Malware Analysis Report

2025-04-14 07:04

Sample ID 230911-yny3kaag51
Target e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe
SHA256 e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) smokiez_build backdoor discovery infostealer persistence ransomware spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1

Threat Level: Known bad

The file e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

SmokeLoader

Amadey

Djvu Ransomware

Detected Djvu ransomware

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Themida packer

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-11 19:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-11 19:56

Reported

2023-09-11 20:26

Platform

win10v2004-20230831-en

Max time kernel

57s

Max time network

1740s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3BC0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3311.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\43B0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5095.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5E05.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3611.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5095.exe N/A
N/A N/A C:\Windows\system32\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5095.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\67DA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7857.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7857.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\28b6645d-7a48-46ae-b550-006733e6e105\\3311.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3311.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2020 set thread context of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 448 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 set thread context of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3736 set thread context of 4940 N/A C:\Users\Admin\AppData\Local\Temp\37B8.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5044 set thread context of 4320 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 1260 set thread context of 3364 N/A C:\Users\Admin\AppData\Local\Temp\43B0.exe C:\Users\Admin\AppData\Local\Temp\43B0.exe
PID 2644 set thread context of 3544 N/A C:\Users\Admin\AppData\Local\Temp\5095.exe C:\Users\Admin\AppData\Local\Temp\5095.exe
PID 3428 set thread context of 3852 N/A C:\Windows\system32\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\43B0.exe
PID 504 set thread context of 2808 N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe C:\Users\Admin\AppData\Local\Temp\5E05.exe
PID 4072 set thread context of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe C:\Windows\SysWOW64\WerFault.exe
PID 4884 set thread context of 2888 N/A C:\Users\Admin\AppData\Local\Temp\5095.exe C:\Users\Admin\AppData\Local\Temp\5095.exe
PID 4652 set thread context of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7857.exe C:\Users\Admin\AppData\Local\Temp\7857.exe
PID 5056 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\5E05.exe C:\Users\Admin\AppData\Local\Temp\5E05.exe
PID 4992 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\Temp\67DA.exe C:\Windows\System32\mousocoreworker.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\IESettingSync N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 680 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 680 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 680 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 680 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe
PID 680 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe
PID 680 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 2020 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3311.exe C:\Users\Admin\AppData\Local\Temp\3311.exe
PID 680 wrote to memory of 448 N/A N/A C:\Users\Admin\AppData\Local\Temp\3611.exe
PID 680 wrote to memory of 448 N/A N/A C:\Users\Admin\AppData\Local\Temp\3611.exe
PID 680 wrote to memory of 448 N/A N/A C:\Users\Admin\AppData\Local\Temp\3611.exe
PID 680 wrote to memory of 3736 N/A N/A C:\Users\Admin\AppData\Local\Temp\37B8.exe
PID 680 wrote to memory of 3736 N/A N/A C:\Users\Admin\AppData\Local\Temp\37B8.exe
PID 680 wrote to memory of 3736 N/A N/A C:\Users\Admin\AppData\Local\Temp\37B8.exe
PID 680 wrote to memory of 1744 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe
PID 680 wrote to memory of 1744 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe
PID 680 wrote to memory of 1744 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe
PID 2984 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1744 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1744 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\3BC0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2984 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\system32\DllHost.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 448 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3611.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\34C8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3552 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4204 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4204 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 680 wrote to memory of 1260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43B0.exe
PID 680 wrote to memory of 1260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43B0.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\3311.exe

C:\Users\Admin\AppData\Local\Temp\3311.exe

C:\Users\Admin\AppData\Local\Temp\34C8.exe

C:\Users\Admin\AppData\Local\Temp\34C8.exe

C:\Users\Admin\AppData\Local\Temp\3311.exe

C:\Users\Admin\AppData\Local\Temp\3311.exe

C:\Users\Admin\AppData\Local\Temp\3611.exe

C:\Users\Admin\AppData\Local\Temp\3611.exe

C:\Users\Admin\AppData\Local\Temp\37B8.exe

C:\Users\Admin\AppData\Local\Temp\37B8.exe

C:\Users\Admin\AppData\Local\Temp\3BC0.exe

C:\Users\Admin\AppData\Local\Temp\3BC0.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\28b6645d-7a48-46ae-b550-006733e6e105" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\43B0.exe

C:\Users\Admin\AppData\Local\Temp\43B0.exe

C:\Users\Admin\AppData\Local\Temp\3311.exe

"C:\Users\Admin\AppData\Local\Temp\3311.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\46CE.exe

C:\Users\Admin\AppData\Local\Temp\46CE.exe

C:\Users\Admin\AppData\Local\Temp\4A69.exe

C:\Users\Admin\AppData\Local\Temp\4A69.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4E33.dll

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DebugUnpublish.DVR-MS"

C:\Users\Admin\AppData\Local\Temp\5326.exe

C:\Users\Admin\AppData\Local\Temp\5326.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4320 -ip 4320

C:\Users\Admin\AppData\Local\Temp\5095.exe

C:\Users\Admin\AppData\Local\Temp\5095.exe

C:\Users\Admin\AppData\Local\Temp\43B0.exe

"C:\Users\Admin\AppData\Local\Temp\43B0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\43B0.exe

"C:\Users\Admin\AppData\Local\Temp\43B0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5E05.exe

C:\Users\Admin\AppData\Local\Temp\5E05.exe

C:\Users\Admin\AppData\Local\Temp\5095.exe

C:\Users\Admin\AppData\Local\Temp\5095.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4E33.dll

C:\Users\Admin\AppData\Local\Temp\5E05.exe

C:\Users\Admin\AppData\Local\Temp\5E05.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3852 -ip 3852

C:\Users\Admin\AppData\Local\Temp\67DA.exe

C:\Users\Admin\AppData\Local\Temp\67DA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 568

C:\Users\Admin\AppData\Local\Temp\5095.exe

"C:\Users\Admin\AppData\Local\Temp\5095.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7161.dll

C:\Users\Admin\AppData\Local\Temp\5095.exe

"C:\Users\Admin\AppData\Local\Temp\5095.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2888 -ip 2888

C:\Users\Admin\AppData\Local\Temp\7857.exe

C:\Users\Admin\AppData\Local\Temp\7857.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7161.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\60C5.exe

C:\Users\Admin\AppData\Local\Temp\60C5.exe

C:\Users\Admin\AppData\Local\Temp\43B0.exe

C:\Users\Admin\AppData\Local\Temp\43B0.exe

C:\Users\Admin\AppData\Local\Temp\3311.exe

"C:\Users\Admin\AppData\Local\Temp\3311.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5E05.exe

"C:\Users\Admin\AppData\Local\Temp\5E05.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7857.exe

C:\Users\Admin\AppData\Local\Temp\7857.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\5E05.exe

"C:\Users\Admin\AppData\Local\Temp\5E05.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4072 -ip 4072

C:\Users\Admin\AppData\Roaming\stuuiad

C:\Users\Admin\AppData\Roaming\stuuiad

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 568

C:\Users\Admin\AppData\Local\Temp\7857.exe

"C:\Users\Admin\AppData\Local\Temp\7857.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7857.exe

"C:\Users\Admin\AppData\Local\Temp\7857.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2896 -ip 2896

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 568

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 380

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=37619 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff97c09758,0x7fff97c09768,0x7fff97c09778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1280 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1684 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=37619 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2008 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2544 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3148 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3308 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2488 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:1

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=3636 --field-trial-handle=1520,i,4155451672699030803,5867350917671590020,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x45c 0x304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=23430 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataJ2BD8" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataJ2BD8" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataJ2BD8\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataJ2BD8" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff97ac46f8,0x7fff97ac4708,0x7fff97ac4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1504 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1868 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=23430 --allow-pre-commit-input --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=23430 --allow-pre-commit-input --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=23430 --allow-pre-commit-input --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=23430 --allow-pre-commit-input --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=23430 --allow-pre-commit-input --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=23430 --allow-pre-commit-input --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,7064196065489036970,2461861632871711464,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=audio --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=3272 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff97ac46f8,0x7fff97ac4708,0x7fff97ac4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7fff97ac46f8,0x7fff97ac4708,0x7fff97ac4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8664241676681797088,17044773052270840693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8664241676681797088,17044773052270840693,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3817621286785063424,14066154598277027030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\28b6645d-7a48-46ae-b550-006733e6e105\3311.exe

C:\Users\Admin\AppData\Local\28b6645d-7a48-46ae-b550-006733e6e105\3311.exe --Task

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\dfrgui.exe

"C:\Windows\system32\dfrgui.exe"

C:\Users\Admin\AppData\Local\28b6645d-7a48-46ae-b550-006733e6e105\3311.exe

C:\Users\Admin\AppData\Local\28b6645d-7a48-46ae-b550-006733e6e105\3311.exe --Task

C:\Users\Admin\AppData\Roaming\stuuiad

C:\Users\Admin\AppData\Roaming\stuuiad

Network

Files

memory/4216-0-0x0000000004020000-0x0000000004035000-memory.dmp

memory/4216-1-0x0000000002770000-0x0000000002779000-memory.dmp

memory/4216-2-0x0000000000400000-0x000000000240B000-memory.dmp

memory/680-3-0x0000000002CC0000-0x0000000002CD6000-memory.dmp

memory/4216-4-0x0000000000400000-0x000000000240B000-memory.dmp

memory/4216-7-0x0000000004020000-0x0000000004035000-memory.dmp

memory/4216-8-0x0000000002770000-0x0000000002779000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3311.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

C:\Users\Admin\AppData\Local\Temp\3311.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

C:\Users\Admin\AppData\Local\Temp\34C8.exe

MD5 f189233803f0affe98826af70412f4be
SHA1 f1b6eabf8aba468f2dbb6fc1fa1846fd0c7d2b0e
SHA256 526b87dce7d3d4b90a94abf934acd37426c087cb07e44961cc1da2cdab821489
SHA512 9ff2d80050e72301f4e62085704c1c3821fd6c5d871256c9a97ab5e4f3f19496f70b3ea3fb86fd550d931f29cffb6831ed6b204317de23026db9ae7cbd53dd7d

memory/2020-20-0x0000000004070000-0x0000000004109000-memory.dmp

memory/2020-21-0x0000000004110000-0x000000000422B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C8.exe

MD5 f189233803f0affe98826af70412f4be
SHA1 f1b6eabf8aba468f2dbb6fc1fa1846fd0c7d2b0e
SHA256 526b87dce7d3d4b90a94abf934acd37426c087cb07e44961cc1da2cdab821489
SHA512 9ff2d80050e72301f4e62085704c1c3821fd6c5d871256c9a97ab5e4f3f19496f70b3ea3fb86fd550d931f29cffb6831ed6b204317de23026db9ae7cbd53dd7d

memory/5024-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3311.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

C:\Users\Admin\AppData\Local\Temp\3611.exe

MD5 f7306eb7350a36e1db7a095e8af1e79c
SHA1 2253008cb0c0dd68d7b02798aea64638d9ea350b
SHA256 9a2c49b3446a8d15c05d4caee7ee932f666e618b62fce4d9beeed9c8c4b5ec3a
SHA512 35f30c179df070b5b0edfe69bf18865983f753a1e19a9a528814a40798d7864772bada5daf93eb0aacd454d8df9ef7b7e05b86b0778a211da6116d536d712497

memory/5024-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3611.exe

MD5 f7306eb7350a36e1db7a095e8af1e79c
SHA1 2253008cb0c0dd68d7b02798aea64638d9ea350b
SHA256 9a2c49b3446a8d15c05d4caee7ee932f666e618b62fce4d9beeed9c8c4b5ec3a
SHA512 35f30c179df070b5b0edfe69bf18865983f753a1e19a9a528814a40798d7864772bada5daf93eb0aacd454d8df9ef7b7e05b86b0778a211da6116d536d712497

C:\Users\Admin\AppData\Local\Temp\37B8.exe

MD5 f7306eb7350a36e1db7a095e8af1e79c
SHA1 2253008cb0c0dd68d7b02798aea64638d9ea350b
SHA256 9a2c49b3446a8d15c05d4caee7ee932f666e618b62fce4d9beeed9c8c4b5ec3a
SHA512 35f30c179df070b5b0edfe69bf18865983f753a1e19a9a528814a40798d7864772bada5daf93eb0aacd454d8df9ef7b7e05b86b0778a211da6116d536d712497

C:\Users\Admin\AppData\Local\Temp\37B8.exe

MD5 f7306eb7350a36e1db7a095e8af1e79c
SHA1 2253008cb0c0dd68d7b02798aea64638d9ea350b
SHA256 9a2c49b3446a8d15c05d4caee7ee932f666e618b62fce4d9beeed9c8c4b5ec3a
SHA512 35f30c179df070b5b0edfe69bf18865983f753a1e19a9a528814a40798d7864772bada5daf93eb0aacd454d8df9ef7b7e05b86b0778a211da6116d536d712497

C:\Users\Admin\AppData\Local\Temp\3BC0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3BC0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2616-47-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1340-48-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1340-49-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/2616-50-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/1340-51-0x0000000005AB0000-0x00000000060C8000-memory.dmp

memory/2616-57-0x0000000005750000-0x0000000005760000-memory.dmp

memory/1340-56-0x0000000005480000-0x0000000005490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\43B0.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

memory/1340-60-0x0000000005390000-0x00000000053CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\43B0.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

memory/1340-55-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

memory/1340-52-0x00000000055A0000-0x00000000056AA000-memory.dmp

memory/5024-62-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3311.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

C:\Users\Admin\AppData\Local\Temp\46CE.exe

MD5 391298d133c097bc3ab942651550ea6d
SHA1 2b5f651e5830cbda30cbff223966ff48f9f57866
SHA256 e3d9f8ba97638457de7a931a527421bd4390c055d302968b1e17fb998dc08937
SHA512 91e869af5a1b0e32d6d162990b3e33d55e3503673eabfea18c9c142cad22753610f14f2eefa8cf3eee988008ca8241e25f0e7c5040def63ff75487f634dea467

memory/1712-72-0x000002AAB7250000-0x000002AAB72E4000-memory.dmp

memory/1712-76-0x00007FFF95F10000-0x00007FFF969D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4A69.exe

MD5 f189233803f0affe98826af70412f4be
SHA1 f1b6eabf8aba468f2dbb6fc1fa1846fd0c7d2b0e
SHA256 526b87dce7d3d4b90a94abf934acd37426c087cb07e44961cc1da2cdab821489
SHA512 9ff2d80050e72301f4e62085704c1c3821fd6c5d871256c9a97ab5e4f3f19496f70b3ea3fb86fd550d931f29cffb6831ed6b204317de23026db9ae7cbd53dd7d

memory/3364-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1712-89-0x000002AAB8EF0000-0x000002AAB8F00000-memory.dmp

memory/4320-93-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3364-92-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4E33.dll

MD5 eb99bf4bbc66b9132acd86854250d68d
SHA1 1531e42ff59ce5c678914e5f802ef8b28ad4ccdf
SHA256 98f6e5f39fe684677857d612d8e9996ad20918dc8ea7fa93fc2d37fdd78b447b
SHA512 e3a3f20f651dfb8047e8d6f0c145ffece3a4b311848aef5b8edf9df73c3fef5c600e128261e9fdc74e144515772be8cdd507df66b6ae1315c4a8db67a4b21540

C:\Users\Admin\AppData\Local\Temp\5095.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

C:\Users\Admin\AppData\Local\Temp\5326.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3296-108-0x0000000010000000-0x000000001021E000-memory.dmp

memory/3296-109-0x0000000001600000-0x0000000001606000-memory.dmp

memory/2644-113-0x0000000004010000-0x00000000040AE000-memory.dmp

memory/2644-114-0x00000000040F0000-0x000000000420B000-memory.dmp

memory/3544-117-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3544-118-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-122-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/3364-119-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E05.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
SHA512 d9dd5e9019f01e0af68a0b75c2669c6176877652d2ba782a941bc860b4cb1f8ee27276ee696d14dc9e25d868d27e300af815f216336f97556c9023bf2967f409

memory/3544-125-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-124-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/3544-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4320-86-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4940-85-0x0000000005170000-0x0000000005180000-memory.dmp

memory/1260-88-0x000000000265C000-0x00000000026EE000-memory.dmp

memory/3364-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5044-79-0x0000000003F30000-0x0000000003FC5000-memory.dmp

memory/4320-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-133-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60C5.exe

MD5 391298d133c097bc3ab942651550ea6d
SHA1 2b5f651e5830cbda30cbff223966ff48f9f57866
SHA256 e3d9f8ba97638457de7a931a527421bd4390c055d302968b1e17fb998dc08937
SHA512 91e869af5a1b0e32d6d162990b3e33d55e3503673eabfea18c9c142cad22753610f14f2eefa8cf3eee988008ca8241e25f0e7c5040def63ff75487f634dea467

memory/3852-142-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4396-144-0x00007FFF95F10000-0x00007FFF969D1000-memory.dmp

memory/1340-147-0x0000000005480000-0x0000000005490000-memory.dmp

memory/1340-146-0x00000000057D0000-0x0000000005862000-memory.dmp

memory/1340-145-0x00000000056B0000-0x0000000005726000-memory.dmp

memory/2808-158-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67DA.exe

MD5 f189233803f0affe98826af70412f4be
SHA1 f1b6eabf8aba468f2dbb6fc1fa1846fd0c7d2b0e
SHA256 526b87dce7d3d4b90a94abf934acd37426c087cb07e44961cc1da2cdab821489
SHA512 9ff2d80050e72301f4e62085704c1c3821fd6c5d871256c9a97ab5e4f3f19496f70b3ea3fb86fd550d931f29cffb6831ed6b204317de23026db9ae7cbd53dd7d

memory/2808-160-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4940-159-0x0000000005830000-0x0000000005896000-memory.dmp

memory/4940-161-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/2808-154-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1712-162-0x00007FFF95F10000-0x00007FFF969D1000-memory.dmp

memory/3544-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4940-171-0x0000000005170000-0x0000000005180000-memory.dmp

memory/1340-174-0x0000000006790000-0x0000000006952000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7161.dll

MD5 eb99bf4bbc66b9132acd86854250d68d
SHA1 1531e42ff59ce5c678914e5f802ef8b28ad4ccdf
SHA256 98f6e5f39fe684677857d612d8e9996ad20918dc8ea7fa93fc2d37fdd78b447b
SHA512 e3a3f20f651dfb8047e8d6f0c145ffece3a4b311848aef5b8edf9df73c3fef5c600e128261e9fdc74e144515772be8cdd507df66b6ae1315c4a8db67a4b21540

memory/4884-178-0x0000000004110000-0x00000000041B0000-memory.dmp

memory/1340-177-0x0000000008D40000-0x000000000926C000-memory.dmp

memory/2888-184-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-195-0x00007FFFA63F0000-0x00007FFFA6424000-memory.dmp

memory/4340-197-0x00007FFF91650000-0x00007FFF91904000-memory.dmp

memory/4340-199-0x00007FFFA6BB0000-0x00007FFFA6BC8000-memory.dmp

memory/2888-196-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-191-0x00007FF614170000-0x00007FF614268000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7857.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/2888-188-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-176-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/1712-173-0x000002AAB8EF0000-0x000002AAB8F00000-memory.dmp

memory/2616-170-0x00000000066A0000-0x00000000066F0000-memory.dmp

memory/504-152-0x0000000004060000-0x0000000004100000-memory.dmp

memory/4396-151-0x000001EEFDBE0000-0x000001EEFDBF0000-memory.dmp

memory/1340-149-0x0000000006B70000-0x0000000007114000-memory.dmp

memory/2616-148-0x0000000005750000-0x0000000005760000-memory.dmp

memory/3852-134-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3428-128-0x0000000002520000-0x00000000025B7000-memory.dmp

memory/1712-73-0x000002AAB8F00000-0x000002AAB8F1A000-memory.dmp

memory/4940-67-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/4340-200-0x00007FFFA6470000-0x00007FFFA6487000-memory.dmp

memory/4340-201-0x00007FFF9E2C0000-0x00007FFF9E2D1000-memory.dmp

memory/2808-202-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-209-0x00007FFF97E20000-0x00007FFF97E3D000-memory.dmp

memory/4340-206-0x00007FFF97E40000-0x00007FFF97E51000-memory.dmp

memory/4340-210-0x00007FFF973C0000-0x00007FFF973D1000-memory.dmp

memory/4120-215-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4652-213-0x0000000003FEC000-0x000000000407D000-memory.dmp

memory/5056-221-0x0000000003F0C000-0x0000000003F9E000-memory.dmp

memory/4340-214-0x00007FFF913D0000-0x00007FFF915D0000-memory.dmp

memory/4120-212-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-203-0x00007FFF9D870000-0x00007FFF9D887000-memory.dmp

C:\Users\Admin\AppData\Roaming\stuuiad

MD5 0f96b59d9e6cb78c85ee220b194a7cee
SHA1 5053da7243448f77a941f6f4f7dd2a60fa59f9f1
SHA256 e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1
SHA512 c33652f33383604215b062f34e9d6dfdd6ae8289274e545a9dee53ff1aa47c130defe00c6d616bded0ecb26eb35c1f8a38f4933ccc625e215bbb6629742086a1

memory/1644-288-0x0000000072A80000-0x0000000073230000-memory.dmp

memory/4120-293-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-283-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1644-294-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/2208-295-0x0000000005590000-0x00000000055A0000-memory.dmp

memory/1676-298-0x00000000025A0000-0x0000000002637000-memory.dmp

memory/4024-296-0x0000000000C00000-0x0000000000C06000-memory.dmp

memory/1340-300-0x0000000072A80000-0x0000000073230000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8
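
The entries above record the same content under several randomly named paths: 43B0.exe, 3311.exe and 5E05.exe share one SHA256, as do 46CE.exe and 60C5.exe, 4A69.exe and 67DA.exe, 5095.exe and 7857.exe, 4E33.dll and 7161.dll, and 577f58beff\yiueea.exe and 5326.exe. The file written to AppData\Roaming\stuuiad carries the SHA256 of the original sample itself, and the same virtual range 0x400000-0x537000 is dumped from a number of different PIDs, which is worth reading alongside the process-injection signatures earlier in the report. Grouping by digest rather than by file name is what makes these relationships visible, and it is also how a blocklist should be built from such a listing, since one hash covers every alias. The script below is an added example, not part of this report or of the sandbox's own tooling; it parses the entry format used in this listing (a path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp lines interleaved) and groups entries by SHA256 and by memory range. Its input is a constructed excerpt copied from the entries above with the SHA512 lines omitted; the full listing parses the same way, and a digest line with no preceding path, like the stray SHA512 at the top of this section, is reported as an orphan rather than attached to the wrong file.

```python
"""Group a sandbox "Files" listing by content hash (added example, see lead-in)."""
import re
from collections import defaultdict

# SHA256 of the analysed sample, taken from the report header.
ORIGINAL_SAMPLE_SHA256 = "e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1"

# Constructed excerpt: entries copied from the listing above, SHA512 lines dropped
# for brevity (the parser accepts them). The full listing parses the same way.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\43B0.exe

MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
memory/5024-62-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3311.exe
MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
memory/3364-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4320-93-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5E05.exe
MD5 71b26c3e1818f1c3dc157385fecc42b4
SHA1 7717ee25397543cbc27081b756d935917b95c080
SHA256 0fc04875c109acf2566bfd708360a59d6331f4853a78b81334c5bf1b266fd354
memory/1340-49-0x0000000072A80000-0x0000000073230000-memory.dmp
C:\Users\Admin\AppData\Roaming\stuuiad
MD5 0f96b59d9e6cb78c85ee220b194a7cee
SHA1 5053da7243448f77a941f6f4f7dd2a60fa59f9f1
SHA256 e5a1c853297478d724f1f3380dc016de2bfdd7c208685a2f367759c451fc51f1
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Split the listing into file entries, memory regions and orphan digest lines."""
    files, regions, orphans = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append({"pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None  # a memory line closes the previous file entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)}: {line}")
            if current is None:  # digest with no path, as at the top of the listing
                orphans.append(line)
            else:
                current[algo.lower()] = digest
            continue
        current = {"path": line}  # anything else starts a new file entry
        files.append(current)
    return {"files": files, "regions": regions, "orphans": orphans}


def cluster_by_sha256(files):
    """Map each SHA256 to the sorted distinct paths it was written under."""
    clusters = defaultdict(set)
    for f in files:
        if "sha256" in f:
            clusters[f["sha256"]].add(f["path"])
    return {d: sorted(p) for d, p in clusters.items()}


def copies_of(files, sha256):
    """Paths whose content is byte-identical to the given SHA256."""
    return sorted({f["path"] for f in files if f.get("sha256") == sha256.lower()})


def regions_by_range(regions):
    """Map each (start, end) range to the sorted PIDs it was dumped from."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_range.items()}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for digest, paths in cluster_by_sha256(parsed["files"]).items():
        print(digest[:16], "written as", paths)
    print("copies of original sample:", copies_of(parsed["files"], ORIGINAL_SAMPLE_SHA256))
    for (start, end), pids in regions_by_range(parsed["regions"]).items():
        print(f"{start:#x}-{end:#x} ({end - start:#x} bytes) dumped from PIDs {pids}")
```

Run against the whole Files section, the SHA256 clusters give the alias sets listed above and `copies_of` with the sample's own hash returns the stuuiad path; the digest-length check rejects a truncated hash instead of letting it into a blocklist.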

memory/4396-314-0x00007FFF95F10000-0x00007FFF969D1000-memory.dmp

memory/4940-313-0x0000000072A80000-0x0000000073230000-memory.dmp

C:\Users\Admin\Desktop\JoinPublish.7z

MD5 92f6cbd770f8c91a3de9b4f9b7ebc464
SHA1 8e242e196df875d98baa1b675473f9cb5582d66e
SHA256 666eb16b2ee3e5df1b5dcf443da13baa7d4d61b01a4fbc72f894bbdc0e08b961
SHA512 a97939d7d4e057d604a2b71707066349a03ce51efd8b5354eb97e73fa2587c6b319cbb8a95a95c515bb6c238f19f79a6a88efe708ca55a25d93a4031af70af63

C:\Users\Admin\Desktop\JoinNew.ps1

MD5 7ccfc7a6f2292ec41f0d54f37efefbf8
SHA1 45beff092a18c97c8aea7cc816540f9c304fdd99
SHA256 625dc103b33f23661e7e78b28fdc1325a44e1cdb1bf50a7e42e4cb45f975cc4b
SHA512 0f7102083f582de148b7a2d0c9a094373f13b6112edea7a66464299a7d3f26db0d69379c26e5d6693858b006fc154453a00d8e020dfa6e4b7e253d44d43345aa

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 b8e2c906c844e0b56ace3307f0434c85
SHA1 f41315f4741d0b910297586edf7b864d55b62cae
SHA256 abb998959f0c49173d73878b8db3cf1da9d594f7a19f89a0162428e8fc521318
SHA512 b0927d3a0d4277acad891464f3b182174f8d946d7a92189e08ad5909adcc3540e24441fb5b3158406620c59a9ee4ffa86f68ece926dcf8132d0388af171882a2

C:\Users\Admin\Desktop\InvokeFind.sql

MD5 ea7d4d102a57d0c18ba8c30eb12469cb
SHA1 400bf52bbca6a3070abdbbf0d3b4f8ba157356b0
SHA256 173b2a6ea5ca5bff1003b171a1ca6e18987b128c126fe537920a97ccc9b1c43e
SHA512 7ce6b5a8cdde629521bcb009b85376076a9e964638f8d565fbbd60ef0c7f45188d0e84cbbf7459f3d85a0af43b5c06e3d872d7fe74f45d76a38756fb5224f250

C:\Users\Admin\Desktop\InitializeDismount.cfg

MD5 7d5a1eb6b77b7cca274079b289f47fd4
SHA1 9f706324ce09b77fb0263ced6784d7b3f1ee70aa
SHA256 92fb2f23889d00b2fa7e7d1ad90a98c9990c4e774d9fd715f00646a5f323778b
SHA512 3096237147abb59a4b5e899a2cc45424df6d7287e5da6805f4557984dfab969266b901dfbaad953f1d59a94aecb4e38ccec195064be5c3f4d9eca9b661fd0ea9

memory/4340-362-0x0000000000EF0000-0x000000000145D000-memory.dmp

C:\Users\Admin\Desktop\GetRename.mpp

MD5 8a7dc749835359722d026ddbd789e277
SHA1 9ba8c68186752fb0307314d5391695f6bd81db96
SHA256 27f15c5acb609add606f65dfb5dfbc5129c454ce6ebfb421a3515ee6c901afef
SHA512 de40df92fae40be5134941a3e71c8dfb471ade4255595a580e62e9a3e18a901c0ba206723d445bb6613a26bb607cc28c8574d68f807f94f7673ca9d34b7db081

C:\Users\Admin\Desktop\DismountApprove.doc

MD5 28f74bbc61829bb8e0c9667df3932366
SHA1 12314de48387e1edc581a252384cfd916e52d797
SHA256 58130e481504221fcb8ca2f0f1a825897d3ff493394008cef39dfcdc37e3f66a
SHA512 1dc8b2c1dbe19fae883760e72564dcd3ea47226e368307e0e9b556d7d4952c270aa8993fa7095ca202c564e795ead32f0de5d2059dacda1f070beaba2a38c6a3

C:\Users\Admin\Desktop\ConnectTest.aiff

MD5 7afe74d0bf73cc0240c7ea0bd005162c
SHA1 9fe4d3f928d81df0f3ceedcdaf09f068b4ae1fbe
SHA256 4a35be2d6a1ddafc12ad3e9618b18349f95695c17a081dfbe5494476ee279769
SHA512 0897fa02d3b919d08d944e4fdcf74465caba9543d587ebf33785d85dbc555c7b481d0fa86ee2a4b347019a52012a473f6097dfcc99e8671af0aa31563605de16

C:\Users\Admin\Desktop\ConnectLimit.css

MD5 1c7a820f75f4337d8afc00042d1849d1
SHA1 2c7cb0c59028b10d866c8854786472998c092da5
SHA256 e588e98178489451c16cfa43b6aef4da0590f97688939d6e82bcd2848b8c4009
SHA512 374c0f39f04b06bf7bb3cadfaa0bef9e88c80515465f8dd6ebd44a20bb08c1c1ef3a609a65143afa6fb5026cd2941093d41bb56318e9a8ecf1c57c81aa2edd32

C:\Users\Admin\Desktop\CompleteDebug.gif

MD5 f823a16451344fe3f32aa9cbb4aef840
SHA1 f923ba64486ca5925c3f1f4db3e8af0c952dc8e1
SHA256 fd4d16ec37a1f2d5c090434eaf74763cfe026fbf0985a15d98f159460463955f
SHA512 a3431f7b75134a8d958850e22093f937fd528ae3450128ee9e7634e1c00b82f7fa18bba28146c2c1d16dde0219577d30b46d75293e45e9da1dba13ac5ba229fe

C:\Users\Admin\Desktop\BackupSearch.xls

MD5 01682d873a32dfdef05cb565d3e18e31
SHA1 d01a5684fc469356876df4c38cc9a2bd870328c6
SHA256 eac75431ced46c2c6032e3c70daa3b29e46f1c87925bccf6b6943695075837bc
SHA512 8119d1e939702be64fd3e8aa8a79d54990ea18ddf245d012818d891b43c0110d6f60f53fbb3ab5edb1b3b59502e41aaadc962f02e252603cf763919224e5218c

C:\Users\Admin\Desktop\ApproveGroup.xml

MD5 711f637bfc0cd1fa56b638a852f0c46f
SHA1 989bc822436f4812ecb00b4de7ef84d7bd150573
SHA256 7224e37d5390862be6c58e9f67f6c2460cdad659f8c492ab7ff66749084f8bbc
SHA512 d1e5e4ccd64f30d125467441c3e43850bcca5f1ce27baf09ac14a8f86b4addb5aba63cff34862d13a40930363574d2c6b9b99502b120e554462f21875cab150a

C:\$Recycle.Bin\S-1-5-21-2474409663-2236862430-1045297337-1000\$I1542RX.mov

MD5 f6fc90cb32611d91c1e416335650ba74
SHA1 da65fddfe891ae28f44c11f1ff74f2d9591c758d
SHA256 29e252806fdfae49716a43a0152dbd586c84d7cbc904d537d95ddd783f3580cd
SHA512 df40e3e2f2b9e08509801a78c62bf6bf0a02d83157ccbb428da9db83a231bfc6c1d7d7205c550145134187f51416b831b550b3d8d76ca4da40b963feaf97bbf7

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8dffd199ed37617e795db0f322918583
SHA1 2e1492dfbe77ab4fe12764cb17709120fdb98ee3
SHA256 06b66f034c515d02a00a12348bd2579728a03609cf9c6da62ab3777c3f40f86c
SHA512 fb470c85f9d4267153192599214b582b6a7a857210b947df77908d9e75aa5a90c33beb35518d54893b6821496e5774264932bf7c1fd0985a630287d0fbb6ff4d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 e0c858d81f7c809dada9f3b9b14031db
SHA1 3bc80d70179ae232510eb678357e64a919ac94dd
SHA256 aab8aa92a79dbb896811d102daaae1ef4a02d7b837de4533fcd5a45fe4e26ec4
SHA512 bbc39b8d50f8851d283f45e0d0eb9a61f7df096f6868372e08316fc422b0251b349852d6494a9cc00e9ee174a1c05fd3e6dfd65bf449e30096284158c7951f97

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe597bdd.TMP

MD5 17acddcbe21db8c41dc2b3f575d82dea
SHA1 3ce01695fcaf097b9e8af37b92baed3bddc7a6af
SHA256 d6249db2120c5a14f1535d58b81669fdbafdb5f8e51d095bc0f2fc91eda96587
SHA512 f5d85436a1cd160ded59e01a6b758f4a6a9a99967fa689bf13b1cd94a289c03f08c48d83eba764b8e1856b681315c8f446fffe80a635c70cfd41bda69aed4eac

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Code Cache\js\index-dir\the-real-index

MD5 e8ad4a30db52404c4a2754fd53eacd3d
SHA1 c3bf4130454ea41d76224a4b92a24412f8cb85d3
SHA256 db3230f8a2cedd19dce938a4cc10e514c266028e4623d8053c6a2fc7a099eb2e
SHA512 bfb5b23a5d06d166d235d7cccce7bcf12f39ce5d6823a1eda2b18b715c88fc6b666f85136fb2eb9ef9400b29075d43e8b7b47513dad2f75304c42468adf61810

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3cf23ffa-1b3d-4a92-95dc-0fcceee236d2\index-dir\the-real-index

MD5 c123bb50c6d511440cc7f9dcf7b2b545
SHA1 899c289f6f331022a86b42a78d80a2de57119163
SHA256 a638e63ee41d95c0fa769f5dc2264f4fcd44cf96258e02ecda26ce882048a1bb
SHA512 2cdb1844dd3e2919f273c448162fe0b8f98cbea7fc5a0889f77942fb1962e0881a28f8f9a5ad22f3fccef75560f6da214e4fb8237175aff55336996c3df504b8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 9d693c852e520164d4f4b07205978b89
SHA1 e20f16328c8660ed58f363e8d015406c56929874
SHA256 e83e00b9549a2acbdaf75a6741f650349ef6e8ff8dbf2e4e15417f10917036dd
SHA512 234347124add52b15bb978800894db514bc53b0dc546cb9dcecb1903225e3449519d07a2e445e8a7d39de33b3aa9918ccaadabc2cf570fd5698b874afd2be5bd

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3cf23ffa-1b3d-4a92-95dc-0fcceee236d2\index-dir\the-real-index~RFe5988ce.TMP

MD5 2a32dfce62fada351c73e962822f8d97
SHA1 127e3a9df557e7eef9c9681ee9f84845e244dc37
SHA256 11711d1cacd3ca25ed20615557a3541e663910a1c45876722c2904aa20cf97f4
SHA512 35cc7626257363e0ab1662f43ff4bf0a7e31b2da46233b485a3974c454204be6c3fe08599cd92528e451111d9360c7845752806fae84df8112c06bcabfcaf9b4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5988ae.TMP

MD5 4fb4ce7ebe2ff4233de7621eaa0f73d5
SHA1 9407a5900496b6d7dfe11951e2d26042e0120c55
SHA256 0cc66a7fdfcc9dfb0eeb8989952cb4b432894007ee362bd35e94213757c8eb20
SHA512 957223cd87ec94e98f7e104e06f5d3a34e7962572a5ae909cb487d99a568bb3a73adba3cb4b7df436b627e3ed862038f59f60a376b3672da7c0bcf1b79a72004

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Code Cache\js\index-dir\the-real-index~RFe5988be.TMP

MD5 42a5458e8e7ca6c7a992864e317422e2
SHA1 4423974d289410d552ef47ae1d1ab5eedab9405b
SHA256 68ed3ed00ec533248f86b7c1646b75f20a5ef7239f129715e07747fbd5768b00
SHA512 9426c10f6e6220ba5acf06e670b705a8e27e17363744f29613b50024c9a1925f786edbd14d77ad805a8b3204af4e7252e9ace54478d4e40bb6936b0e46eaab82

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b3281400d744d05f0f8640f82ca8b1f5
SHA1 048c16375cbbc5b6ac0c4fbf6b90e43541d33048
SHA256 d31e58c968ec69918f38ca2b1ac41b7e8015140897521ce424efc5b8930de62e
SHA512 2843c7617766cfaaf5295e9531a17e0b9122b767258899739a31e83207ac7380ea7ae2940be2c42d7ee75ea3c9838a42dc769c7c02c1c080d5c51d0d2ab51c29

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUPR12\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec