Malware Analysis Report

2024-11-13 13:50

Sample ID 240405-3fca2sfc93
Target https://store2.gofile.io/download/direct/d7bffa84-89ff-43a9-9bd7-9513720de243/Teen%20Girl%20Leak%20Porn9.js
Tags
remcos rhadamanthys ads collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://store2.gofile.io/download/direct/d7bffa84-89ff-43a9-9bd7-9513720de243/Teen%20Girl%20Leak%20Porn9.js was found to be: Known bad.

Malicious Activity Summary

remcos rhadamanthys ads collection rat spyware stealer

Remcos

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

NirSoft WebBrowserPassView

NirSoft MailPassView

Nirsoft

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops startup file

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Script User-Agent

NTFS ADS

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 23:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 23:26

Reported

2024-04-05 23:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

sihost.exe

Signatures

Remcos

rat remcos

Rhadamanthys

stealer rhadamanthys

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunBatchFile1.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\ExtractedUtilities1\utility.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 534535.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities2\file.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities2\file.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities2\file.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities2\file.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities2\file.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities2\file.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A
N/A N/A C:\Users\Admin\ExtractedUtilities1\utility.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3660 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 5076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store2.gofile.io/download/direct/d7bffa84-89ff-43a9-9bd7-9513720de243/Teen%20Girl%20Leak%20Porn9.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff86b846f8,0x7fff86b84708,0x7fff86b84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16806769923696220732,14689223045955786936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities1\run.bat""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities1\run.bat""

C:\Users\Admin\ExtractedUtilities1\utility.exe

"utility.exe"

C:\Users\Admin\ExtractedUtilities1\utility.exe

"utility.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Users\Admin\ExtractedUtilities1\utility.exe

C:\Users\Admin\ExtractedUtilities1\utility.exe /stext "C:\Users\Admin\AppData\Local\Temp\kinjqpjmylhonesrtjqzd"

C:\Users\Admin\ExtractedUtilities1\utility.exe

C:\Users\Admin\ExtractedUtilities1\utility.exe /stext "C:\Users\Admin\AppData\Local\Temp\ucstrzbomuzbykovducsgbau"

C:\Users\Admin\ExtractedUtilities1\utility.exe

C:\Users\Admin\ExtractedUtilities1\utility.exe /stext "C:\Users\Admin\AppData\Local\Temp\fefmssmhacrgayczmfxuroulqxs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities2\run.bat""

C:\Users\Admin\ExtractedUtilities2\file.exe

"file.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities2\run.bat""

C:\Users\Admin\ExtractedUtilities2\file.exe

"file.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities2\run.bat""

C:\Users\Admin\ExtractedUtilities2\file.exe

"file.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities2\run.bat""

C:\Users\Admin\ExtractedUtilities2\file.exe

"file.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Teen Girl Leak Porn9.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ExtractedUtilities2\run.bat""

C:\Users\Admin\ExtractedUtilities2\file.exe

"file.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Teen Girl Leak Porn9.js"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Teen Girl Leak Porn9.js"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Teen Girl Leak Porn9.js"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=675B55F4C68C8CA98A669FA14C5014C5 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2683CBA7ED6E1497E9834C8CC09BCF56 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2683CBA7ED6E1497E9834C8CC09BCF56 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87E6E12960BE05E70A29F5FCAF92DEA9 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=17CCB14E02F5CD5E966DE47C44DE75C6 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36841EB40408A348850233F0E4629F1B --mojo-platform-channel-handle=2000 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1A65CF7DB673CECF35B9C6EA803823C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1A65CF7DB673CECF35B9C6EA803823C1 --renderer-client-id=8 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 store2.gofile.io udp
FR 45.112.123.239:443 store2.gofile.io tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 239.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 172.67.145.129:443 rentry.co tcp
US 8.8.8.8:53 store2.gofile.io udp
FR 45.112.123.239:443 store2.gofile.io tcp
US 8.8.8.8:53 129.145.67.172.in-addr.arpa udp
US 172.67.145.129:443 rentry.co tcp
FR 45.112.123.239:443 store2.gofile.io tcp
US 172.67.145.129:443 rentry.co tcp
US 172.67.145.129:443 rentry.co tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 rm.anonbaba.net udp
TR 94.156.8.54:3392 rm.anonbaba.net tcp
FR 45.112.123.239:443 store2.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 54.8.156.94.in-addr.arpa udp
TR 94.156.8.54:3392 rm.anonbaba.net tcp
TR 94.156.8.54:3392 rm.anonbaba.net tcp
US 172.67.145.129:443 rentry.co tcp
FR 45.112.123.239:443 store2.gofile.io tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
FR 45.112.123.239:443 store2.gofile.io tcp
US 172.67.145.129:443 rentry.co tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 172.67.145.129:443 rentry.co tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FR 45.112.123.239:443 store2.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 172.67.145.129:443 rentry.co tcp
FR 45.112.123.239:443 store2.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 172.67.145.129:443 rentry.co tcp
FR 45.112.123.239:443 store2.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 114.136.73.23.in-addr.arpa udp
US 172.67.145.129:443 rentry.co tcp
FR 45.112.123.239:443 store2.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e1b45169ebca0dceadb0f45697799d62
SHA1 803604277318898e6f5c6fb92270ca83b5609cd5
SHA256 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9ffb5f81e8eccd0963c46cbfea1abc20
SHA1 a02a610afd3543de215565bc488a4343bb5c1a59
SHA256 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA512 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

\??\pipe\LOCAL\crashpad_3660_USNYLKKPUKXDMWML

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d2b4b35bba11df64c2188d40f64a7c56
SHA1 e21a1a0b26369a166d90b2df3f9a4cb2fe4687a0
SHA256 87da8febb5044a5a996702455d0ef3274befe803546da6f7f352ca534a1ea8e0
SHA512 dbc1c4ee67fc8a5d7e098519adaba6bf7683291fbcbcc2c13175c3733e7be8a7b788addf8096360a074ca464f30968aa0aa1afb634c16b02db9943d5d360a9cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\Unconfirmed 534535.crdownload

MD5 c7bf73cc78d26ca413729649513a764f
SHA1 715c72c5f56fe85d435b7890bf02a95c86616fdf
SHA256 dcce666d48359add5a2b3e32717d5990362bde12b0204e999b69026da0d29ca7
SHA512 99bc2056058772f39f7207b1529f95b5e5a86fe758cd46f4624595d9d921d4ef3b3168b247d68f2d8e810c4e47145e0f81c09e4d26b6a3bf6583abce9906e8ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b1a5e35b84bfb6c83b6961ea779ddfba
SHA1 63647f18d72e0acba82c7e993b8e261cc8e9fa23
SHA256 9bed8254c27e9687e382940fdbe2ab779c7e6db3d565fed701a78a0832e6fab1
SHA512 161d0833869ce73530f74030f06b7ef95e55070dc81d92cd83675a909784d9671ae43114d86d6feba20a8afdd634d4f9cb0798a3b6fc0d657457d3086e5aea8e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 238183b99ab8be5a4697cad1f2e5e7c1
SHA1 90ee1bf2a28172409be9c6d4d3175497a3021b52
SHA256 c307809f03b5e6a679eee51c08dbe276dde365a138397183cf21d9a226539ec8
SHA512 7e900515231de25610ce37b3c7a3cb5f44724ef1d10f23421dce60ffc9c19d5ac4fcf11ca07aeaa93443f4220b237386c3d8dae21a8335156d9e7d2b96cd273f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwwtd2ko.lbw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5244-79-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5244-78-0x000002226A630000-0x000002226A652000-memory.dmp

memory/5244-80-0x000002226A420000-0x000002226A430000-memory.dmp

memory/5244-81-0x000002226A420000-0x000002226A430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tempScript.ps1

MD5 5983717fc6d7ee69b9f384c329c7953e
SHA1 12509f1c32fb836185a3c7bf980b6edaa74f962f
SHA256 140ac47d172a0f6660530306468d15cb4b97248a29dd7d68510754158585bf82
SHA512 429e022020fd2d83624bdb8cde17ce20051709ca5371b1d0acc278f60956a07ffa6c4583a79a7aab019be6cc21441a11b562e5c0ea98f3eb6cf0ba8d2377498e

memory/5492-84-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5492-85-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

memory/5492-97-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

memory/5492-96-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

memory/5244-99-0x000002226A420000-0x000002226A430000-memory.dmp

memory/5244-100-0x000002226A6C0000-0x000002226A6D2000-memory.dmp

memory/5244-101-0x000002226A6B0000-0x000002226A6BA000-memory.dmp

C:\Users\Admin\utilities1.zip

MD5 e4c899c07a1cbaaad3e976d4ddba93ad
SHA1 27cb549500048978f671e964a150f24ec9e4c8a3
SHA256 91cb8ec6d5c15b777fac6f9960292af03feaad22b89e4df8e9fed03d8af3c651
SHA512 ca76004c9957f5480575523d6c422ce8b8cbcb6e2547b09b054aed5cce862f89f96440a90e4163241557b7b2f3d07537907574325b06a0edc5036ba0e4811b59

C:\Users\Admin\ExtractedUtilities1\data.bin

MD5 acf3c00362de1bc620b5ea883912deb3
SHA1 71384b0f54b1b5a41061ce14f6f1994f9783d322
SHA256 b50013a2b0c74ed1ca53a8f29eb38e9d5f53855c26aac2a8f848754110bdc056
SHA512 1848d32918564504b3bd77d214d0a51225232ffc36e338b9da928558cc4927c8710f74acb273235bb7076852d2636c662b8112a96275c52a262ec3016eac6648

memory/5804-111-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5804-112-0x0000021569320000-0x0000021569330000-memory.dmp

memory/5244-113-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5804-114-0x0000021569320000-0x0000021569330000-memory.dmp

C:\Users\Admin\ExtractedUtilities1\g2m.dll

MD5 326683813b145cc5469dff1f77c701e3
SHA1 b31eb0e91c6e70719a15dd61e7e374ce2b7782c1
SHA256 93439fe9b45d7b6e9fcdc5e68fd47677ea17025e4eabb6f1468cb9ae98ee8a5b
SHA512 981bf18aa03259a557eed4fc336d27f3f55b3a0421e70b6b59c5ef9753be885b537d5e55f2d58753621b57aa6079708d35732edddd4d97d4891b79600e631fc3

C:\Users\Admin\ExtractedUtilities1\run.bat

MD5 8643f13e3acca9eaebf77126dbb0e5a9
SHA1 830df4340927ce390b330eb97db8c272817e1cff
SHA256 80fb32f8dbf88b78818f619e81a9fc12e3496e2f38a2a8b3a692752c53d38c4d
SHA512 1d48ec6f9d6a3b460a1838080ea7d14088abfcc5670fd070ab4a3873301b03dccfcded97f201b26c3b45f66cfa2ea52603f966d8219234528fff91f096e6e309

C:\Users\Admin\ExtractedUtilities1\utility.exe

MD5 f1b14f71252de9ac763dbfbfbfc8c2dc
SHA1 dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
SHA256 796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
SHA512 636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

memory/6128-150-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6128-152-0x0000000000720000-0x0000000000796000-memory.dmp

memory/6128-156-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6092-157-0x0000000000500000-0x0000000000580000-memory.dmp

memory/5244-158-0x000002226A420000-0x000002226A430000-memory.dmp

memory/6128-160-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6092-161-0x0000000000500000-0x0000000000580000-memory.dmp

memory/6092-162-0x0000000000500000-0x0000000000580000-memory.dmp

memory/6128-163-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/5244-164-0x000002226A420000-0x000002226A430000-memory.dmp

memory/5192-174-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5192-175-0x000001606D170000-0x000001606D180000-memory.dmp

memory/5192-176-0x000001606D170000-0x000001606D180000-memory.dmp

memory/5492-177-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5492-178-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

memory/6128-180-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/5244-179-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/6128-181-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6128-182-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6128-183-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6128-184-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6128-187-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/5492-190-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

memory/5192-189-0x000001606D170000-0x000001606D180000-memory.dmp

memory/5492-191-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 367fdca7d3dadbc793710db57784d6a9
SHA1 29c66e793d0b649ae426ba3721fa325009898684
SHA256 c019f476fbbeb3bab98116f8d122d6314f4d924a09eb50bf6b049028b02ebb2e
SHA512 d609b2132262c05798967c18f771969a5438755a45c487d4d0a6ab8c184c9ef3fa2387e7dd8c8ee25dfb730a1a0a4dfeca9f6558fa80b2346ebefd85776da2d8

memory/5932-192-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/6128-207-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/5932-208-0x0000020C7BB90000-0x0000020C7BBA0000-memory.dmp

memory/5932-209-0x0000020C7BB90000-0x0000020C7BBA0000-memory.dmp

memory/5492-222-0x000001DC3A670000-0x000001DC3A680000-memory.dmp

memory/5872-224-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5136-226-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5136-220-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5180-228-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5872-232-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5136-231-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5180-234-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5872-237-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5180-239-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5136-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5180-235-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5804-233-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5804-243-0x0000021569320000-0x0000021569330000-memory.dmp

memory/5872-245-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5872-246-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5136-256-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5932-260-0x0000020C7BB90000-0x0000020C7BBA0000-memory.dmp

memory/5804-258-0x0000021569320000-0x0000021569330000-memory.dmp

memory/5932-261-0x0000020C7BB90000-0x0000020C7BBA0000-memory.dmp

memory/6128-263-0x0000000010000000-0x0000000010019000-memory.dmp

memory/6128-264-0x00000000007A0000-0x0000000000820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kinjqpjmylhonesrtjqzd

MD5 ec0cf9ff722f9a9259c3338972c40886
SHA1 31bad5285affb58c5ebe0569bbdb9bd1deab245c
SHA256 30190665467845aed54732c31c7e385368c10acb595cffdd7ca9523fff051a19
SHA512 bdfaf9576db431d3c4d14e0ea5deafce661fceda6d5123a6f4b84d50a576dd1ccf4202091dc0b55bed665dd45b4e30d2a797bda6015b06f5771064f9bab32d1a

memory/6128-267-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5272-269-0x00000231F8940000-0x00000231F8950000-memory.dmp

memory/6128-270-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5272-271-0x00000231F8940000-0x00000231F8950000-memory.dmp

memory/5272-268-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/6128-272-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/5192-274-0x000001606D170000-0x000001606D180000-memory.dmp

memory/5192-273-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/6128-276-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\utilities1.zip

MD5 b9aff56013d9a86de852a6a1b82fcf9e
SHA1 6625debd422546a59b0907b88e34c997720823a4
SHA256 0de64ba7f686c5fa5118e8544cf0935190c44c8eac3ffa3545be4a67d903b218
SHA512 aea0951369259715a31f1499a7e12ffd1ae03556f4fa2158c42e85d015142366893b92a442575314ba6f762bde1c91e59ddfeb6d214c26af5a5ea6ee732daf0b

C:\Users\Admin\utilities2.zip

MD5 443eef47eecfdb27fe6e1e542930ec7a
SHA1 f566a1c423d2bed7d73d097e28ff8982af36a19a
SHA256 dfb1deb7f195d31ff4b2c8dfe6ff829c7ff7c4db2321c821bad79d7806b13e23
SHA512 3742436af958e207f311526333ea73cef9c4b86ae4c54cfe53a22bcffe77e0c935cd3ed353f5f913c88b366c5c70c27c8f74ba27496f74fb43e72de4b74792c3

memory/5192-290-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5272-293-0x00000231F8940000-0x00000231F8950000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fe3aab3ae544a134b68e881b82b70169
SHA1 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256 bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\utilities1.zip

MD5 adc96f8fef662b92868a78df1d311c44
SHA1 cfca7e537ddb9c5c29fe55efd221b50f88655b7f
SHA256 e07d39782342766acb5ae2dd5077fb1160fdf0d95fec6de817ed3b5ac6f40d23
SHA512 f3764175bf2f01e89ee66f9db67aa00506da47bcfe4686f6f15b8ff9a3ffc8d355544b1512525aaf5494f54fcdc635ebb517e37870507efa674c7da6bc4ad498

C:\Users\Admin\utilities2.zip

MD5 58da934b0c172e65bc1231ae9639e085
SHA1 a6ffe86523ca2a181e7ab521ac701280cc8af0a8
SHA256 4c9355c5648c7449c57ac3d87bc2d0518cfcacd7d34a5c008f9f9249a510a8a1
SHA512 1d0071026dc60cb9b364bff50879e694d4485cb8bbe80926333c4566388222c0c6b972c020ff176ee923f4bf0efaab5a6e37f8e4e2846768d6594d86a8362115

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e965d0169fe1ac12a27374de36eaa2e
SHA1 9617b89be60c7f5c254911c19a1fee06ca19105d
SHA256 4abf82d097b10fe9883e3869aadf011205d15882ac44d32fca3fff82af141e1c
SHA512 b7536eaad369ea58ede58b4e6764b61d84f8207a4082846c9c93b16f4c364f8c7d83e198bdcd3ee9e72d306d325d69948b54de5d74b75b9357308e77452361d8

C:\Users\Admin\utilities2.zip

MD5 22a0424c83dfa033b6e14b05445c5bab
SHA1 eda7a7e9856373d57a664cc237f652f5711fa983
SHA256 c529cd95c0c85ca18df3e690f840e51d0be33b5b92f8bf1e9f91821eaedac68c
SHA512 45048d0dfda31035be9569110c396c7c78bd1017706cec913c6c217a70aefbc44db188f5bd0ffd8976ca1b49ceb54423e7a70637e5278d63b636ad66dce221c2

memory/5932-307-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

C:\Users\Admin\utilities1.zip

MD5 e643597a964c30d57b473d88befc3b8c
SHA1 a18c66baeb3f2cb1f28d8a1ea131ba181c362b3e
SHA256 7831018af02ed008ad5a420392bdec8b71b2a9042e437f2802edceae48d131a3
SHA512 d8cede2138a1f56f888a44e7399d3f2ad0f0ed422143b46dac55bc647bc61afba2a7abed604bc02517d9b2fb7f6375cb223f9d63ad00a891e9479723696bf5e4

C:\Users\Admin\ExtractedUtilities2\run.bat

MD5 922d706a6ff52cd5f8ff57287aec9907
SHA1 c2093b630f1180bc8b48c71957655182f6a56053
SHA256 12ecd3179026dc979012895d1ba547cdd48b6940d34eb5cca266ef943c990efd
SHA512 eca850162e741141a2a7e62a028cfb3c9ec45baecbdf9a0560fbc82a3aed2ef9fccd108aa8b167002fd1727e0170cdfc29a3d5d4bb574690cdeefa6b2b3e6fb3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33a5582d19d967ee5af5e4faf5b470cd
SHA1 232581ae8550d0bd670e409610aeb831f7d95a08
SHA256 47540bf52bad88f132411bc67d473caecedc3bf329434f006b54710492019405
SHA512 cf064ede82004ac51abfbd9190cf77d3c71438ec3d6759b50e9cb33a18c4ebe79c450bcbf083427dac31cafcf10a366e92c9496cc24ef92e8680cedf4f230d1a

C:\Users\Admin\ExtractedUtilities2\g2m.dll

MD5 eef5e122a610edb4f13115dff624b2b9
SHA1 da324be4ee4c1573fbaedd83307ee888335d9661
SHA256 dd9c9d63a5f4798d3d30ddc7d0eb569c4406b2db7224b936c0721b78b7436940
SHA512 7f2318d222ac172b5aadecb09e19ff121a2648742c4e23fee91a9551a2f50014886fcb9f67f228e43fadd36fe80e71b9e6bd443b6d696533f872a2fb99862556

memory/5492-323-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

C:\Users\Admin\ExtractedUtilities2\data.bin

MD5 364a46c611cd7fead3527533982c616e
SHA1 3b0c8cce7a3a462d8865487f28d68c38de6851c4
SHA256 6963569bfd71c7b642826ac0cd8ac2511510168204b68a7b9940d656059f7df8
SHA512 9bc71ccc5e330b2641ef57c570e49ca944d4d4de633698adf1813e1a1368c4b700d71e63598c8caa55272e4cb310aeac1eb827980a69ee03f7f7d528dddc9f7d

memory/5332-324-0x0000000000060000-0x00000000000C1000-memory.dmp

memory/5804-326-0x0000021569320000-0x0000021569330000-memory.dmp

memory/5804-332-0x0000021569320000-0x0000021569330000-memory.dmp

memory/6128-334-0x00000000007A0000-0x0000000000820000-memory.dmp

memory/6128-335-0x00000000007A0000-0x0000000000820000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a544f3a42aec20fd34799cca9266219
SHA1 19214f41f76c34e09ae62944dd071f3eff3973df
SHA256 87a0ea4f4da4be01a78f17b0bc345b323fa89e23b9c822f5b9fb331041ae5f90
SHA512 30732284cd064f29dd09b6db49c1e6edf6af4e1b0dc7fc31e7a589a7f586e195acfdd12bb56590f191f78ded6a066987928cb6a376891fa58ba6879ba439218e

memory/5804-345-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5332-346-0x0000000003840000-0x0000000003C40000-memory.dmp

memory/5332-348-0x0000000003840000-0x0000000003C40000-memory.dmp

memory/5332-347-0x0000000003840000-0x0000000003C40000-memory.dmp

memory/5332-349-0x00007FFF94DD0000-0x00007FFF94FC5000-memory.dmp

memory/5332-351-0x0000000003840000-0x0000000003C40000-memory.dmp

memory/5972-353-0x0000000000650000-0x0000000000659000-memory.dmp

memory/5332-352-0x0000000077620000-0x0000000077835000-memory.dmp

memory/5972-356-0x00000000024B0000-0x00000000028B0000-memory.dmp

memory/5972-355-0x00000000024B0000-0x00000000028B0000-memory.dmp

memory/5972-357-0x00007FFF94DD0000-0x00007FFF94FC5000-memory.dmp

memory/5272-359-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/5972-361-0x0000000077620000-0x0000000077835000-memory.dmp

memory/5972-360-0x00000000024B0000-0x00000000028B0000-memory.dmp

memory/5972-362-0x00000000024B0000-0x00000000028B0000-memory.dmp

memory/1096-366-0x00007FFF73360000-0x00007FFF73E21000-memory.dmp

memory/1096-369-0x0000021BBEF70000-0x0000021BBEF80000-memory.dmp

memory/5600-412-0x0000000003900000-0x0000000003D00000-memory.dmp

memory/5600-413-0x00007FFF94DD0000-0x00007FFF94FC5000-memory.dmp

memory/5600-416-0x0000000077620000-0x0000000077835000-memory.dmp

memory/2088-419-0x0000000002550000-0x0000000002950000-memory.dmp

memory/2088-421-0x00007FFF94DD0000-0x00007FFF94FC5000-memory.dmp

memory/2088-424-0x0000000077620000-0x0000000077835000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f623cb675b3953f6b334281b1214c46f
SHA1 398c687963e2147bca6a4804318b74094458ef7e
SHA256 c7eee96a62af86d9050317c6deb0e0e396df0060ce58d3c9fd93ab663dafdeb4
SHA512 7784f928c2460f0ece62834b4457aadcc1d05052d055bffe1af20f215d51fdf474013c7ac2769fb00fd201b33eddff1a62089ffa36787b29ec7f82916b40bcef

memory/4296-467-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/4296-468-0x00007FFF94DD0000-0x00007FFF94FC5000-memory.dmp

memory/4296-471-0x0000000077620000-0x0000000077835000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5ab08848d295cdda7440e056d4cf3190
SHA1 864fdaa6dd90df0872705e848900b4a5f81e6591
SHA256 30000c58c6cc67c5cae7b464bdaf5adaeaff36dda44c14a00721ab0cbc63f139
SHA512 761dd54add61d5ef5dbc0f61c2642347ac1ca2c95370b483a520c18d528a2f9ec4b2bec36c5a463304c9f9164d7e1cf0519fe7d6509a9dc529d7c7aa22f8f216

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4650a437d36208105003e67dd6878b04
SHA1 6f9fbc631e73ce3f68e0f2c257682062f5d70696
SHA256 a1b2ce7d76ae74e1a203ce75523ca63ae3133068cc8afdbb07ca19d297746ee0
SHA512 e08184e66c04b73671a00162661ee99eccc9cc941ed1f4fddbd0a13933cbc3952bc2de085b7f85abdd5ca6497f68f1fd194c4952002b88c505b613cbf3bde37e