Malware Analysis Report

2025-05-05 23:29

Sample ID 240504-r9esgsha2t
Target configureStealChecker.png
SHA256 3bc027a50eb8aa85e590e120d203bec009069f23e8637145916b0de4827209ff
Tags
zgrat discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3bc027a50eb8aa85e590e120d203bec009069f23e8637145916b0de4827209ff

Threat Level: Known bad

The file configureStealChecker.png was found to be: Known bad.

Malicious Activity Summary

zgrat discovery rat spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Detect ZGRat V1

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

NTFS ADS

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 14:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 14:53

Reported

2024-05-04 14:56

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\configureStealChecker.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\configureStealChecker.png

Network

N/A

Files

memory/1336-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 14:53

Reported

2024-05-04 14:58

Platform

win10v2004-20240419-en

Max time kernel

308s

Max time network

304s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4660 created 3452 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif C:\Windows\Explorer.EXE

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-17203666-93769886-2545153620-1000\{4E9A2A28-282A-4B6D-B827-64905B61A428} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 921864.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 173262.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 2880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 2676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 3252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 3252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1376 wrote to memory of 940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\configureStealChecker.png

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff7d3f46f8,0x7fff7d3f4708,0x7fff7d3f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7020 /prefetch:8

C:\Users\Admin\Downloads\winrar-x64-701b1.exe

"C:\Users\Admin\Downloads\winrar-x64-701b1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5836 /prefetch:2

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\8261f2c7eede4a1d967cf75f31ffd8e2 /t 2112 /p 5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14588098516780270736,10949037255237857808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8

C:\Users\Admin\Downloads\winrar-x64-700.exe

"C:\Users\Admin\Downloads\winrar-x64-700.exe"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\6e4ca27ac3e4468f9e7aad0d70d96e90 /t 1460 /p 1956

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap979:72:7zEvent23125

C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe

"C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 4483934

C:\Windows\SysWOW64\findstr.exe

findstr /V "unemploymentibmrecoveredfarm" Tall

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4483934\o

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif

4483934\Tight.pif 4483934\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe

C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe

"C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 4484914

C:\Windows\SysWOW64\findstr.exe

findstr /V "unemploymentibmrecoveredfarm" Tall

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4484914\o

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4484914\Tight.pif

4484914\Tight.pif 4484914\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe

"C:\Users\Admin\Desktop\CeleryX\Cel3ry.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 4485114

C:\Windows\SysWOW64\findstr.exe

findstr /V "unemploymentibmrecoveredfarm" Tall

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4485114\o

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4485114\Tight.pif

4485114\Tight.pif 4485114\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ryosx.cc udp
CZ 89.187.188.226:443 ryosx.cc tcp
CZ 89.187.188.226:443 ryosx.cc tcp
US 8.8.8.8:53 226.188.187.89.in-addr.arpa udp
US 8.8.8.8:53 www.mediafire.com udp
US 104.16.113.74:443 www.mediafire.com tcp
US 104.16.113.74:443 www.mediafire.com tcp
US 8.8.8.8:53 74.113.16.104.in-addr.arpa udp
US 8.8.8.8:53 static.mediafire.com udp
US 8.8.8.8:53 translate.google.com udp
GB 172.217.16.238:443 translate.google.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
DE 18.64.108.175:443 cdn.amplitude.com tcp
US 8.8.8.8:53 translate.googleapis.com udp
GB 216.58.201.106:443 translate.googleapis.com tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
GB 216.58.204.67:443 www.google.co.uk tcp
BE 64.233.167.154:443 stats.g.doubleclick.net tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 8.8.8.8:53 232.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 73.80.16.104.in-addr.arpa udp
US 8.8.8.8:53 175.108.64.18.in-addr.arpa udp
US 8.8.8.8:53 68.2.66.18.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 api.amplitude.com udp
BE 64.233.167.154:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 translate-pa.googleapis.com udp
US 54.184.235.130:443 api.amplitude.com tcp
GB 216.58.204.67:443 www.google.co.uk udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 download2390.mediafire.com udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 154.167.233.64.in-addr.arpa udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 130.235.184.54.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 199.91.155.131:443 download2390.mediafire.com tcp
US 199.91.155.131:443 download2390.mediafire.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 131.155.91.199.in-addr.arpa udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
GB 216.58.201.106:443 translate-pa.googleapis.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 23.62.61.75:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.75:443 r.bing.com tcp
US 216.239.32.36:443 region1.analytics.google.com udp
GB 216.58.201.106:443 translate-pa.googleapis.com udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 40.126.31.71:443 login.microsoftonline.com tcp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.rarlab.com udp
DE 51.195.68.162:443 www.rarlab.com tcp
DE 51.195.68.162:443 www.rarlab.com tcp
US 8.8.8.8:53 162.68.195.51.in-addr.arpa udp
US 8.8.8.8:53 89.33.18.104.in-addr.arpa udp
DE 51.195.68.162:443 www.rarlab.com tcp
DE 51.195.68.162:443 www.rarlab.com tcp
US 8.8.8.8:53 www.win-rar.com udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 163.68.195.51.in-addr.arpa udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 KJoFONIMgPTTNrOAY.KJoFONIMgPTTNrOAY udp
NL 109.107.157.17:15866 tcp
US 8.8.8.8:53 17.157.107.109.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 KJoFONIMgPTTNrOAY.KJoFONIMgPTTNrOAY udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a9e55f5864d6e2afd2fd84e25a3bc228
SHA1 a5efcff9e3df6252c7fe8535d505235f82aab276
SHA256 0f4df3120e4620555916be8e51c29be8d600d68ae5244efad6a0268aabc8c452
SHA512 12f45fa73a6de6dfe17acc8b52b60f2d79008da130730b74cc138c1dcd73ccc99487165e3c8c90dc247359fde272f1ec6b3cf2c5fcb04e5093936144d0558b75

\??\pipe\LOCAL\crashpad_1376_YACVTOSFVOYQGKDX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dbac49e66219979194c79f1cf1cb3dd1
SHA1 4ef87804a04d51ae1fac358f92382548b27f62f2
SHA256 f24ed6c5bf4b734a9af4d64e14a80a160bea569f50849f70bf7b7277c4f48562
SHA512 bb314d61f53cf7774f6dfb6b772c72f5daf386bc3d27d2bb7a14c65848ee86e6c48e9c5696693ded31846b69b9372a530175df48494e3d61a228e49d43401ad1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5aa2158dcf2a6fd73b418d4f72030083
SHA1 7aa1a36c0d51e9fdff8258f70dc6ac5cb61aa5a9
SHA256 b29beaecb97fe6e3d21fefadb2bd44df625186677096b234e04c7d3d9aa48db6
SHA512 4e82ea1b6ef1ea02a2abd800de461a97be34594566ef30e2249412806a265c4f9eef41759a4312e0f7aeee69be588260a9cdfca69249403585911f72ff287efd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c06378d77e82553782ae818c6bb4e43e
SHA1 36bd46433834b21b740bd6bae05150d8209484e6
SHA256 d1f04a8c5c51e696f6a43cf5696acfe2f99ed5cfc8fe578966b9a6ae2160536a
SHA512 952d539fe8477adb3372c1cd398811be5cb8afdf34446d5204e66edac5e8a1f9f42336925324dd0fe25069818e89e72f90a985a93005da9e370229520d304566

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 153a789eadbb05489d5d07f12dfefe2e
SHA1 a5d3f863063ab7e7a509dbb971ad4c4e9a902467
SHA256 35574331e867afc46667ef6658d0c5646b2762df36b8492f81e5738b49297d7f
SHA512 88177843bafe521bda885cd2a4b370c3ad72cc8312afea6aabaf50ee69f5e40ef3233633686853c57862b5f65a1e613b92e062a787ad0cf4d7493b508256d26d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 97c274c135ab2e5f02f67a89dba03577
SHA1 2adecae1b6148cdea1b153cb47cc73f53875a400
SHA256 58dfc144626253527bcd818ac5a99ee4ad9a6d66f3b3272bfeb95fc27fcbf165
SHA512 ee0402ea0969eff667f2a1813184f9cf68426e126d952b20d601e4bcaa7ca226d3ad194eef8122695963aa5727641a7014e818928dfbd0f731b7f2b64774f8f9

C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1.zip

MD5 627066057611ef9f4bb5259107a9e752
SHA1 8f0643f23a0cea2ff241815c96dd31a5cfba0255
SHA256 cc2956caa4a83e34181f290e6b51dc3eb909ca9b7737d25f6473359dc218d361
SHA512 ff687014cdfcbd1eeaa52d352d651233684dc7d55ef20d092c013064c604990c16b96f55424f9661b7195171c0a2829d7a9bdc8990181e56d7e2aa40cac1baac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 dbef09ed28268af715154cfba6f05a6c
SHA1 9a52b011de4934f69bfb4c4ef9a4045188279325
SHA256 35b6cbc784ae0f2f2509ea438905a3b29020de96381e8599f7f6023b8fb147ce
SHA512 e279c0d5401f4d3b4d61a75908b61ba0c4202d8a7fc39f74fd7a452d206be9eecd55b7bbf32fbc8f3660dd793768f8c2c64a346c581aadef18a3aaeab14ea29f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1c252c93b021d2dbdd83b5727ed4ade2
SHA1 41bbe438ad23ade9b41a49ad750522e3348a24b7
SHA256 3309ab860fc12d6fca3c5967fa9b6ab7ce1b02996263cfee1308454237335ad3
SHA512 2a43af54ff3d9dc21b3a8e8e8df807251bd3846ea23c1e781f47223ec328d8162901ba83205bba23f97854f2afff625b09c445b06592cc88bdee2d65e1129110

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c859f6ea1f23e9e229538f002b99bcb5
SHA1 5490e530c73b87cfbf225a6e6d7447b73c82036f
SHA256 5277cc029c643b88ef680f9aa67c773faea7a9cbb03c9894e4eee51216d9909b
SHA512 0a807442b5f47f8420c3f94c9d1a2d66a087131bad77b6d388ac4ef9a6be8f0db25975194f0e1fd19cac9c9963852a52f70192a224445810990f258a918be13d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b2c84e8a2adfc5bd7820344e5dcdca6f
SHA1 8321446dd4a2611087cdd951b5f207e6086bcb24
SHA256 3679c15aa59a571c01eafd901b3d6ce607fde91980d1d08684f7221a6ff41c6b
SHA512 aebe170e02b628c5304e5d90beb9ce5f926468075ea6541119bc79753a821c884b39e41757694f30dd8d5782b0095f5c8200f14d724f2ce9f21844d134958f5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 96def06d4a1fd4a99ddb1fcd1f0ddc2c
SHA1 db8ec623a02dbea8c4c85ee3a66927f8fbfce198
SHA256 4416c775956f8db75ec65496f32d8ad0deb7bdbdc62e7427240356cb4c9a1162
SHA512 1acfe252ab4a6f2e9bfbe3e4b586fd09214a4c53f17f1968f2bd171a708fd1b80fa8834927ed95787c1ac6b734323c3906ed9b6245ea50e672f398b670ab79c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592541.TMP

MD5 1da4c7c625f19c7b31e4ae15f4399d48
SHA1 dd0c37060f3f0c6490c4a5e62c6c8b889d3f869c
SHA256 c651cfc4d63745b17214944bfe8c3c64ba66f0ba2ead196f509c7b264242a3ba
SHA512 e1ac88f424c394a2e83fde7d4ab3fad78040711cd89fdda38cf72746c7f33beb8d2895b8cc894bc9bbe23afecd1509a2637934439afc986463c9eec950a5ab82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e4193c0f85cd2952ae8b1e773237cd7b
SHA1 dcb6d83430e38e9f4cb4a16e2e417722b96a8b47
SHA256 9fb47807a4318f675ff0c942634f1d3ff2281d0e6a27b65a4a5e0e7c2e91ed9e
SHA512 1c75ae4fc9d14aef4e3015a9483dbb3b2708906c62d8f08bfc4e9bee61080faad480ddcbcfafd758356804dfca16fb2ac16a5bd6fba6f978e349e9ed8c07cda3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 165cc44e7327cd6a4eac3844d725d22a
SHA1 db0d2579eba108d1c5359f58c11b492f2d26a9d9
SHA256 3106cf7f7221181269300bc1aa8ce0f2ceac31310ad496c86cca75986d1b7069
SHA512 dd3fe224f1821bca609ab61b460fc332d57ad733404d8b1012489868980f176803d51392e118cf4572b8cfdfa3ed09b2f681cf84cc7751b0c11ccd23bdbfb3d5

C:\Users\Admin\Downloads\winrar-x64-701b1.exe

MD5 8c80e9a6c80f878dbbbb84c0eeb06841
SHA1 776c1ebfefd195cdd974c7da149fd9335ef03684
SHA256 8249444b8ec33512027cde2bd6edb51bea9e9b4f35c4b261319d7a52d3befffc
SHA512 2032fcb28818c44e478ce4d73b76454ff50bd7ff67371b6de3b60978a3474f5dbf135d37b92f4d960c7a9bb95b594590f5beb385fddd0d49aeeca4e817028863

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5aa3555438a546c30801cfe7fe85d0d7
SHA1 eb6ec24deefdcc649f5e09407fbe3516699895cc
SHA256 953d519b74629c075649f83ef2be9547525b113525cf9b9727b31bc5bd159933
SHA512 f3a288e4a3acddca6072bd8194797a6248a1d4a8b5aaeffc7d116d1065ee0f5f4da32f6ff3b3a25ea5ed93d91c1dc44d548c424cc35025a9bc00e75802d25830

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fbf4c2a68ebd5d797a21b7d95e3db9a4
SHA1 e6f74f13f57c879636a71bfd37816d0e3015d656
SHA256 eb39586c2b1b8080a8041847b9061f4f3c6ef0efb292fb425e908979db1fdabe
SHA512 aade75de33f4d2a691852d1b60cac2f1cb9554ee099d3b01f908e6b715235ec42d893121ea7a7be3680feb86164c06253afa107aa3a1b1b4b7cb686d4869bacb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f2e4019435104bb19402de0dd8039506
SHA1 310bd9f4508a9b43c1cdb94dcc209c68a1f8f074
SHA256 b0a39fcb964914d6e3413ec466bbbe5f827277d915f57d7d23fcd7c60acf5a4d
SHA512 787cb91f8385d07728c7642461ccd9e6c0405df162343be2a618d64d97c37a0495e8af0e3327bcb34c9d37a11dc429de9fee99fd02c72ee7f739e61ed1496a92

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 517d162ddc7836e330e396223543c576
SHA1 b34bf5b883094f074d1ffe9add6ab7f68610f89d
SHA256 eafa5670f3bd8970aa8aff19240aa137f860ab9099f3645b9e2007c522012eab
SHA512 909aa336a8279cc03d22af16ba43dc2ea09bf2e1412ad2bae7fab23c1e9ada8810fa20a6f51756e41b03857a9938dc3b37fb2169df4cde37874e1545261e9fe6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 215b811c9d8ed888fb8a49eff72685b9
SHA1 e4a796ed1528ce4e2ea6af73668dc797221f86fd
SHA256 3589e89770765c280f18b23c45ac18e21e80371c66318b36059cb6c50120b0a4
SHA512 437f476672c4c538bab57fd6f61f2cd90fa06cd986662cb3a6d9c8595db7b84bb1eeede5641f814e33066ac63ceaca0d49015bcfc97c76bcdeb5ad28142eb154

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 44d717fcef80c92f02922d841b070435
SHA1 e279141b4345c98e6cc0739482035186fc009b22
SHA256 06ff84df368a0fd29f0e5e137d9b3d043d7ee277a34e56dbb75c57d1bc124031
SHA512 166b1a17073a890c0ccaad79a881b6d70cce22f9b683cfa4e51882d60cd0d2a79858b962916f34cb58b41a1d9cfe0f13427dc4b07845226f98008b447fbc0bf2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de252419c761e55728e84a65fbb2dfdf
SHA1 d4ced0c64d8109db1210c210867f507a9a1e2140
SHA256 1248614c6d6a59bb7f59e328204fb6df540f86f698788878d99658ab0bfb8f1b
SHA512 6addaa2cd2e8fee4c7e1104376d45b5a00e717a98851f10253be9c386ad53a3d5631f935bfc18ea1e67c915c610e7dfe7b5822778a112666a55952c7e3439ecf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ee027d96112004d583dbdce453e5f24d
SHA1 345109eb4c7af83cb86b767e3f5608b75e0c6445
SHA256 43a423b1bec9ff695dca303608c7d24ae376df9ac6c252d2d1777b895bfd737c
SHA512 7fb78f7fffb70d8e586845fe9e4bdc4c840c1fe6479cb880140d3339acbb8c0c12773efb38edf7cfd871f2fb5135795ebfe7f41055346560d2935007afa322f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ceea51c4dbbc59d38d2ec6b5d0d6645d
SHA1 c91ce2dace4815dfe3aad274afd256eb61c25ca1
SHA256 7d96d6ae33dc200c7d20554bbfa7cd113a8937f31aba98e24f85996bb04f0e15
SHA512 f8b00cc3cdb414ce49373c155d4751fd5e9fbc484da2c74b13474d0fd0ac290b5cc793afa2c728a7731d7e2deeba5e4f81e72b40bf88bb740bf0e92db317daf5

C:\Users\Admin\Downloads\Unconfirmed 173262.crdownload

MD5 48deabfacb5c8e88b81c7165ed4e3b0b
SHA1 de3dab0e9258f9ff3c93ab6738818c6ec399e6a4
SHA256 ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24
SHA512 d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c5388b713c710d2c78452d63a1f288f0
SHA1 fa09b600d3d0fa1e795fa04bd26c5de824999322
SHA256 9f8f73ea870a0bcbe01a5870453085f7c0653e0a94e20014077deb900d249ee0
SHA512 90708cac2d6d4ab385a46e3062eb3b45cdb58cdfc88bf5e669c8aff52993416a89dd22b4d664f342d038c6178bbf6f0af3c8d30e6d08d1099f9dc47e43f5a303

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0a05915957e6b69a8df16b37298945c6
SHA1 0f08bfeec32883f445262c63e7e8b3378a5c6b8e
SHA256 719883558c8c6044bda12f2397251aa9fc108fb2d0f54c33292bb144d777513b
SHA512 b2545497882750812d4649193441f7de6eec7283fe02947a88c07af1e4fce29556ac24c461d285951516c8bdbe56af54d60a80ab4bdeac6256d1a7508ef0b6d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 07943f4d66c17d06e71de10158ce3c53
SHA1 2a16c4dc60ead79c68f905d945cb0df910151151
SHA256 2d3411a80da61169597979429d203fb4a506fbbcbcc1744681d8191852fef32d
SHA512 098b24e88ce42d38cd84cedcf0ef804a72dc33ea5582b6be3126696be636e6c2c0caa08d31db1c24fd8cc1b5fd8f95a61a15fcb815694e699271d088e0da30ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 694912fdf9d78167e12d3a4abc13835a
SHA1 c16e64976b03691feb73462af85bfd4aeb5cead7
SHA256 6b54dfda532c41204bda7391ce4d490c52ee9eecea2c3ee6a83899e9572a77b8
SHA512 8acd1e5d0be64980c61cbce1ea1218e17d3ab634c355f9474c83bfdd240ba6a57749e5e4bd0fe9d1e24aa25f30d395cdb290a1dd9f0427049e1b63a855ef6bca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 68f8357654668905d34f2cfe5d75bee9
SHA1 cb0c131ead6722b56d3523b30b12bdbde7c5e485
SHA256 12d4b83a62551b07944c2a14bbe661d5439434ddcd9f08dd31040909b04a28f3
SHA512 a25e92b51a740c14d2b426100db186b6bc1fb93aaf4fbc3b269b3633b7ba4a8f8a400273a52b01f726334eacf7319072365b920b79c05bd77a1a32875f5b9675

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e26bed32d0ca34fa86168ae52d065232
SHA1 646a9e9dc012f4473c6ef27be6aaade0c3e3493c
SHA256 9b7d872d1e12c03664830c8f399736efd58a9c65602cd760efd8c41421873205
SHA512 0263b3a3fbf107db72a4e6f79a9a943dbbe0746d5c024057bb88e22fad1dba64b305abf1d9bb9725e6b0fa86b1eae24e7f7d17d32936913384d822707f8dda06

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Survivors

MD5 ec59908d44dae3c6763dfa1ff6e028d7
SHA1 692052f3a2b8ae0c3c833d79e879b04da2c6f2d9
SHA256 47b184b8d27dadc64fa276c3d1f43b048f7cd39b1d9f13ae746e316aee6dd133
SHA512 62f26d02cf268ef844006f22c5b3cb64cb6a24a3acbf6767f0928abbbbaf135d671808a0145940e7d89fac13e1575f8d9c64baaf6ae6550602dbdf1b4f90583c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tall

MD5 2deac528950398199abb1557e1760b0c
SHA1 36869327c9ff42859c62510f5714d32d8dc50b05
SHA256 df7ac59dcd9591f07f9a37f631f1cc92ed0cb0bc2e889cd69b83c8fecf3c990e
SHA512 9eb113c2de4e9d3f9f3a67ba7b3674dc288f0f852be5fb0a9901607d3517af674c5d0eaae9dc54aea1ec2b00fc10a7ce728f58ef268ac7678ea5da014990b28c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Phantom

MD5 572bbdae8e009af0d2840f10feaa4fde
SHA1 cef63dac1cf2112676c2c6f1f34d8619f5d7c9de
SHA256 c07c20860d8aded0d53da2789d679b7dcffe5ecc741857ed5caae8c385a8dedf
SHA512 eaddb4814afad4159bc9678322262378c531b73f444812bc6b77b9b0fc0cbe6fc7ae9a7115d279ac82d668a7383c723d47f14a23b96b5de90467fe222412dfb7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plaza

MD5 80b0185c61fb245926dec26217976e2a
SHA1 9ddb686647eeabb704c9c2bd46625ad898a48cfe
SHA256 0958ae8d97ac8e3285457a179f768eac30c8ef95cad6936492a0b76a6ba88f8a
SHA512 267055a9d6973571b9332cb6b30ae202ed84354e382d04194c6e28fd6a01c3c9f7e984e190a50c8047c36505b8ac3c4584c618ab1443f336b5a3d22c136292b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ballot

MD5 048263c25239abbd5ecfffd24313bba3
SHA1 2b10d008b0ecd1c6f594b8017abd6a8d8a6f290d
SHA256 b469309b45bc77bde7d7593e0ac2b675f7698bed8a38ac973a7cbc7228573de7
SHA512 5563d68b85845d37566f7a7c980e9f821790e46047e9efbc1dcf13cdacb9883d0501ff80c4b7dff86cc3279f2240b8faf4ae4f6e4b444770564e4d0728b1e57c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Railway

MD5 2df85c40fdae66b23d7be0bd2a6b12e0
SHA1 22c6eb371aebc8c12dc6b0e34ce625a177092710
SHA256 f9d331d0aad9f14726c1ab87c2a0224858bfc525ac1b70df0fcd8decf49ff906
SHA512 b213ca0a8738eb7e793292a8fa658a23292ae61f103f272bc5b70c834c25da36b168137887e901ce2b76986b6eaf38ed0f3fa64aa7d4fa7618a7923de4be62e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\De

MD5 e072dd1deee0bc3f1a544c725183ae73
SHA1 4dbc04900ab4f00d7112044e37897c25fcb7d491
SHA256 109e787154f2b5c1156c7261b510561d8e2d349d40ac4757931b2822d6c7a3a5
SHA512 da2a2061c38bd85e883029094e2e4fac14b53945cfd62b062e90960610d6d534da94c9f7aa310c47ecb565b1806ef186c9c2460ef5bb6b628d930e9324e2d70b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spirits

MD5 3d7a3c2178dfa66fa9af97342c929198
SHA1 9f61d84863c7cc71e53e325542798aeaf74c1d35
SHA256 eb28ac821250fcbca882d80c68d58a40ea8fe99606bf302f8d53ee7aa32a3b41
SHA512 cdfd9cbab8bc553f3253ef6e67647caba95fb2ffda57ae7e8ccb8e2ecd0212740048e679519cca13eed51b331dd4aba62db0c85a2dc323a4d326febc0edf094e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jersey

MD5 e23669cdf38b0893d18a8a32633e1447
SHA1 7acacfe1e7b440a4c8f51e7db5b00973e22a018d
SHA256 f44940459aeb945ea918ab10c0134865a828987a38a17d72031905f97b97f5e2
SHA512 16070adbd370511735c75c1101a90926af0d5ec10fabeeb556b4105abc94301f6c254204063fdd5e72499fccd835d39142a0247590da125ef68643344cbdabff

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ln

MD5 731603cce22e41ae5abf103fd9c6c315
SHA1 aa5cce06e8b30f76709411177bc5e8079f9cc4b7
SHA256 540e351768b15b80eb6b6ff57077b56219cb82c37ce6cd97af2b498a4752c73b
SHA512 b2f5173fa02d138f799e83c493a183948fb1da8387f07cc0ce3da33a5f44275a3fcc34ddc7af36c0350aa6f0a04401149bdf42722a45ad37a4648fca6285130c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Precise

MD5 14bf7d55effe56d8eb97e275df411f4e
SHA1 cb924a610c857aa8d13f1490b667cf96ebf89621
SHA256 0bd26eb862c76e036de851e5d4ba028b7bb70feb07a80da1b8b43ed9a798bdf6
SHA512 f7441a3f2163e63847ef0264867c29f08883ba76130bd0d079b7c829b39856d4682dee4b3ad6d61552524975e86c165d4857d493a7141f550cdd7a635e945122

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nominations

MD5 a960bb0bfa890f7b17092927491951f5
SHA1 01ed334db20e3bd02eff9161de2f52c74c4a03ad
SHA256 9d3970eab9fb5a3c23e1ae22833685f4e028c6ce1c4e8c3bf166d840f46209e2
SHA512 3c4dfe56aadb7acd84e367ee66c9b83a787e338572c6ed5bdf68c81584bc9c5224db0a8416618f50f801b528c3b1e4f9c3424841823ed1087f47928f61c63b07

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nhl

MD5 3d9cfd7ee3b39be68779ef7c402b0f88
SHA1 97abda2bfa806ce568f40be1009f9e9fb02892cc
SHA256 a2044183bde2b08538b8a1f7ab20fbcd78c6ffbb957050ddbf2e79dbe950bd29
SHA512 a97446f4084609404431d94fb33d50eb235165eaddf324fa2a76143b3450b05480f3884e0da7cd5e9862e5a70b25c833b3b33c3cf1589f3207a3c1babc6abf58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\Tight.pif

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\o

MD5 516ad8cde3f6b9cb38e2f26a3ec845b9
SHA1 d74d737cd7bceb72f669eed4b26bf1a1f9a22102
SHA256 a8bb0c34c381d5f065fc9fcfb4f4c7f177fd534117a350ed8a9751f1e15fd031
SHA512 8e75567cdacf5711cf4c6816bf7eaff68c51aca3c13f79ed0504a718e50337330265dd6b7bc2d499e57e560957077fda6701de88fc0cc07af2f3ab8ac3ebb916

memory/4652-801-0x0000000001300000-0x000000000135A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4483934\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/4652-804-0x0000000005E80000-0x0000000006424000-memory.dmp

memory/4652-805-0x00000000059B0000-0x0000000005A42000-memory.dmp

memory/4652-806-0x0000000005A60000-0x0000000005A6A000-memory.dmp

memory/4652-807-0x0000000008C80000-0x0000000009298000-memory.dmp

memory/4652-808-0x00000000088B0000-0x00000000089BA000-memory.dmp

memory/4652-809-0x00000000087C0000-0x00000000087D2000-memory.dmp

memory/4652-810-0x0000000008820000-0x000000000885C000-memory.dmp

memory/4652-811-0x0000000008860000-0x00000000088AC000-memory.dmp

memory/4652-827-0x0000000008B10000-0x0000000008B76000-memory.dmp

memory/4652-828-0x0000000009460000-0x00000000094D6000-memory.dmp

memory/4652-829-0x0000000009420000-0x000000000943E000-memory.dmp

memory/4652-830-0x0000000009ED0000-0x000000000A092000-memory.dmp

memory/4652-831-0x000000000A5D0000-0x000000000AAFC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 e5b26bcfd06bec34f3ffb5aa2fe116d1
SHA1 33830591c937210a427ae27ef81df0a3cd107730
SHA256 d1efb717bec858be32c1d1a66a1c9c49c49c67f1c799f5bb996b5433b98d43c3
SHA512 11499f2c797a5776b6c9b0a0ab85f79ae41beb39fa2bb98e51d3a510d5ea3b6ab04acd0579a606fe1e937e8eb530b51a311426e9f87def94a54579c87651f67e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

MD5 86066b195a6f0f4b74ba7d2cbd353374
SHA1 6cc20419a6076f10434b7f1caafa93f028e27a16
SHA256 fab95402423df32e6e561b9f7c948936e9b362229acc6494eed09d9370a5a083
SHA512 0c5646a5f174fc0d4e52ba109d6b70868f8d244429f74d3a4589550e74f2794393313482ceab1e12c969464dfdd071cef1bc1572fcaa7e8336e4f618edf5461a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4485114\Tight.pif

MD5 7774285e3ebcad0ee1383c20afd009c1
SHA1 85032512c88be4440836ec98ef20fa088071e0c9
SHA256 1b66f14e747659a401df5aa57e07e383e611fa74cf2c697a0a7fa3f6a7e2acea
SHA512 2f85dbc58e89fe708bfa6124d21f671a3497ea51fc155abc09015a9d0750306b73cb994c1cbe04bfe8fe140b740de97e2cc94391dbf8571140b17329a6f4fdeb