Malware Analysis Report

2025-01-22 18:50

Sample ID 240315-pdlj2sab24
Target checkers.exe
SHA256 bb3d8ba65f4589ea9072d6b26ff12145c38d66c9e6cbd2743d2f66cb735d4f2a
Tags
gozi banker discovery isfb persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb3d8ba65f4589ea9072d6b26ff12145c38d66c9e6cbd2743d2f66cb735d4f2a

Threat Level: Known bad

The file checkers.exe was found to be: Known bad.

Malicious Activity Summary

gozi banker discovery isfb persistence spyware stealer trojan

Gozi

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

NTFS ADS

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 12:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 12:12

Reported

2024-03-15 12:15

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\checkers.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Everything\Everything.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Everything = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -startup" C:\Program Files (x86)\Everything\Everything.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Everything\Everything.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Everything\Everything.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A discord.com N/A N/A 3
N/A camo.githubusercontent.com N/A N/A 7
N/A raw.githubusercontent.com N/A N/A 4

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Everything\Everything.exe C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
File opened for modification C:\Program Files (x86)\Everything\Everything.exe C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
File created C:\Program Files (x86)\Everything\Changes.txt C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
File created C:\Program Files (x86)\Everything\License.txt C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
File created C:\Program Files (x86)\Everything\Everything.lng C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
File created C:\Program Files (x86)\Everything\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe N/A
File created C:\Program Files (x86)\Everything\Everything.ini.tmp C:\Program Files (x86)\Everything\Everything.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" \"%1\"" C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0 = 4e003100000000006f58c961100054656d7000003a0009000400efbe5a58c9796f58c9612e00000096e10100000001000000000000000000000000000000b3d3ae00540065006d007000000014000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 = 56003100000000005a58c97912004170704461746100400009000400efbe5a58c9796f58c9612e00000082e10100000001000000000000000000000000000000e7f722014100700070004400610074006100000016000000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 78003100000000005a58c9791100557365727300640009000400efbe874f77486f58c9612e000000c70500000000010000000000000000003a0000000000e5e32e0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\ = "Everything File List" C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\PerceivedType = "text" C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon\ = "C:\\Program Files (x86)\\Everything\\Everything.exe, 1" C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\NodeSlot = "2" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 = 50003100000000006f58a56110004c6f63616c003c0009000400efbe5a58c9796f58c9612e00000095e101000000010000000000000000000000000000000b8722004c006f00630061006c00000014000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.efu C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{C5CC267E-969D-46E9-B025-046C250443D4} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -edit \"%1\"" C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 50003100000000005a584180100041646d696e003c0009000400efbe5a58c9796f58c9612e00000077e10100000001000000000000000000000000000000ce62ac00410064006d0069006e00000014000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open C:\Program Files (x86)\Everything\Everything.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\ = "Everything.FileList" C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon C:\Program Files (x86)\Everything\Everything.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 161611.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\taskmgr.exe N/A 18
N/A N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe N/A 42
N/A N/A C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe N/A 4

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe N/A 2
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A 29
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A 29

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
(this row is repeated 51 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(this row is repeated 13 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
(this row is repeated 50 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(this row is repeated 14 times)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe N/A
N/A N/A C:\Program Files (x86)\Everything\Everything.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe C:\Windows\SysWOW64\reg.exe (3 identical rows)
PID 3544 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe C:\Windows\SysWOW64\reg.exe (3 identical rows)
PID 3544 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4880 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ComputerDefaults.exe (3 identical rows)
PID 4248 wrote to memory of 2984 N/A C:\Windows\SysWOW64\ComputerDefaults.exe C:\Windows\SysWOW64\wscript.exe (3 identical rows)
PID 2984 wrote to memory of 2624 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3544 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 1952 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 3544 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe (2 identical rows)
PID 5008 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe C:\Windows\system32\taskmgr.exe (12 identical rows)
PID 3544 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\checkers.exe C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe (2 identical rows)
PID 5020 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe C:\Windows\Explorer.EXE (9 identical rows)
PID 5008 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe C:\Windows\system32\taskmgr.exe
PID 5020 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe C:\Windows\Explorer.EXE (4 identical rows)
PID 3448 wrote to memory of 4292 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 4292 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 4292 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (6 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\checkers.exe

"C:\Users\Admin\AppData\Local\Temp\checkers.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C computerdefaults.exe

C:\Windows\SysWOW64\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_phFehpiq08w1HvqzO050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\phFehpiq08w1HvqzO050MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_phFehpiq08w1HvqzO050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\phFehpiq08w1HvqzO050MX.exe" /RL HIGHEST /IT

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe

"C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe" Taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe

"C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe" explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbbd8846f8,0x7ffbbd884708,0x7ffbbd884718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8

C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe

"C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe"

C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe

"C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe

"C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe" -svc

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe"

C:\Users\Admin\AppData\Local\Temp\checkers.exe

"C:\Users\Admin\AppData\Local\Temp\checkers.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 textpubshiers.top udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 172.67.146.76:443 textpubshiers.top tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 76.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 54.195.244.4:80 checkip.amazonaws.com tcp
US 172.67.146.76:443 textpubshiers.top tcp
US 8.8.8.8:53 4.244.195.54.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
GB 92.123.128.190:443 www.bing.com tcp
GB 92.123.128.190:443 www.bing.com tcp
US 8.8.8.8:53 190.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 arc.srv.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
GB 92.123.128.186:443 th.bing.com tcp
GB 92.123.128.146:443 r.bing.com tcp
GB 92.123.128.146:443 r.bing.com tcp
GB 92.123.128.186:443 th.bing.com tcp
US 8.8.8.8:53 186.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 146.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.64:443 login.microsoftonline.com tcp
US 8.8.8.8:53 www.voidtools.com udp
US 162.211.80.236:443 www.voidtools.com tcp
US 162.211.80.236:443 www.voidtools.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 162.211.80.236:443 www.voidtools.com udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 236.80.211.162.in-addr.arpa udp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.176:443 th.bing.com tcp
US 8.8.8.8:53 176.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.python.org udp
GB 151.101.60.223:443 www.python.org tcp
GB 151.101.60.223:443 www.python.org tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 media.ethicalads.io udp
US 172.67.71.230:443 media.ethicalads.io tcp
GB 216.58.213.10:443 ajax.googleapis.com tcp
US 172.67.71.230:443 media.ethicalads.io tcp
GB 216.58.213.10:443 ajax.googleapis.com tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 223.60.101.151.in-addr.arpa udp
GB 216.58.213.10:443 ajax.googleapis.com udp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 console.python.org udp
US 159.89.245.108:443 console.python.org tcp
US 159.89.245.108:443 console.python.org tcp
US 8.8.8.8:53 2p66nmmycsj3.statuspage.io udp
GB 142.250.180.8:443 ssl.google-analytics.com udp
GB 18.165.160.69:443 2p66nmmycsj3.statuspage.io tcp
US 8.8.8.8:53 232.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 230.71.67.172.in-addr.arpa udp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 8.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 108.245.89.159.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
BE 74.125.206.154:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 69.160.165.18.in-addr.arpa udp
US 8.8.8.8:53 184.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 154.206.125.74.in-addr.arpa udp
US 8.8.8.8:53 71.10.230.54.in-addr.arpa udp
US 8.8.8.8:53 s3.dualstack.us-east-2.amazonaws.com udp
US 52.219.179.97:443 s3.dualstack.us-east-2.amazonaws.com tcp
US 52.219.179.97:443 s3.dualstack.us-east-2.amazonaws.com tcp
US 52.219.179.97:443 s3.dualstack.us-east-2.amazonaws.com tcp
US 8.8.8.8:53 97.179.219.52.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp

Files

memory/3544-0-0x0000000000230000-0x000000000023C000-memory.dmp

memory/3544-1-0x0000000075290000-0x0000000075A40000-memory.dmp

memory/3544-2-0x0000000002C70000-0x0000000002C8A000-memory.dmp

memory/3544-3-0x0000000005340000-0x0000000005350000-memory.dmp

memory/3544-4-0x0000000002C50000-0x0000000002C5A000-memory.dmp

memory/3544-5-0x0000000005350000-0x00000000053E2000-memory.dmp

memory/3544-6-0x00000000059A0000-0x0000000005F44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs

MD5 a34267102c21aff46aecc85598924544
SHA1 77268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256 eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA512 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

memory/3544-10-0x000000000B050000-0x000000000BC50000-memory.dmp

memory/4236-11-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-13-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-12-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-17-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-18-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-19-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-20-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-21-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-22-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/4236-23-0x000001F4F4820000-0x000001F4F4821000-memory.dmp

memory/3544-24-0x0000000011DD0000-0x0000000012A72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll

MD5 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1 fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512 fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe

MD5 e898826598a138f86f2aa80c0830707a
SHA1 1e912a5671f7786cc077f83146a0484e5a78729c
SHA256 df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
SHA512 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

memory/4236-39-0x000001F4EEE70000-0x000001F4EEE78000-memory.dmp

memory/4236-40-0x000001F4EEE90000-0x000001F4EEE91000-memory.dmp

memory/4236-41-0x000001F4EEE70000-0x000001F4EEE78000-memory.dmp

memory/4236-43-0x00007FF63DA50000-0x00007FF63DB80000-memory.dmp

memory/3544-45-0x0000000075290000-0x0000000075A40000-memory.dmp

memory/4236-44-0x00007FFBD8A50000-0x00007FFBD91E0000-memory.dmp

memory/4236-46-0x000001F4EEE70000-0x000001F4EEE78000-memory.dmp

memory/4236-49-0x000001F4EEE70000-0x000001F4EEE78000-memory.dmp

memory/3448-56-0x000000000DFA0000-0x000000000DFA8000-memory.dmp

memory/3544-59-0x0000000005340000-0x0000000005350000-memory.dmp

memory/3448-58-0x000000000DFA0000-0x000000000DFA8000-memory.dmp

memory/3448-60-0x000000000DFA0000-0x000000000DFA8000-memory.dmp

memory/3544-66-0x0000000007CC0000-0x0000000007CD2000-memory.dmp

memory/3544-67-0x0000000008680000-0x00000000086E6000-memory.dmp

memory/3544-68-0x000000000B020000-0x000000000B02A000-memory.dmp

memory/3544-69-0x000000000E540000-0x000000000E54A000-memory.dmp

memory/3544-70-0x0000000005340000-0x0000000005350000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e0811105475d528ab174dfdb69f935f3
SHA1 dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256 c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA512 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

memory/3544-77-0x00000000098D0000-0x00000000098DC000-memory.dmp

memory/3544-78-0x00000000098F0000-0x00000000098F8000-memory.dmp

\??\pipe\LOCAL\crashpad_4292_IXRHWYUGEXVJCRIE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 47b2c6613360b818825d076d14c051f7
SHA1 7df7304568313a06540f490bf3305cb89bc03e5c
SHA256 47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA512 08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 027f2ea23aa584da133f2960f0126d6e
SHA1 1b1cd5d8e35855f74486b1a061a93dde93fb071f
SHA256 cece61898228f00d5ea355bf93fcb95ecb9fdeb113188779256f554a4aa9ce5f
SHA512 3e8e1fb6cea42399ab4122de959356e49e8c087cff835d13964d1f8d35f42c1b9bcfbd8122bed108e0fbfcdb4a85a90e023ae0f26b3b277a4cbb2aeb40c37fd1

C:\Users\Admin\AppData\Roaming\Gongle\a0WS87B1AN\xh4b7nwe.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

MD5 5df88d5e6f363f9b5f0d82413ac239bd
SHA1 9d6cd9ff91aa7e6f9bc57de11a06bb9966482eae
SHA256 0c9024cb581a4f2850c4df78a4ec890bf2319781f3d4b03fdaa046d14ac0d4c9
SHA512 0fcdefcf990afd09779bfd17ca76049bc4d9f472c73aa9992f7a361fae7d36c2064c2722d32be45240d7f9b699f663b2ddae2cc5081f6b887dd9a04b11724143

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\Gongle\aSPQE9DVQI\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Gongle\aSPQE9DVQI\LOG

MD5 11582d640a97e69e81724ff360f7d3fa
SHA1 ce2435cbb25e5f5c44ea7512f249166f2ce5ef9c
SHA256 6c7ea31b859a964762d349ff47b03e21dd3246128f9a6ee5c02765cc51bbafc1
SHA512 8f4c1dd1ef6b7f3c2768062643442e80676bf9857cd95c9ffa61f4ea33d3fe54ffc8a923f69ec223194b4fb0f6a7c882c5dbd7acc8ee2a79a2fad0d0005a746b

C:\Users\Admin\AppData\Roaming\Gongle\aSPQE9DVQI\LOG.old

MD5 9eaac6c0045dadbd0052cf59495112bc
SHA1 91cf50239622b89e2fdaddb076b2d29157373645
SHA256 51918329d1ba79313f28fca4718eff912e2acac8586ef86a1bc7e80777522dc3
SHA512 c3e145d585c836e32e37fdd28f05f712261f3f0bca7cd9d390cf09512c0eb790c659cddadf8030eeed3e6cd2d7cddbe2c3d6de48e15372c56ff60bbbd5e32118

C:\Users\Admin\AppData\Roaming\Gongle\aSPQE9DVQI\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 69c09ba6afc247eec85ef9ed046bd89e
SHA1 bf33c856e84eeaaf30f7168153dd5271c26a70bf
SHA256 1a9babd2372e1af40d9980cca2aa69b093514778446933548a0be925f726ce55
SHA512 4bd093cb0ac4f6369ab27d7459c089f480e9be85856ed268031631a33926ca43345a37a9459652133cae538c6294fdc67e1b48c57e26ca3df7023943a4e08d48

memory/3544-235-0x0000000006AF0000-0x0000000006BA2000-memory.dmp

memory/3544-236-0x0000000006C00000-0x0000000006C22000-memory.dmp

memory/3544-237-0x0000000009900000-0x0000000009976000-memory.dmp

memory/3544-238-0x0000000008F80000-0x0000000008F9E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Gongle\aQDVFOJ2PV\LOG.old

MD5 fbbfdf1ea94daf96bfaca4bee6c18996
SHA1 f4d0b631a1e00ed723ddcd03b2e0454697976d3a
SHA256 5d38e29bb7156be68cb00b1cc72da0abef961f4457c68ce4a119d07e9b0455f1
SHA512 47759dc33f95d828f30ad09df85718ba90d13e49713f34744fb66f2bc5b52e9e849cf642085647c6a2a1d8a5ee3e09e3f9f454f9052e606cab3deb3b0d4184e1

memory/3544-246-0x0000000009D90000-0x0000000009DE0000-memory.dmp

memory/3544-247-0x0000000009DE0000-0x0000000009E4A000-memory.dmp

memory/3544-248-0x0000000009E50000-0x000000000A1A4000-memory.dmp

memory/3544-251-0x000000000A1B0000-0x000000000A1FC000-memory.dmp

memory/3544-281-0x000000000A250000-0x000000000A28C000-memory.dmp

memory/3544-282-0x000000000A210000-0x000000000A231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8367dae0ec8b48de8d77f6255f1ad914

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\b74f5552d5ed433aac6127a7336d7ebf

MD5 6184cbc7bb8e40bfe87e17be82664733
SHA1 eba8374f100cf6f4b9077973dcbe59d8aadb728a
SHA256 acef186cb3fc58c06890e9689c37366475afb8e3f751bf870067b80c637beb4b
SHA512 58ab20c11a2c610d3058b314c8440f145f82b45222b50e86959b207b3b7ceed893700c2e5abb4b3d6ea6c73ea773bb2f3cfce2a92ef18432a28f7fdd41942054

memory/3544-301-0x000000000A2D0000-0x000000000A2DA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 093e97f41e5ec177c8f630b6af2e08bb
SHA1 38f129ce78fd392e3bbcfe7a1649dfd0e665b891
SHA256 fd189bed462bdae6e45562f5e79387617edcf75895596eeb5fa78a18e5522b50
SHA512 0c4c259a1873f05b196f68a750b82b53459dfe4b8489f93894a61fc0b760da1619f7363e6898530a765187e367de389cbda3418ffcaf2221dd15797ee84315f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 47f970e61a00ade9c6f29c7f23f74989
SHA1 d6f43426942c5a753659ffa537e40a6c6400d496
SHA256 2e2e283c9afd9ee2e62f4b0262c3143db1fb4b155128265182b59c6770f5ab69
SHA512 bb2a641968c741ff60fb4c9bd18cd751968bd882a077c6e1d78b53441c12fafe3159b5dd8d2074a82b0544afa34dad7f154cd7dd1f6da171437cec1d75dda5f8

C:\Users\Admin\Downloads\Unconfirmed 161611.crdownload

MD5 f55d52d5d690a8e1b2df9217bc3ddfdf
SHA1 0e45d3a28cc096dc7edc1208f7428d66335df11a
SHA256 59f57803fa5235075c3e470e1006905a61236e491bb75a599d862cafcfbb529f
SHA512 4101015760dd2b1d9cbf9586802e610bbe6f74b73bc5dbb4391417afe8fa20762a84b04cd15019b54107d8ad0e4fc523f25403482431dd53aec3d07a4b217941

C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\InstallOptions.dll

MD5 ece25721125d55aa26cdfe019c871476
SHA1 b87685ae482553823bf95e73e790de48dc0c11ba
SHA256 c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\LangDLL.dll

MD5 68b287f4067ba013e34a1339afdb1ea8
SHA1 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions.ini

MD5 e2808f4be298a32ae279ee9ebacd0a0c
SHA1 b7929c346ba7a7aa690a766e4f70bc1d44f75460
SHA256 99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52
SHA512 a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini

MD5 a6634dd375de49a06ff7c8c65f03bb42
SHA1 2834f907bb17d0916cfd1285718695f866e319d6
SHA256 caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d
SHA512 c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 804ff81e40f6f7e5ba63437b32a7e40e
SHA1 515378f71a0bb8219c7004d825b5a2edeac423c6
SHA256 851edb24ab9b90ea1c98c87f3698da1ae0dc9c43f2570b219ca90e019c09b527
SHA512 5923f533abb6acd2871caa568e1215bc3e53f0040704215632e58e44f50ba37f9d8ebec1f77778f825cb97648d44300a20a65351b284608475aaa925d5fe3efa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fd283b3119c2df5a809cde483b9311e9
SHA1 7ca5c11be398732844118126a0e10eb7c543057e
SHA256 52cf7959695f52cc914fec841a3aa3da393f0aaefad4577a83c7013f64838f8c
SHA512 cb0ac1e574e7cdf0b8204e4860d33883c2286ebd56aa32f856b8bb8ed016d3c321cbb5cdaee93e2062337fe14cf7a7a7ac2deff1a3715bfa4598345462779df6

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions.ini

MD5 aebae476c32a2194a4106787c85be4c5
SHA1 855dbdc549d1363be7d717a4df797712630d0b60
SHA256 c95d3cdea91589bf2ba60b5adabcd71c0349c5c0d847a1469c754e969a9d3269
SHA512 aa37062b0527e5ca25df2c5746e141a8fdcc33e592a0cb9e2bc6f03411cf090bbe750c149ce767409cf5fbaa40d554e3979aa11012d9d46d08f4ac586d768803

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions.ini

MD5 748d4a28af9eced3a058b88e4e6ebea8
SHA1 78c7c679a5d7fdd4cf4a1a7ba0917001b52f219c
SHA256 19770a409e6d9e8006a338d95c53c22a9a6218b296bd0d96e3db6a545500e61e
SHA512 aaec5157182cec482649337977ec5003668746773557a203857cddd2586f2bd6fcd2a4b69d6eb3a1ea11a2a9b2754b301d0ae4572da28a8e5ea9b701c7c0b20a

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini

MD5 951bebf9d1eff9f6dc2db9d93fded632
SHA1 9a1e9a35d133d6e81485941ccb88de053345a09e
SHA256 364684138a27db4f0e3a9c7860aed1895f677bd5da8650f136c84e2fad28dadd
SHA512 38db0b72aa9c9e6e250715e6b70bc792cb03c3026fbe5fc3136fe0a2a53fdc8044252d2d439f222b0398e814577c8eb1385a1b21bbb7378ebc49b4cdb8ba1748

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini

MD5 5ac32782a47385b9d065cee2f75cc8d7
SHA1 d4582bb905697c78a417bc7ce1d1ead664346ec3
SHA256 e786d7c45a5dd02262985957b8c5620cea90ad9a4268f71da99c97f174f79592
SHA512 e81b8bf35310a6d458186d22a37e10e9ad4e5a5c18b66b8efba3763d1a86c4942706a100bd6c9364432611e2f1cbdab42d56361451ed42715048bb11306033be

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini

MD5 a30932406169a73658bec4de6db01a10
SHA1 bb51c1927a974125d6d9dacdf6862a2a9890c6a6
SHA256 f41319be9c203fe61c30eb758194b976a40d51787e5488f62404df0788d3f7fc
SHA512 7e859a98a7a39cd891b922419c2c6bab58283a6b925676647c4bf590f281b499ceb256dac2a6a4480080d5e8371d9ed9d3016bc1ca51f1de794de25040dd6d72

memory/3544-910-0x0000000005340000-0x0000000005350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe

MD5 a7067594451cab167a4f463be9d0209c
SHA1 1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5
SHA256 d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581
SHA512 8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.lng

MD5 ba118bdf7118802beea188727b155d5f
SHA1 20fe923ec91d13f03bdb171df2fe54772f86ebba
SHA256 270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471
SHA512 01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\License.txt

MD5 2d8c6b891bea32e7fa64b381cf3064c2
SHA1 495396d86c96fb1cfdf56cae7658149138056aa9
SHA256 2e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b
SHA512 03a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Uninstall.exe

MD5 fc3732ef603b36055209652f749c1080
SHA1 bd8b0806abecf983c89814ab4dcbd3300a78fe88
SHA256 0deee0d9d6e140226de19047c0ab160ec957a6e4bf63bb1c058bac9f09c47874
SHA512 98ee82dfe67fa3d5fe2ae3977b959b0fb1277e5bdb320e7eca347771cd4ef8d8b99c6b3cefc0466347e8f49644386cc2d0f5f7a63eb5404a8371182bd880286f

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Changes.txt

MD5 1ebb92ac516db5077a0c851565b7a2cf
SHA1 9adabfbb11b070169429fd43a250285ee8881213
SHA256 e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6
SHA512 3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de

C:\Program Files (x86)\Everything\Everything.ini

MD5 b2b308d8c164f75bc11bccf7baf3df67
SHA1 6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d
SHA256 f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5
SHA512 5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\ioSpecial.ini

MD5 b4f507587121347f820974c94f6229a4
SHA1 b1045e86984b0b049bf294e425973dd9d3577d01
SHA256 860b01c8fa9364f6fb0fc61386d379773a7efc92d9205269225c52ad71d4930c
SHA512 160d3dfd55913a4bae1d5d252ab85a495c7965df1ab2403443d8d7e25d976ca13b5ce5953a78eba15b3428c74b78da4ac6ddc71049f43db12a07654e396a4aaf

C:\Users\Public\Desktop\Everything.lnk

MD5 a3c1b4682b70a1cbeb8c2ce1863ccc20
SHA1 eda33f2a8fe4be9e688ec0d5fc4fb4effa3c5710
SHA256 f60ce7095348b4a1ec976046e68c7cac84040c97bc14f6adaf601f0381300015
SHA512 e2e897c7e57a5d98e82be63725d187702955e863dfc1e58a2e57e7d177953f389b0a8bc8543638b73120753b229e92ff6b031d32354f088086509eb9713127e3

C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\ioSpecial.ini

MD5 3826e0771762e50b03bd057c470682ed
SHA1 3923f1523857a456b939afce2b8d426bacf29c1f
SHA256 3d9d833b802a91c3513a7de112982124c3e65d58f1a96a9d7ffc8f3bcb11815a
SHA512 09388e1e6f4b7c59fc8fa978ae2e2b30633e11066799dc2fa8dd273d991d45346c6bcc5cef4f102ef02f75ce3ce283e68bef6c31d7b3a3fd8ef0039bf6850637

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 af28460dee4e2d4874145438104c3d06
SHA1 eee26d2d15884c449c92f765b0a4f4136bf93c1a
SHA256 918b5d67117fa982ef8478ace1ffffb6dad2352a4a6e187898706e06419c986b
SHA512 44fc601fa30bd07ef5bc338b29f8564f3c574c7c364ff0f1fd68f238ef18655c9e31e35b94fba3f85fffdc4f04a29fe65aac70503590bab6fc6f72fba95d839b

C:\Users\Admin\AppData\Roaming\Everything\Everything.ini

MD5 49b6ff446eddaf88ea08a7c16792952e
SHA1 c0dc334f467d867f0e1d3fabd555ebcac395fc8b
SHA256 2fb724dd202047575842ab8b47f7c395b06c84879af5a1cd5978b3a0111e3580
SHA512 77caea2889ef3c8396cf333e6f99656cf087ba69e20f86279cf415e9b3ef598a98a0a2bada407443910ef24b8d51602ef3d1504f3826f0f9837d07db488bab2b

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Everything.lnk

MD5 1297d062306ebcdca9ac178eac7576c9
SHA1 5458e12c74922365e9c32d706bc568e0582ad107
SHA256 94297aff8bc90926e42c48317755ab40fd7c8cea8fc020911fecc519a20463af
SHA512 c6c9cc4127c83aee6a52c313b7686dfbe4569652301486092192f3c582fd7f2341ff2101c93268d8b7722133a36ff9d90a595eff7a5f169ca2d867682642b99b

memory/544-1084-0x0000000075290000-0x0000000075A40000-memory.dmp

memory/544-1085-0x0000000005240000-0x0000000005250000-memory.dmp

memory/544-1090-0x0000000075290000-0x0000000075A40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
