Analysis Overview
SHA256
bb3d8ba65f4589ea9072d6b26ff12145c38d66c9e6cbd2743d2f66cb735d4f2a
Threat Level: Known bad
The file checkers.exe was found to be: Known bad.
Malicious Activity Summary
Gozi
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
NTFS ADS
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 12:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 12:12
Reported
2024-03-15 12:15
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Gozi
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Everything\Everything.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Everything\Everything.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Everything = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -startup" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.amazonaws.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Everything\Everything.exe | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Everything\Everything.exe | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| File created | C:\Program Files (x86)\Everything\Changes.txt | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| File created | C:\Program Files (x86)\Everything\License.txt | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| File created | C:\Program Files (x86)\Everything\Everything.lng | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| File created | C:\Program Files (x86)\Everything\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe | N/A |
| File created | C:\Program Files (x86)\Everything\Everything.ini.tmp | C:\Program Files (x86)\Everything\Everything.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" \"%1\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0 = 4e003100000000006f58c961100054656d7000003a0009000400efbe5a58c9796f58c9612e00000096e10100000001000000000000000000000000000000b3d3ae00540065006d007000000014000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 = 56003100000000005a58c97912004170704461746100400009000400efbe5a58c9796f58c9612e00000082e10100000001000000000000000000000000000000e7f722014100700070004400610074006100000016000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 78003100000000005a58c9791100557365727300640009000400efbe874f77486f58c9612e000000c70500000000010000000000000000003a0000000000e5e32e0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\ = "Everything File List" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\PerceivedType = "text" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon\ = "C:\\Program Files (x86)\\Everything\\Everything.exe, 1" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\NodeSlot = "2" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 = 50003100000000006f58a56110004c6f63616c003c0009000400efbe5a58c9796f58c9612e00000095e101000000010000000000000000000000000000000b8722004c006f00630061006c00000014000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{C5CC267E-969D-46E9-B025-046C250443D4} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -edit \"%1\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 50003100000000005a584180100041646d696e003c0009000400efbe5a58c9796f58c9612e00000077e10100000001000000000000000000000000000000ce62ac00410064006d0069006e00000014000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\ = "Everything.FileList" | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon | C:\Program Files (x86)\Everything\Everything.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 161611.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Everything\Everything.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\checkers.exe
"C:\Users\Admin\AppData\Local\Temp\checkers.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_phFehpiq08w1HvqzO050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\phFehpiq08w1HvqzO050MX.exe" /RL HIGHEST /IT
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_phFehpiq08w1HvqzO050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\phFehpiq08w1HvqzO050MX.exe" /RL HIGHEST /IT
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe
"C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe" Taskmgr.exe
C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe
"C:\Users\Admin\AppData\Local\Temp\zv3mtwsr.exe" explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbbd8846f8,0x7ffbbd884708,0x7ffbbd884718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe
"C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe"
C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe
"C:\Users\Admin\Downloads\Everything-1.4.1.1024.x86-Setup.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe
"C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"
C:\Program Files (x86)\Everything\Everything.exe
"C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0
C:\Program Files (x86)\Everything\Everything.exe
"C:\Program Files (x86)\Everything\Everything.exe" -svc
C:\Program Files (x86)\Everything\Everything.exe
"C:\Program Files (x86)\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033
C:\Program Files (x86)\Everything\Everything.exe
"C:\Program Files (x86)\Everything\Everything.exe"
C:\Users\Admin\AppData\Local\Temp\checkers.exe
"C:\Users\Admin\AppData\Local\Temp\checkers.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5872 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7934817924518374805,1846936313287324731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
Network
Files
| SHA512 | 58ab20c11a2c610d3058b314c8440f145f82b45222b50e86959b207b3b7ceed893700c2e5abb4b3d6ea6c73ea773bb2f3cfce2a92ef18432a28f7fdd41942054 |
memory/3544-301-0x000000000A2D0000-0x000000000A2DA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 093e97f41e5ec177c8f630b6af2e08bb |
| SHA1 | 38f129ce78fd392e3bbcfe7a1649dfd0e665b891 |
| SHA256 | fd189bed462bdae6e45562f5e79387617edcf75895596eeb5fa78a18e5522b50 |
| SHA512 | 0c4c259a1873f05b196f68a750b82b53459dfe4b8489f93894a61fc0b760da1619f7363e6898530a765187e367de389cbda3418ffcaf2221dd15797ee84315f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 47f970e61a00ade9c6f29c7f23f74989 |
| SHA1 | d6f43426942c5a753659ffa537e40a6c6400d496 |
| SHA256 | 2e2e283c9afd9ee2e62f4b0262c3143db1fb4b155128265182b59c6770f5ab69 |
| SHA512 | bb2a641968c741ff60fb4c9bd18cd751968bd882a077c6e1d78b53441c12fafe3159b5dd8d2074a82b0544afa34dad7f154cd7dd1f6da171437cec1d75dda5f8 |
C:\Users\Admin\Downloads\Unconfirmed 161611.crdownload
| MD5 | f55d52d5d690a8e1b2df9217bc3ddfdf |
| SHA1 | 0e45d3a28cc096dc7edc1208f7428d66335df11a |
| SHA256 | 59f57803fa5235075c3e470e1006905a61236e491bb75a599d862cafcfbb529f |
| SHA512 | 4101015760dd2b1d9cbf9586802e610bbe6f74b73bc5dbb4391417afe8fa20762a84b04cd15019b54107d8ad0e4fc523f25403482431dd53aec3d07a4b217941 |
C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\InstallOptions.dll
| MD5 | ece25721125d55aa26cdfe019c871476 |
| SHA1 | b87685ae482553823bf95e73e790de48dc0c11ba |
| SHA256 | c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf |
| SHA512 | 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480 |
C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\LangDLL.dll
| MD5 | 68b287f4067ba013e34a1339afdb1ea8 |
| SHA1 | 45ad585b3cc8e5a6af7b68f5d8269c97992130b3 |
| SHA256 | 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026 |
| SHA512 | 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions.ini
| MD5 | e2808f4be298a32ae279ee9ebacd0a0c |
| SHA1 | b7929c346ba7a7aa690a766e4f70bc1d44f75460 |
| SHA256 | 99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52 |
| SHA512 | a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini
| MD5 | a6634dd375de49a06ff7c8c65f03bb42 |
| SHA1 | 2834f907bb17d0916cfd1285718695f866e319d6 |
| SHA256 | caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d |
| SHA512 | c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\System.dll
| MD5 | cff85c549d536f651d4fb8387f1976f2 |
| SHA1 | d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e |
| SHA256 | 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8 |
| SHA512 | 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 804ff81e40f6f7e5ba63437b32a7e40e |
| SHA1 | 515378f71a0bb8219c7004d825b5a2edeac423c6 |
| SHA256 | 851edb24ab9b90ea1c98c87f3698da1ae0dc9c43f2570b219ca90e019c09b527 |
| SHA512 | 5923f533abb6acd2871caa568e1215bc3e53f0040704215632e58e44f50ba37f9d8ebec1f77778f825cb97648d44300a20a65351b284608475aaa925d5fe3efa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fd283b3119c2df5a809cde483b9311e9 |
| SHA1 | 7ca5c11be398732844118126a0e10eb7c543057e |
| SHA256 | 52cf7959695f52cc914fec841a3aa3da393f0aaefad4577a83c7013f64838f8c |
| SHA512 | cb0ac1e574e7cdf0b8204e4860d33883c2286ebd56aa32f856b8bb8ed016d3c321cbb5cdaee93e2062337fe14cf7a7a7ac2deff1a3715bfa4598345462779df6 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions.ini
| MD5 | aebae476c32a2194a4106787c85be4c5 |
| SHA1 | 855dbdc549d1363be7d717a4df797712630d0b60 |
| SHA256 | c95d3cdea91589bf2ba60b5adabcd71c0349c5c0d847a1469c754e969a9d3269 |
| SHA512 | aa37062b0527e5ca25df2c5746e141a8fdcc33e592a0cb9e2bc6f03411cf090bbe750c149ce767409cf5fbaa40d554e3979aa11012d9d46d08f4ac586d768803 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions.ini
| MD5 | 748d4a28af9eced3a058b88e4e6ebea8 |
| SHA1 | 78c7c679a5d7fdd4cf4a1a7ba0917001b52f219c |
| SHA256 | 19770a409e6d9e8006a338d95c53c22a9a6218b296bd0d96e3db6a545500e61e |
| SHA512 | aaec5157182cec482649337977ec5003668746773557a203857cddd2586f2bd6fcd2a4b69d6eb3a1ea11a2a9b2754b301d0ae4572da28a8e5ea9b701c7c0b20a |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini
| MD5 | 951bebf9d1eff9f6dc2db9d93fded632 |
| SHA1 | 9a1e9a35d133d6e81485941ccb88de053345a09e |
| SHA256 | 364684138a27db4f0e3a9c7860aed1895f677bd5da8650f136c84e2fad28dadd |
| SHA512 | 38db0b72aa9c9e6e250715e6b70bc792cb03c3026fbe5fc3136fe0a2a53fdc8044252d2d439f222b0398e814577c8eb1385a1b21bbb7378ebc49b4cdb8ba1748 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini
| MD5 | 5ac32782a47385b9d065cee2f75cc8d7 |
| SHA1 | d4582bb905697c78a417bc7ce1d1ead664346ec3 |
| SHA256 | e786d7c45a5dd02262985957b8c5620cea90ad9a4268f71da99c97f174f79592 |
| SHA512 | e81b8bf35310a6d458186d22a37e10e9ad4e5a5c18b66b8efba3763d1a86c4942706a100bd6c9364432611e2f1cbdab42d56361451ed42715048bb11306033be |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\InstallOptions2.ini
| MD5 | a30932406169a73658bec4de6db01a10 |
| SHA1 | bb51c1927a974125d6d9dacdf6862a2a9890c6a6 |
| SHA256 | f41319be9c203fe61c30eb758194b976a40d51787e5488f62404df0788d3f7fc |
| SHA512 | 7e859a98a7a39cd891b922419c2c6bab58283a6b925676647c4bf590f281b499ceb256dac2a6a4480080d5e8371d9ed9d3016bc1ca51f1de794de25040dd6d72 |
memory/3544-910-0x0000000005340000-0x0000000005350000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.exe
| MD5 | a7067594451cab167a4f463be9d0209c |
| SHA1 | 1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5 |
| SHA256 | d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581 |
| SHA512 | 8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Everything.lng
| MD5 | ba118bdf7118802beea188727b155d5f |
| SHA1 | 20fe923ec91d13f03bdb171df2fe54772f86ebba |
| SHA256 | 270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471 |
| SHA512 | 01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\License.txt
| MD5 | 2d8c6b891bea32e7fa64b381cf3064c2 |
| SHA1 | 495396d86c96fb1cfdf56cae7658149138056aa9 |
| SHA256 | 2e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b |
| SHA512 | 03a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Uninstall.exe
| MD5 | fc3732ef603b36055209652f749c1080 |
| SHA1 | bd8b0806abecf983c89814ab4dcbd3300a78fe88 |
| SHA256 | 0deee0d9d6e140226de19047c0ab160ec957a6e4bf63bb1c058bac9f09c47874 |
| SHA512 | 98ee82dfe67fa3d5fe2ae3977b959b0fb1277e5bdb320e7eca347771cd4ef8d8b99c6b3cefc0466347e8f49644386cc2d0f5f7a63eb5404a8371182bd880286f |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\Everything\Changes.txt
| MD5 | 1ebb92ac516db5077a0c851565b7a2cf |
| SHA1 | 9adabfbb11b070169429fd43a250285ee8881213 |
| SHA256 | e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6 |
| SHA512 | 3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de |
C:\Program Files (x86)\Everything\Everything.ini
| MD5 | b2b308d8c164f75bc11bccf7baf3df67 |
| SHA1 | 6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d |
| SHA256 | f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5 |
| SHA512 | 5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\ioSpecial.ini
| MD5 | b4f507587121347f820974c94f6229a4 |
| SHA1 | b1045e86984b0b049bf294e425973dd9d3577d01 |
| SHA256 | 860b01c8fa9364f6fb0fc61386d379773a7efc92d9205269225c52ad71d4930c |
| SHA512 | 160d3dfd55913a4bae1d5d252ab85a495c7965df1ab2403443d8d7e25d976ca13b5ce5953a78eba15b3428c74b78da4ac6ddc71049f43db12a07654e396a4aaf |
C:\Users\Public\Desktop\Everything.lnk
| MD5 | a3c1b4682b70a1cbeb8c2ce1863ccc20 |
| SHA1 | eda33f2a8fe4be9e688ec0d5fc4fb4effa3c5710 |
| SHA256 | f60ce7095348b4a1ec976046e68c7cac84040c97bc14f6adaf601f0381300015 |
| SHA512 | e2e897c7e57a5d98e82be63725d187702955e863dfc1e58a2e57e7d177953f389b0a8bc8543638b73120753b229e92ff6b031d32354f088086509eb9713127e3 |
C:\Users\Admin\AppData\Local\Temp\nsb2E41.tmp\ioSpecial.ini
| MD5 | 3826e0771762e50b03bd057c470682ed |
| SHA1 | 3923f1523857a456b939afce2b8d426bacf29c1f |
| SHA256 | 3d9d833b802a91c3513a7de112982124c3e65d58f1a96a9d7ffc8f3bcb11815a |
| SHA512 | 09388e1e6f4b7c59fc8fa978ae2e2b30633e11066799dc2fa8dd273d991d45346c6bcc5cef4f102ef02f75ce3ce283e68bef6c31d7b3a3fd8ef0039bf6850637 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | af28460dee4e2d4874145438104c3d06 |
| SHA1 | eee26d2d15884c449c92f765b0a4f4136bf93c1a |
| SHA256 | 918b5d67117fa982ef8478ace1ffffb6dad2352a4a6e187898706e06419c986b |
| SHA512 | 44fc601fa30bd07ef5bc338b29f8564f3c574c7c364ff0f1fd68f238ef18655c9e31e35b94fba3f85fffdc4f04a29fe65aac70503590bab6fc6f72fba95d839b |
C:\Users\Admin\AppData\Roaming\Everything\Everything.ini
| MD5 | 49b6ff446eddaf88ea08a7c16792952e |
| SHA1 | c0dc334f467d867f0e1d3fabd555ebcac395fc8b |
| SHA256 | 2fb724dd202047575842ab8b47f7c395b06c84879af5a1cd5978b3a0111e3580 |
| SHA512 | 77caea2889ef3c8396cf333e6f99656cf087ba69e20f86279cf415e9b3ef598a98a0a2bada407443910ef24b8d51602ef3d1504f3826f0f9837d07db488bab2b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Everything.lnk
| MD5 | 1297d062306ebcdca9ac178eac7576c9 |
| SHA1 | 5458e12c74922365e9c32d706bc568e0582ad107 |
| SHA256 | 94297aff8bc90926e42c48317755ab40fd7c8cea8fc020911fecc519a20463af |
| SHA512 | c6c9cc4127c83aee6a52c313b7686dfbe4569652301486092192f3c582fd7f2341ff2101c93268d8b7722133a36ff9d90a595eff7a5f169ca2d867682642b99b |
memory/544-1084-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/544-1085-0x0000000005240000-0x0000000005250000-memory.dmp
memory/544-1090-0x0000000075290000-0x0000000075A40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b25788ba321fcf3451c0f124ef163078 |
| SHA1 | 072ffe4fcdf12c2521d7b6b7cb81b83685bb04f6 |
| SHA256 | b22fe49fa454b6c7a10fea952c87d15f8997372042873491136575fdd8eba83e |
| SHA512 | 529293a00feda60c3097d7d59f39bee0e68fd9ae37907575199e7fc4a650b2861e231d484b3ad7629fca13792a56f2f75480ba09e3d0e7061c0fd81da6e952f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 60ebcf54ecb5b2d5a3deed825e2fa8c3 |
| SHA1 | 42a10b8315301528bb22e682cd1f0683b95c743f |
| SHA256 | 28016ac7f4ea34280a7e43f366ac8cf3da2623b735f2245505f0fbe138f591b5 |
| SHA512 | ff48424e89fca4266d5f6c408980a2a3760e6182f14698b0d51cd373d6debf753b6d29a64f58953a7e7680f373d967cd1d0337115e9709a1bad58c32dcf3dfe6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 7ce98a9e46d9b2682f63b940e6e7f022 |
| SHA1 | b3cead7b5c2e266495334e961c2c527caa975897 |
| SHA256 | bb3f80cd1caaca7a6e874376464b6d1a1dde28f4673871a5db4a2c05e080a52e |
| SHA512 | a7e042a006e1ac173e03e8a050ec8d572967e197ab124e447baf3977f7c6459ec660e34af5f8b7012dc4e778287dcabfdbe25eb8b240d68317743868107c43bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | d123640e4489ba9b9e03078e2fdc4aa1 |
| SHA1 | 416dfe8c6f45deb1b797a18062e8c8dc9b83b7f4 |
| SHA256 | 9973ad4815ac7c73d9108fa2b6de0c7122af623fb89d423e831a56b9a55b23ff |
| SHA512 | f3f0ef5d092ae8d2ffdd9d4a43a2284352bc8a25d4c9cc62adf812a525060d8727e231569afef71c1801926743ea84efd54877173a027870d0fd46cf904249a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | 88a552e6be1ac3978c49143983276b3a |
| SHA1 | dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423 |
| SHA256 | 927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5 |
| SHA512 | 125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 76a3f1e9a452564e0f8dce6c0ee111e8 |
| SHA1 | 11c3d925cbc1a52d53584fd8606f8f713aa59114 |
| SHA256 | 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c |
| SHA512 | a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 74e33b4b54f4d1f3da06ab47c5936a13 |
| SHA1 | 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c |
| SHA256 | 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287 |
| SHA512 | 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 24a16440d5b663d0d87263e812e3fd90 |
| SHA1 | 0ffec5a540218892b440703dfbf04bf1252def68 |
| SHA256 | c3af8b6de514fe12fef4987e8a1a9c6294ea0ebf46d0537bf02d18595abbe799 |
| SHA512 | 9845ca0adcbdf6e77a021073f5f01c6b0ecc0593d2c7e13d58b7717368d466d69f74c51934c77f21aaaf0704815fdefdf285748aa3e17441b700ba092a6df9cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0bfe25f4337f720136f073c2911da50f |
| SHA1 | 0356c710ca2da21db86ca2087cd834d414f0cce1 |
| SHA256 | 0f2b1cf16fbd7cafb4c12f510920989744c7b0c8c811c2858a14aa08a9f6d433 |
| SHA512 | 096f14afb2d11b248aef86415657e9600bdd5ed42119d12e34e8a8d3651fa1c9940d43bc92471f353c3dbf39bcd25d9fa4a36307fc966ecbdd533e6ca8556648 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
| MD5 | b582b2eca79a750948dbb3777aeaaadb |
| SHA1 | bf0ea1c8a7b4a55779cbb3df1f1d75cc19910e9f |
| SHA256 | 04c7f19e1ae294cc641f6c497653b5c13c41b258559f5f05b790032ccca16c82 |
| SHA512 | 35cfd88afe4e4e8091d3a5c53f0f3e2dcd92aa58b7544b94d4d9d7cdf508d429c5292aa97b813c9c8ad18e4d121d4e6595c49f5ddafbeab7b39f3a7c9d0b58dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
| MD5 | 33411bb179575dfc40cc62c61899664f |
| SHA1 | d03c06d5893d632e1a7f826a6ffd9768ba885e11 |
| SHA256 | 274befc7b39609fed270e69335bc92b3d8251545594636eb408d5d93e0ae1a4f |
| SHA512 | dc830766c928ac84df16d094fc92586b9c2c25f819123dc9b5ec259220b4b1c45e2af28c89a710f047c00c9dcf7df8dd859a9a7a2d2228703f616df13caef2c7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3e853acbedeb080c610064d6e0bd2b46 |
| SHA1 | 0c07719d2b8b4e0a3ad9553ca952c30542c5ca5a |
| SHA256 | f4fae5395a1ab0732243e8ffe414dcdd8c1687fdddf747738d8397b91750c83e |
| SHA512 | 1bd3806749ca34cf47c410607320b2255a1de00274ef9497f4fff7ede236cab95cc531f79d40166c14ee453e921671d5d8154c8f28a8ff6ca6556ccefd526719 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593b4a.TMP
| MD5 | 05f41dec5c3896f78c1a7e53c05de397 |
| SHA1 | 84ca53d6f94455b32cd6e361ea0481341af0ccad |
| SHA256 | f1d2e9ede3947c28602b9e96597dac68bcbcdb862091a7301db143e8e6e9f527 |
| SHA512 | ad85a5208c69afddbef8fa85d9da2b55da03ad34bf23531b1064c0d111b0d434a5b98463629f4351b53680e5d3e717d134843538b6aaee46a7bb6b8d34445ba5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3e8b93afa865d00c8058cba0ef05e22d |
| SHA1 | 76891d8ca17c80efc45421a4caaa29ab01a2235c |
| SHA256 | 609899244b33a36e2e26a838600e89cf1e38f5e1d859e24a0fe5250853492da7 |
| SHA512 | b24fe35ccec58ebb159fea89c4da4dd423dbe0219fe003ad7b2eb05ce4061c607a3ef7b07e20c5a7e7a7402291cb4776c04df24f5f7dcc5fa369fdd390bd4e07 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | bbc7e5859c0d0757b3b1b15e1b11929d |
| SHA1 | 59df2c56b3c79ac1de9b400ddf3c5a693fa76c2d |
| SHA256 | 851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2 |
| SHA512 | f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
| MD5 | bc9faa8bb6aae687766b2db2e055a494 |
| SHA1 | 34b2395d1b6908afcd60f92cdd8e7153939191e4 |
| SHA256 | 4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed |
| SHA512 | 621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4 |