtrl.dll

MD5 f07e819ba2e46a897cfabf816d7557b2
SHA1 8d5fd0a741dd3fd84650e40dd3928ae1f15323cc
SHA256 68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
SHA512 7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

memory/552-78-0x00000000069A0000-0x00000000069AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\MusicButton.png

MD5 473a683962d3375a00f93dd8ce302158
SHA1 1c0709631834fd3715995514eef875b2b968a6be
SHA256 7f4ad4d912cdabdfbb227387759db81434e20583687737f263d4f247326f0c1a
SHA512 24ffe03b5de8aec324c363b4be1d0ae4c8981176a9f78a359f140de792251e4f2e3e82e2a6f3c19ff686de5588e8665409ddc56fc9532418f6d476869f3f1f9e

memory/552-85-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2204-86-0x0000000000400000-0x000000000042D000-memory.dmp

memory/552-92-0x00000000069A0000-0x00000000069AF000-memory.dmp

memory/552-91-0x0000000011000000-0x000000001104C000-memory.dmp

memory/552-90-0x000000006B080000-0x000000006B08D000-memory.dmp

memory/552-89-0x0000000003380000-0x00000000033E5000-memory.dmp

memory/552-88-0x0000000003260000-0x0000000003275000-memory.dmp

memory/552-93-0x0000000011000000-0x000000001104C000-memory.dmp

memory/552-94-0x0000000000400000-0x0000000000579000-memory.dmp

memory/552-100-0x0000000011000000-0x000000001104C000-memory.dmp

memory/552-96-0x0000000000400000-0x0000000000579000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\CLS.ini

MD5 3f51da190fac6042e2d80cea9c399d2b
SHA1 174ad36d756f690d5d870847958bb2f4f2f766cf
SHA256 b7014f33f10c5bbc54304c7ced5692767dafbc319cbcf7f69deefcc0bf477058
SHA512 7dfdc3ca918d58718bbe5c2e483fd2ccab4eeefb07b6f7e08f1477754a3b9f05045e2478113499767f602f3f287cc937b3c4723a148ef3461e792c208e0aa28f

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\FlushFileCache.exe

MD5 df77f2b6126f4f258f2e952b53b22879
SHA1 fedda8401ebfe872dd081538deec58965e82f675
SHA256 a4cc6683393795f7b84d0b49eea2d7d7fbe1392bb7612cf39896af6832ffe0b8
SHA512 623c5a2b3382b610bf2a2812db94ea77e52051f307fd1ba7767927719277a7d99e844f9286a52549f888ad818c4d4d09759c031a8ab6dbc58911257987028a37

memory/2232-131-0x0000000000400000-0x0000000000410000-memory.dmp

memory/552-134-0x0000000003380000-0x00000000033E5000-memory.dmp

memory/552-137-0x00000000069A0000-0x00000000069AF000-memory.dmp

memory/552-136-0x0000000011000000-0x000000001104C000-memory.dmp

memory/552-133-0x0000000003260000-0x0000000003275000-memory.dmp

memory/552-132-0x0000000000400000-0x0000000000579000-memory.dmp

F:\Games\Teardown\unins000.exe

MD5 f68e6d1645d16e4ef9265eead160b460
SHA1 f7dab5d6378c621c3998e5949a488750e363bb5e
SHA256 d79c145efc7798b7b785af565d3b79c7d7260b3c5ad9202ee91a2d420b01ef41
SHA512 d63a430e2eabe8a4307be6c545e7878571d567eef7bd0cbfb4dfeb5e3ba608c63e30c50b6394744da3821cacf2ad14e9bb7aecf76ed82db8fd299cc1313b0b6c

F:\Games\Teardown\unins000.dat

MD5 a470271fa0fbb2ba6fe8ca4ed4df28e7
SHA1 d3162d30f301c0bfd49f1620f98ed0b1dbb15b64
SHA256 5d426c363f6b55bad3a7638599db3571bd8aece3bcaafa875f0be7cb39add3ff
SHA512 798ff91e6a05e08bea2924f2bfaf81a379650b619974088488a01c4f02cfb9ff6b87a605c69b044855704e3c75c263d2cd4eae62bd433a702469d3629ea38e6a

C:\Users\Admin\AppData\Local\Temp\is-DSCSG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Public\Desktop\Teardown.lnk

MD5 c7a4718fdf237b10f0af5f4d7567086a
SHA1 2dd4feb9566736e7bfdea36fdb40280a000f4c38
SHA256 dedcb5d8f349096e32dd9dc21eba2304534e3f4399339f0d8fd785722d8cc97f
SHA512 c75200a241e2d1a6b371fe84839d57733531953220c98e7f998787534ac2a84a454a254ca78cd649e857525486e4e26be4e0c48caf48d5263e6410c60ddd0a51

F:\Games\Teardown\_Redist\dxwebsetup.exe

MD5 56d52c503adf02184f19eee4767ef60a
SHA1 ca133f67a286f4f20282e19837b53b38a27a1caa
SHA256 ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494
SHA512 246f35664a9af548d402878a3e6ce6d8901a0978477b145db5fd4e5857021efc4016369e9e02e709a27cf5c84f44a32e106008668ba96e2b45d4d06599090d8f

F:\Games\Teardown\_Redist\QuickSFV.EXE

MD5 4b1d5ec11b2b5db046233a28dba73b83
SHA1 3a4e464d3602957f3527727ea62876902b451511
SHA256 a6371461da7439f4ef7008ed53331209747cba960b85c70a902d46451247a29c
SHA512 fcd653dbab79dbedca461beb8d01c2a4d0fd061fcfba50ffa12238f338a5ea03e7f0e956a3932d785e453592ce7bb1b8a2f1d88392e336bd94fb94a971450b69

F:\Games\Teardown\_Redist\QuickSFV.ini

MD5 c5c28798bca6e9ed5d84fa67b656065a
SHA1 4b6fa3465f1b393e22e9f083b177462028a48e93
SHA256 74ca5a42469197eded04f5a0bf34ca251c72f7cc06a3416ac035230cb8e81629
SHA512 c06baa4b31e2866fc3f298826930f43fb1d9c2de24e0984594e41f72f022a9090712b478e84d3cb46e0cb0f45d4e81d6c6443b69c7513775340324d9eda92963

F:\Games\Teardown\_Redist\fitgirl.md5

MD5 6afdefdd42b7b96cd04b8ac36598c03d
SHA1 2f7f549a70b3ff11bca57f67705e8ea2f4e8e3e1
SHA256 b045c0c68573fda2aa709a015bec39b5ea8ffe903bcc5043935508e460cb5f37
SHA512 7c95e1d7f7fda393e39e6028e77f1442cdf9d403da72ccc8882a585e8bfad5f77a97bdf47548734d9b65820f39df9025189997b1b0b44a933757fc43f53021d6

memory/3600-157-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2256-160-0x0000000000400000-0x0000000000579000-memory.dmp

memory/552-164-0x0000000003380000-0x00000000033E5000-memory.dmp

memory/552-166-0x0000000011000000-0x000000001104C000-memory.dmp

memory/552-163-0x0000000003260000-0x0000000003275000-memory.dmp

memory/552-162-0x0000000000400000-0x0000000000579000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\host.cmd

MD5 9cbcf73cde92b6f1508dc226328c0930
SHA1 f746836a3a204c320d62bb17425ea342b2ae0567
SHA256 df561db34a991da4ffa311ecba0ca2af44266ecc6f580626829fccd91f7f20de
SHA512 3c60d62e09b783885fe10f46f1731ac1950f58682f5613ad26dfd5b9a49599496fff0b960313c7edc23d3cd1193ecdcd0425d184bd7508994822b459ac579c88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

C:\Users\Admin\AppData\Local\Temp\is-SJPGJ.tmp\hosts.exe

MD5 a7f30bb876775a914422675a13dd56b3
SHA1 3ea28fe66a04ebbad2507a7dfdebf1622c701d43
SHA256 49bdf4c437cf51ed0b369db9935d2f09883859d96a64593247c89c70e6840119
SHA512 6decbf54a3b62cfe549f1e45d1e5e99b2c33c792a67e9f29b9be3cb51d7e89ff0238cc4479f4a004d2b70989517531ccbbd6e420675fd3d37949cc20c90a6656

memory/552-179-0x0000000000400000-0x0000000000579000-memory.dmp

memory/552-180-0x0000000003260000-0x0000000003275000-memory.dmp

memory/552-183-0x0000000011000000-0x000000001104C000-memory.dmp

memory/4968-190-0x0000000000D30000-0x0000000000D3E000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 008fba141529811128b8cd5f52300f6e
SHA1 1a350b35d82cb4bd7a924b6840c36a678105f793
SHA256 ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA512 80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1dc98762ddd1941f627b8e5be9ef22ee
SHA1 2dcb5f5f8d02839da471f10748323badcf229861
SHA256 d86fb4e02c2766a583a3cf302c18d33dc57fc4f167e9018f18b2135ec0f7b49b
SHA512 59345b27ebfcf3b58998e13025c49cab1759a58f944ea94f528051e8392eeb4038c49ac708228ac654b8af6f80a031144c646ae9f122def53721a868d6ea23df

\??\pipe\LOCAL\crashpad_2416_YCTTUWSCAEGHXUGK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\system32\drivers\etc\hosts

MD5 58c038bdfa1029309ac8934d58dabc67
SHA1 a5c07b734be2e1f22a88d88c303146eb419f96a7
SHA256 09a37ae03d23e382c5c07d8bf8bad4eb426ca9abc37a2e74d1547c425a7a5171
SHA512 efc8a28931256ccdd8adc1f6b7105059d015aab030ad2de43a319d46c6fe3a7118f0747767769c73259bc03d695389ac7f1340cbdb1852d00d063d25953ed370

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hosts.exe.log

MD5 f8ec7f563d06ccddddf6c96b8957e5c8
SHA1 73bdc49dcead32f8c29168645a0f080084132252
SHA256 38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed
SHA512 8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

C:\Windows\system32\drivers\etc\hosts

MD5 b05b62045ed529ecb9b6ebda9c7a03ca
SHA1 863d797d748b9e21ca61f29104353f5030070adf
SHA256 3be6bd7ba208511027f993fa34267df2381e66ac0cc0588081a52336ba975406
SHA512 e087677905998ee05faa64bcc4b1f1f35db6e18303353c3b4d9f85b8d5dfb3824f70bac91f1448a87790d6c0036bc091f32c2a392de20216612bfcb9ed2f60e0

C:\Windows\system32\drivers\etc\hosts

MD5 90098a89e470bd12f2ab7e3e46190346
SHA1 5ea45e12a80ab1cbb560be1823dc68260cacd84d
SHA256 f5a2d2df78c0920e4a3917939f169f39aa31be1df429404336341d3fa0efe6dc
SHA512 7e75c1775c840b0f7c4cc29ec69c5b72be84d008979cedcab243f32fde18286479ef7ca2efe607edbc73a7d328166d99b1948738261cb5c0139a20e135ff1970

C:\Windows\system32\drivers\etc\hosts

MD5 29476e3e293379d1bf00cb5cca2867cb
SHA1 0df705b8f203736cba3d2fbb7938e87867f9eeb0
SHA256 7a06a579c327934bec75b39bca99d09969f210e323946817ac257ad80c24959d
SHA512 5986b1b5086158917308d88aae7695f84d363fa93711b959d69be5d91447b7cd3faa1f09bfa6ed217d9b52c235f7a4d3eb9d95d231d68dc682a6d4962c3edf77

C:\Windows\system32\drivers\etc\hosts

MD5 4dfdcceb3a21e723d5eff18a6d1504f2
SHA1 6860f1e5d159ce202dd104db7d288b23f3580222
SHA256 5ed94bc1c5b7cd111711306682ee9ddfaaa71967e2626d936d87755be7cbb96b
SHA512 934b303382ae250deb838de9c13852555e6862ca9ef4d9c18ac7d2d53e520111d928fa5c7e7026864490028f2d8b38bad00a809557fd19bf6147261ed6f59731

C:\Windows\system32\drivers\etc\hosts

MD5 9fb2798481ae865b8b50c179bdbca26e
SHA1 f8f17fc83ab37645eeeb698c3cf81b46a245b656
SHA256 2468e5f2ffde0f1c564257a2cdcfe9f3a02dc61566879c16c1cde32826f3ea16
SHA512 175e60002fa666c9e0404fe8413ca9b8699c32ff15c573c5954ef466ebfc128b74c2ac401ecc62303d61dc84b826bb725dfbc5676513f4f7e6ed9dcc577c75bd

C:\Windows\system32\drivers\etc\hosts

MD5 d4311f9afc2b6a3abdac082a777b863e
SHA1 ad58b01cabc00391fadd177fbd2619b44ea510c5
SHA256 52abe4e9a74d2129d860536fac246f8b3746b0d3636348bcb1bf4b8ced0858b5
SHA512 3c482ec2e2760f16409dca398b1a1a6d9959716805bb0df5969858697ac581231d57701997ac70f28b9344ea93eb0c45fa94be52a68d09cf78402c471bb0f9a1

C:\Windows\System32\drivers\etc\hosts

MD5 e503bbdc60f908008d2b48c11f8fa4b7
SHA1 52d54408cf1bd659f18f03583ec006b034e030c6
SHA256 420f4ab3460810eb2297082d96e197b57fbcb916de7b207e7617e4c53d3303a5
SHA512 593843f1dc1fbeb2ba82afebf4c7b7603155b24c2aafd98347dcbbb1b646bfaf941d0c392bedd765db76cbe50392f793b23be481e1cea984ada02206e9c9eb0e

C:\Windows\System32\drivers\etc\hosts

MD5 a191caf190dade435e0855c3abd9eef4
SHA1 5923f980f3a0f21d02f9a94b85bdfd6001d67d32
SHA256 45b2d1d6aa2aa63746d5fd7caf5faa05602c4e2339fb366ddd29cc1404a45189
SHA512 cabfbfed58b2866ced3d9f002cf1be253a259bdf0535ef4eb56abb25f6c270897cd003fb872a0f4721320d4decdfda8217e2e332f2d36c9c2cd08177f431ad6b

C:\Windows\System32\drivers\etc\hosts

MD5 76df54f2193b02a222ad9c85f8d7fb55
SHA1 fd053ecf306d42937fd89b141c1f01bbb858ff17
SHA256 20eedea1fb760160310acfa78346d539fa75339788ae09a5d9718fb5a5031af2
SHA512 12e1ddfa8d3fe3d406eaa95e2038a6c79e01c6ebb1369f0dc39886c5644769c96ea66d6fdd771278dc7870297fdb2288ee83d13f3fc90a60977da69228261cd0

C:\Windows\System32\drivers\etc\hosts

MD5 2822640948756371fc7d41952cd2914b
SHA1 0abcc59e9d1bd629d2449f31ea881984b2803a98
SHA256 938cbcb2c9eb962234c88692dc36305675f0e3ddd65fce639c52478cc7aba1d9
SHA512 95bc2e034a1151b71dbd505eef4122a1ff39b1fa6697a9a1346e5aa2c344c914aa7d3ee2a7c71d014257d58de3ba97f49c43d8df9e1ef6f26470005e595e995b

C:\Windows\System32\drivers\etc\hosts

MD5 b1472a2418ef16f2b5a082c36d0e4539
SHA1 ea1cd76485753e4ad9a4ba42beed90a9c50701b5
SHA256 8ca1133d16ea6da99d4dc459989548000f71a577a331e0003acfc693f834b676
SHA512 3d673f2627e5c14047d78e987f5ff86666eaeef8c53eff0d5138a66968186f2a250fbf96df9988f9672386b89e31c3aa04e139e22a0a964b19f3b46ab48fd235

C:\Windows\System32\drivers\etc\hosts

MD5 e0d5ba1421bdbf0e8ed19776dab4906f
SHA1 d7677d5210503b57b03f6eea3cff77346664d7bc
SHA256 00a54adedbd15a9eb9853471cf73ada6c78cd9e0cb4d98ef9d43ae6b2dea0929
SHA512 bb2bad26f9e426f62f1c7427367e8b07b2255b81fd230830a073447536d191ba317f2fa2ec79e38e63e1e3c3f040bb3f8e5e066ff4d84b18362e1d0a8be64b0b

C:\Windows\System32\drivers\etc\hosts

MD5 211fe2f4e71ca39dfbcf0d79b43148f7
SHA1 12e7d7ff8e756e37c40ac172f02c7309b5a662cb
SHA256 9103a290520f7c5406fb7555e966dbab3c8cdb6fe7a124ff4701aeb6a25dca1f
SHA512 d0decb780d69e42041b1fd3272690bd3d444ce238e0b9a23a300e08d0b9c8dc8c3aa8908c795fe1dc6f844e59f78346f2d57899146ba265637fb082100e5f566

C:\Windows\System32\drivers\etc\hosts

MD5 93e729b4bc2fc026b71b18f841223989
SHA1 513f9adbb6187777116be09cd2f189fac642c864
SHA256 baa5bbe19aa526b4fac48a2e6a503362636de53383488f1641f8766ab988b297
SHA512 e4db33a49632d31bd6fabbddb6ff36d86ddf7be5e3587d2e94a897f21d1fd72a9a40d44c131cff198046dc686aac98d168882df49814c47877b00e378ee7af0a

C:\Windows\System32\drivers\etc\hosts

MD5 fcec3c2f63d28e0f995391847a02e3bd
SHA1 0eb30a2a47e9177e8f7572d195d3a6f221d29ffa
SHA256 71d20326a8b0e88c8448021a416347bc1c40a0c81f7140a34fc3002ca5101bdf
SHA512 ac3237e9fafcb807d84adc264a5b43c07de4631f474f2434adf78feaf0d316dea1af95502dede8244a48e1b48382366fd98cd1397a031a6d8efaceec19425f7b

C:\Windows\System32\drivers\etc\hosts

MD5 519e62881f5eaa09c16af033030ba086
SHA1 28b1a28b52ad1a6a1bfdcfd5cfdda9800edc135d
SHA256 1e1a0e89f981895cce68048909755f8d17206849abca463f1c7151d0e1803eed
SHA512 9657dce76076fed08ae7edcba81456fb953275f0a66e3c863879c32e16830097b4ad9ff5a5ca6f6b48baaf65ad3eb5fbea9a6ddae19bb41e125e2bde57740a51

C:\Windows\System32\drivers\etc\hosts

MD5 7357db4494953d7a4dc08dd13be6dec2
SHA1 71f5d54a92ccbaf26dc90c511c8de43cbb22c67c
SHA256 ac61544e425542a5c65c8848b456963f1d43ed21a0a7af8f0fade617e9a4da3f
SHA512 1ccc280c94ecac7000935052c0cf1eb5b87b994dd9750fd7d719894ee056691bc97e6f9b4d7bd6a4fb98799d77c4072ac7821cc07a36f065116b2b54ce3c072e

C:\Windows\System32\drivers\etc\hosts

MD5 516d1c9d12d27b729e71a85137ed2a8a
SHA1 62add540fe1942ec35f140c6261e459e1c9f202f
SHA256 54017016430ee9e73e0f4effba0ea42ab79a616d298c9c8f58aea831ff5ae9f9
SHA512 abdbcca96350998bb44f8b53d9d41411a7e1f6d0d3969f4d013a14b3527da8d53c4a92753852722525a61c9b62b8b4265053658255280f4821b6bc514434d9c4

C:\Windows\System32\drivers\etc\hosts

MD5 107d5fdfd4f0c67b26834412433b7d39
SHA1 bbb941aa8d31d27a0657a84a0397b7d3bb8243fe
SHA256 25610f6f2903c87db96ceca42e32663775818f613cb2f5c637c9046dbac9361d
SHA512 fb7a9c62dd417bbb283acc2bc23b0d1e4fc23452181163924413cc3ef29fc52e77585eb02a7cacef39fa9d62d321a8cdb2362ba7ed0317e5de630dc7f7e2942c

C:\Windows\System32\drivers\etc\hosts

MD5 11b5b4d5fbb345ab5ceef9127a61ae91
SHA1 312287fdc581bf407663100c7bae684788347eef
SHA256 01a77f7ac70f2ec57b38af5cb6ba4c5479c84a5b71255822827357c7e514a34b
SHA512 78c98c3df04f9da34bbb32981d71ea13a1ed2e3355efee3bd2b0fa035ffbb872b578a7cab9a51e412b42e0ad154e42d805dfeb0258f4fa046bda872dd4283fa9

C:\Windows\System32\drivers\etc\hosts

MD5 080176bff0af04f5bdda4a0d558c6845
SHA1 98c938c1b51649e5f3a3c2cf26113d31424519cd
SHA256 76e799aa7a88dcf6bd789162f7a6f668743e7b353b283681f8b69d47e0623107
SHA512 ee68b9d9dfe0f18aa15fff84fde1bfcd8efa4d4797960e18c14b9c8f62fdc8322c9347645e1defe475b62c64727461f3fbb9d5a59e5a7ad8bd49e026078f5299

C:\Windows\System32\drivers\etc\hosts

MD5 6486971e585b5252c28923c73248e85c
SHA1 ec56bc2e02a983e4f8c8cd954aa326b8a9e44cc1
SHA256 23ea9e134c8ee044a71e2ae6ca9fcac898e557c240eeebc97ee0e7ab83fa60dc
SHA512 b5645a678ad693f5eb1a94fc13c33cc20987e955f34cc065f3c0f1d71b333cdee5453332c02694f0f42a42a431698b54d3068d638cac608bf82a88a7bc801bc5

C:\Windows\System32\drivers\etc\hosts

MD5 2d481bc9b6f4a83a12f8ff72b0bc9408
SHA1 57e2dfe41f2129eec999a93cd88a1f7d9c6e399f
SHA256 e82fb9f563c54471f9693c2fed9f669aac49d8d5757494b2e79840a609893ddf
SHA512 15605cebe0242fccdc17d8ade676b2304e90b95cc758769236c9c667fdf709b9bc6a6ecd8a722549a0ca05a34c08c2c48e9f706f7431f69b5f42e709de47d536

C:\Windows\System32\drivers\etc\hosts

MD5 9030e04eb87183f5c6478d196ffbca03
SHA1 6c2b23573c9fb478677c7f2c6f969a9db9f5da38
SHA256 434e6b0732c8f6c5b2b195f070df3120ae97a9200e0fbbd9861757b72bcd69a5
SHA512 460426fd122b757a1d5182a4d795a51dfdb636eb6e0f6fc73ca7242d55afc70add57a6eb55ff1519bb7bdd3ccd1c717cff6927a3136ea06607fb556f53d834d1

C:\Windows\System32\drivers\etc\hosts

MD5 54fdfe4ec9a151d60e3ff6ae44725611
SHA1 6ebde179c3d522cd7785018f6e13d778c8c92394
SHA256 9eae8581c570abd862dfab2b015dedfc0bb38992f20a4ff6df5451c2d0aa969f
SHA512 67fc9148363577ed79244b3d01ebe5e5783aaa77a7a8a5097a570ca0d9e1835c461ca3f7e9e1648a89d2d57439a994c4983ef2185cc2b26134c53a2b6523a81c

C:\Windows\System32\drivers\etc\hosts

MD5 3fc7eefdff00c7a7bdd085e1823f49a5
SHA1 338da77198978d459a3a00e1a6917d1875586614
SHA256 1d83347f973eb17133ae6608ceafd11671a4c94889045e281f03fdc73d298e4a
SHA512 50bf54c36cd6041f0516a40a44389721b0797887e624f6e8c6e77ed78a9632c25fcb178a3dc64e6d3eedcbd39fb145362cf6ea30018e2f8dbe8e94baeb07c090

C:\Windows\System32\drivers\etc\hosts

MD5 1cecb88f69db1af17ad0f22766ecd52d
SHA1 99372c5a29960e58d2bde3b201350acab7d5698e
SHA256 b9e43be80669649658171addaada81690a875065550a60b68e0a0c1a2144016c
SHA512 83c564e9c12d366fd7b8711a4ce51f3102d4a2accebea6316e097c56e183edab2c45c1810113fad6c2dbbdf6b237155fabd7b51d62326f263f132122da0bb73a

C:\Windows\System32\drivers\etc\hosts

MD5 f94a379ed86b60cb8b8ba966419e5967
SHA1 dcca4b8e1a4b72772adf178621972ecda0cdf3c4
SHA256 ed731814edf71b4f087db97ff6d04c0c9f6b63029f43281e8913a668ea3630b8
SHA512 aa9c543a8c2150236fa68b990bc83befafa112c4c40dc3bba0661acf7d62ab46d2731b35c22e60c9d69f84b6d2f5cfd8abedcbeb7989d51934389fb0438ac218

C:\Windows\System32\drivers\etc\hosts

MD5 f925192c8929f09c8d3e11374f63f983
SHA1 3f7415b9946fb001e4328497a8dadb98f8377471
SHA256 d75d245e0bfe14b2728e918e7c29f6854a5f52dae958829e3e9ab95f4a616915
SHA512 a3ac929644b572cab4f31328fdef67ec85cd43be1edadd81e66c2f7c5e875116a593c4a3d5f96b308aa73cd338744cf4fde51aefe0f0b011180af83e40d55e35

C:\Windows\System32\drivers\etc\hosts

MD5 64cafabe01b2c0196c51434dc3a46ae3
SHA1 746d4d01422db302ff2548684ad7de77daaf9794
SHA256 bf680deda88e82bf4e968c47722ad2f9a1feb5bc3d9e2c59cf48cb563dc11509
SHA512 fb4cefc08c9b115acf116170a4bb19c9e17be1970cb3b0fdc85e4cb1b200ed9e6c2865b5ec3c50fe9edaeadea66c00ea36817d6937a7dba48b28572e20b7dfa5

C:\Windows\System32\drivers\etc\hosts

MD5 08733cc4d8cb3e0b4a65e1d9e0f7a5c2
SHA1 1338035dbfd1067ac04c7b5590c0159a5c42f41f
SHA256 be681aee294a39f009a455657ee64b78d1c467ffc9be7c76b85225cc71e17d2a
SHA512 917e7434df12195d5fece8e79416dad39d341d357cb33f0c5a2b85e465c6695fcf446f658357a65e1cbf9b793a01500eb66ef1d69745ab07ce735c1dac11b106

C:\Windows\System32\drivers\etc\hosts

MD5 16c7e95fd977c491af3095ffba8cc9d9
SHA1 ebb9a4f04e9f5f826d9c68191b810d04458a142e
SHA256 c114f1b45c72a19740e53f730a074a872f0bbcda1bab5b08ff0fdc123ad46138
SHA512 0c9d5c4bb48ada707441ec9136308f80ce92b45aa5f5effc009a3d7ba06420d0f7f608d09ab813ad7c4e9ba354da4a4ebb42d4c327c1872abc8169fe92f9e7b4

C:\Windows\System32\drivers\etc\hosts

MD5 7174525f7a07eae4269d87a74cb67615
SHA1 9ac21bd667861283bba076463854a9316a620e35
SHA256 9f91f8411f8378084780f452cd4de6367f14486357a248e0feebd46a0fac5740
SHA512 df18ed41ded1c78467b3213a07c5a392273c7fa860f1c9b37ff81a79364be61d3cfddb399e70f08233a324b1fb48bc6874088e457ef9efea0901ec916cb77327

memory/552-628-0x0000000000400000-0x0000000000579000-memory.dmp

memory/552-632-0x0000000011000000-0x000000001104C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4044a6c18036c1095126125da6370c8e
SHA1 6f639ee2303666dad4d101c0011b162b3ac1866e
SHA256 a0fc38aec2bef7134e4c3e804cfb2032ec0789c8e21b0620d811c66d2802ac16
SHA512 239312d0f972612cbb98283b0452b4d3ba8c975b2f809420d0357315279e0ce48b223f1d8ad1423031480a6e6af9af5ea04be4fdccc9a5214e96737f5e7d9eb8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 edb7369b50299f02fdb467eb346cf5dc
SHA1 2c18cf44bdbb570f0cafb5b26280dd01eaa5ecd4
SHA256 176b5e6d801382872b937dca42fdfd0ea156c8857ba278657b6e8d1867903009
SHA512 da59fd5ced435f9a2a8970c7926ed0288196b893c7565e0ee08451c0ac19a3acfddadfe290bab4f4b4fbaeb32aa37b8d223807fd182c38a42c538e276c32ebd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a2f2d36db255e177f0ecd0f594b87ddf
SHA1 ad80da1916093543f188ebab90333bd427bc4e3e
SHA256 8140c962c6efae8d66dcec0f24520f7ab51e31627fe79257dc5fb713ecf9602c
SHA512 360cb6317bbb6acc93a7506adf2489b52a5f25889d8ce988c3c1869d9b02ed2ada3d073b18d73269b188c039672f32ff62204f5b618ea732e7ed8aca426e7b14

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 11e9225d15116df696df134f89bbeace
SHA1 39137c456aa76946bfd5341dfe9bf9c759d577f0
SHA256 c73ed8d5af7063a1da8dcfd068dbb99c6f0dcb65d6ec452610e85d9f42f4070d
SHA512 b87ef3b46fb205dad485b4772e17f8fdc5fca2b78d73060271e12814566c0fed02f51c536e48c46ffd9063977f23b371abc68cf18df733b825c86ce077f62861

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ff20eb028df78b26163c3c0b3c380030
SHA1 131da2d78aa0a57217bf6093e3fa4b7ab0fb5a55
SHA256 4d25af9102e47c23783da5ac1703a49da9dce8fcb3e321474fb4d5a1e5558e5e
SHA512 ae815eb22d680bab65e7f2e2404f90bcc34bf7682306c33f98114be31c15c25256813c88955a5566b8c331e5fd5c9f980bece80911399d48f3e22416d734c11e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b46915b9477d9fc88392ed632f4c7b8d
SHA1 19995a07d76ed7e9948f0e9ea8b90f7d61a99b72
SHA256 6b5f6720bef84121c538c4fdc2fbe6cc4a4d8d643c7099ef80b9ead8a22ac58b
SHA512 dc960c01a85605e685fef1857e2ab92d93e84206c01aa66e6641b28fe314d22f944b05566fa44e92f6dc743c7d0c0e1d2412700fbc577922d345d72f41e53186

memory/552-790-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2204-791-0x0000000000400000-0x000000000042D000-memory.dmp