Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/uVsNXU was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-09 10:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 10:46
Reported
2024-06-09 10:49
Platform
win10v2004-20240426-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Microsoft Checker\Office365.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dwm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Microsoft Checker\Office365.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\Skype.exe" | C:\Users\Admin\AppData\Local\Temp\dwm.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/uVsNXU
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff467446f8,0x7fff46744708,0x7fff46744718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Microsoft Checker\" -spe -an -ai#7zMap32298:96:7zEvent13387
C:\Users\Admin\Downloads\Microsoft Checker\Office365.exe
"C:\Users\Admin\Downloads\Microsoft Checker\Office365.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe'
C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dwm.exe'
C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe"
C:\Users\Admin\AppData\Local\Temp\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\dwm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dwm.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Skype.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Skype.exe'
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Microsoft Checker\Edu.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,11869564898794317572,11929678496954649800,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6328 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | cold1.gofile.io | udp |
| FR | 31.14.70.248:443 | cold1.gofile.io | tcp |
| FR | 31.14.70.248:443 | cold1.gofile.io | tcp |
| US | 8.8.8.8:53 | 248.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aozepaokojfksdjfsk.ddns.net | udp |
| MA | 105.154.115.179:1000 | aozepaokojfksdjfsk.ddns.net | tcp |
| MA | 105.154.115.179:1000 | aozepaokojfksdjfsk.ddns.net | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | aozepaokojfksdjfsk.ddns.net | udp |
| MA | 105.154.115.179:1000 | aozepaokojfksdjfsk.ddns.net | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:80 | t.me | tcp |
| NL | 149.154.167.99:80 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | cdn4.cdn-telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.35.152:443 | cdn4.cdn-telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.35.111.34.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b2a1398f937474c51a48b347387ee36a |
| SHA1 | 922a8567f09e68a04233e84e5919043034635949 |
| SHA256 | 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6 |
| SHA512 | 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c |
\??\pipe\LOCAL\crashpad_4792_VNGOHHLVIDNFSNAU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1ac52e2503cc26baee4322f02f5b8d9c |
| SHA1 | 38e0cee911f5f2a24888a64780ffdf6fa72207c8 |
| SHA256 | f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4 |
| SHA512 | 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\440a195c-eb8e-482c-8ff2-ff55556412a2.tmp
| MD5 | 4c8344d2da37cfc1d753c60ef83313ca |
| SHA1 | 8f0ffd9c43546c2a8912a4d63e2ddf77a2bc21ca |
| SHA256 | b16b8d60b6fec3ce8eaf051736828759880af74a3abd42168057d854af05a35f |
| SHA512 | d25a5e76c9a10532b2cc82e421d31fa23ccc104814bc7b6190a0f23aacf194809aacaf9ced251c32adf9463623bb0eb3372eb97c83ce71cc938d81deb5555241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Microsoft Checker.zip
| MD5 | c0ef2be4eaef238a225e006bd79140ac |
| SHA1 | ab73b34f93545bde2ba3de945db392303e1b966e |
| SHA256 | 03f545e2ea67aaa07d333354ae3a862e7dc5ad09bb5cd97ef19b5085c50f53c0 |
| SHA512 | eb09831fb3fab439601c55b9ca3166ed8bb28b4571aa7ed4f9cf056285264c25d5e672b3a706a3193f77438d11e2e2718783e47586991981dd5a6a77fcb1b4ab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fc15f85f6db78641450bc79c714b7663 |
| SHA1 | 14e96bc98de16d48897e9e5559c5e2cfc8307030 |
| SHA256 | bb9f2117d4103c6998ec23f2db952af65268640b24734b0a5a67e5397736366c |
| SHA512 | 7dcd583fd7c4f6f68b3f299ab84e0b2646cd72c840f5dacd49cc043cfc56548d1faf592f65d631be4b7ba06d09a5bcddf8ef22a94b3a73a471e891cc4d74400c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f155d6d19df4ad2737805baf4713d29e |
| SHA1 | 357734d719b14caa9d084de89caa812d4009f521 |
| SHA256 | 6aba4492ff647689598bda27ed712cf78a7803e4030ee928d6f3db3eca3e65a8 |
| SHA512 | 178d5adc802d395abe2d35c0cdae2fbf369e6d50bc250543be9fae299f2d1a9f61da8ebedb7a98c80f384c15de2288f5dda4c01c9bc7d32bfa9a5a8e43efd97f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 955b0ae9b0e98b1fd159f5ec37cf1840 |
| SHA1 | 28548b503ebdccdfaf5da3cc2e2a35d04975d639 |
| SHA256 | a091ac480672f6df0a444d009baaa0d4209a35e455eb40ed39c583c89c3127b7 |
| SHA512 | ef3ee1513e318db3bf952a25c450cb2ee28a70717368822da511918fc5e43914c9c33e98f3a05443853adc91d393a497d301057ba9b1dc4bda55d5f207c9cdaa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 74a6935167718848f19439843c44211e |
| SHA1 | 9cbe776441969d50abc7a135c2b1706ea15aaa42 |
| SHA256 | 756bdb41a89fc8d3eb94b7c9a737997a0bb99f72eb8a5c333ef669e949bffd5b |
| SHA512 | 705d6685f448c5872c09019979a42e9606409bd75e09e476535761a2ca22a269adb25e436dd5778e132729e73f4ed4613d0487348e2285403b893aab83c03b5d |
C:\Users\Admin\Downloads\Microsoft Checker\Office365.exe
| MD5 | a83f31e374053ec3b3c1d618866e1d37 |
| SHA1 | 584a5927ac493d2e3bdc88dd9267404d12e5c76a |
| SHA256 | ddb709f71b945e9d7d98a5ee7f33b2ecf7155a387a6e3d40fb3fbbe3b735ccdf |
| SHA512 | 7ead9d7b3320bf96606c20adf87c78b4d732fa4f446403247b1d79627ccd3e6dd9971bfc8d47b6188b935c08153ff27bbd417cda91e5a1ef4546363f00015e6b |
memory/5600-119-0x0000000000EC0000-0x00000000018C0000-memory.dmp
memory/5792-120-0x000002045E940000-0x000002045E962000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a31i1ioc.tqs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\Microsoft Checker.exe
| MD5 | 5136b92f76191ce6127ba2bea6876ad6 |
| SHA1 | 01e3eaa7cc50703869899c8e400bd19b27bb029b |
| SHA256 | b3d5d9d0ee2d7f89042d4208842d9bd7791c70f691d988d613abcdcc5aa3c681 |
| SHA512 | ba3ecb3d164a9fb59ba86b6b25757e72bdb48a63273170c64324205437c66368c9779dd8833ce366478eea979209d94b8317329426c73afbd41d422b1f1ed68b |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | dd88b0ee993325fa43bdb3c47ebf7efc |
| SHA1 | 4170dc1751e7039d5a3e368d7e2365d6a7487513 |
| SHA256 | fcbf534cc18eceaacaeff40c95c2a0022d2f5a2e70f6f0967b8b5f462b956714 |
| SHA512 | 0cf3f258b471d9d5bfc5616b2fd9d0004312139868c4db60b1e4275817c3a1b3b1288d47c0426743f4f188e543d52994f567c68cb75a07630737517c2f45730b |
memory/6048-150-0x00000000005B0000-0x00000000005C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\python310.dll
| MD5 | e4533934b37e688106beac6c5919281e |
| SHA1 | ada39f10ef0bbdcf05822f4260e43d53367b0017 |
| SHA256 | 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5 |
| SHA512 | fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\python3.DLL
| MD5 | 24f4d5a96cd4110744766ea2da1b8ffa |
| SHA1 | b12a2205d3f70f5c636418811ab2f8431247da15 |
| SHA256 | 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53 |
| SHA512 | bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\unicodedata.pyd
| MD5 | d4964a28a22078c30064c65e968f9e1f |
| SHA1 | b9b95975bea97a55c888da66148d54bdb38b609b |
| SHA256 | b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703 |
| SHA512 | bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\select.pyd
| MD5 | c6ef07e75eae2c147042d142e23d2173 |
| SHA1 | 6ef3e912db5faf5a6b4225dbb6e34337a2271a60 |
| SHA256 | 43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78 |
| SHA512 | 30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\pyexpat.pyd
| MD5 | ea36d6df8ab58a22421f01d6d673adf2 |
| SHA1 | 6a22ea1f37e8655d1602823f18ac87727110a1b5 |
| SHA256 | 32e8c601259ec029e44824116ad911426157ceeae55f9fdd15387af40660dd5a |
| SHA512 | d23b7b4f46e99fa4c93e6adba24e30d09c445e85c7b2eae93a6efbffc5d8be166908f7ba7edf7b3e5089e712a4ce8e5bcdc32610f59bda94b90dd01aa3601035 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\libssl-1_1.dll
| MD5 | 86f2d9cc8cc54bbb005b15cabf715e5d |
| SHA1 | 396833cba6802cb83367f6313c6e3c67521c51ad |
| SHA256 | d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771 |
| SHA512 | 0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\libcrypto-1_1.dll
| MD5 | 80b72c24c74d59ae32ba2b0ea5e7dad2 |
| SHA1 | 75f892e361619e51578b312605201571bfb67ff8 |
| SHA256 | eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d |
| SHA512 | 08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_ssl.pyd
| MD5 | 7c7223f28c0c27c85a979ad222d19288 |
| SHA1 | 4185e671b1dc56b22134c97cd8a4a67747887b87 |
| SHA256 | 4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986 |
| SHA512 | f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_socket.pyd
| MD5 | c389430e19f1cd4c2e7b8538e8c52459 |
| SHA1 | 546ed5a85ad80a7b7db99f80c7080dc972e4f2a2 |
| SHA256 | a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067 |
| SHA512 | 5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_hashlib.pyd
| MD5 | 7a74284813386818ada7bf55c8d8acf9 |
| SHA1 | 380c4184eec7ca266e4c2b96bb92a504dfd8fe5f |
| SHA256 | 21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2 |
| SHA512 | f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_queue.pyd
| MD5 | 60dec90862b996e56aedafb2774c3475 |
| SHA1 | ce6ff24b2cc03aff2e825e1cf953cba10c139c9d |
| SHA256 | 9568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46 |
| SHA512 | c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_multiprocessing.pyd
| MD5 | b3c8414bbcae9bcc3377a4df72a4aed7 |
| SHA1 | cf754caff33c158ef6377b6cb2dc11ab96a27678 |
| SHA256 | 65413d49d81e5b939226a211fd40c9b7c6d61366651639446273988930f4a6fd |
| SHA512 | 3a1a85ff177d5521043a7a84b3aa56f567b9d1e0fb5b72441d50d0234e50519c86dfc24f6432be32460cbc63226ff3e4bc2d86e3154cdcd7a3d9b8d87b32b035 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_lzma.pyd
| MD5 | 14ea9d8ba0c2379fb1a9f6f3e9bbd63b |
| SHA1 | f7d4e7b86acaf796679d173e18f758c1e338de82 |
| SHA256 | c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39 |
| SHA512 | 64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_decimal.pyd
| MD5 | 709613d7d7bc30abdaee015c331664b6 |
| SHA1 | 84278fd8acc53c50b4e2ffa3f47b9ddad7dd7a70 |
| SHA256 | 8600cae4f34cc64c406198e19539d0d4f5a574fc60b32b8aa8f32fd64c981da5 |
| SHA512 | 4eb48bbcdf7cd9ebb9909e5269d4663bf14906a282a1f1418cc7e137f2be1c792019d78446d4d8bea63024cbf01bec14e28633d6e4ebbd85d7d074b948cab211 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_cffi_backend.cp310-win_amd64.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_bz2.pyd
| MD5 | 56203038756826a0a683d5750ee04093 |
| SHA1 | 93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2 |
| SHA256 | 31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c |
| SHA512 | 3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\_ctypes.pyd
| MD5 | 462fd515ca586048459b9d90a660cb93 |
| SHA1 | 06089f5d5e2a6411a0d7b106d24d5203eb70ec60 |
| SHA256 | bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4 |
| SHA512 | 67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\base_library.zip
| MD5 | c4989bceb9e7e83078812c9532baeea7 |
| SHA1 | aafb66ebdb5edc327d7cb6632eb80742be1ad2eb |
| SHA256 | a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd |
| SHA512 | fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671 |
C:\Users\Admin\AppData\Local\Temp\dwm.exe
| MD5 | 9d30078b5b773714952f184e0df31742 |
| SHA1 | 2ee3d12177f2fe5993b1753f281ba2f94d9a9c6f |
| SHA256 | 924b885022523009a7164feba30f1439592ef4aad89a6c1445872ecfc2dc7110 |
| SHA512 | 1f2ab1e4595957cffd2a8f1e1a126a2823f2cc4aae1ba89bb807c986a26252590f83f5bb27512c95fc9d54fb88eaefc131b8d8e34c0f01adb0804d85999a1d47 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\zstandard\backend_c.cp310-win_amd64.pyd
| MD5 | 4652c4087b148d08adefedf55719308b |
| SHA1 | 30e06026fea94e5777c529b479470809025ffbe2 |
| SHA256 | 003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795 |
| SHA512 | d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d |
memory/5556-246-0x00000000006C0000-0x00000000006CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI59802\charset_normalizer\md.cp310-win_amd64.pyd
| MD5 | f33ca57d413e6b5313272fa54dbc8baa |
| SHA1 | 4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44 |
| SHA256 | 9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664 |
| SHA512 | f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32 |
C:\Users\Admin\AppData\Local\Temp\_MEI59802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
| MD5 | 494f5b9adc1cfb7fdb919c9b1af346e1 |
| SHA1 | 4a5fddd47812d19948585390f76d5435c4220e6b |
| SHA256 | ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051 |
| SHA512 | 2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | afc6cddd7e64d81e52b729d09f227107 |
| SHA1 | ad0d3740f4b66de83db8862911c07dc91928d2f6 |
| SHA256 | b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0 |
| SHA512 | 844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 34adb1ccfbb97a3ecf8decbf479bb79e |
| SHA1 | 51b9575e3c0fd73e0202e2f7ce74bc35f37d8b85 |
| SHA256 | a0f1629527d02f55394c9ae3cbc3adaf4aeb3f3322e4961a4f703a6724db9876 |
| SHA512 | 81c3542d0e1cde63d5aec8aed49c9f66d6ff1b96464800b178799e0016fa7345d45f0b0ab8cab781a0a1589e8b7aaa6b6806a8480eb73dd63afc7fe497a7b07c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e29b.TMP
| MD5 | f63c0e57b9e879be4b4d8c29b2e8fea4 |
| SHA1 | 7c95ced7753d54acd35935d0bcab8c400641e798 |
| SHA256 | 408a056c3c0e666c235ec089bf63868f6430eb0a645012f7a9d1e68cfa1896ca |
| SHA512 | 12013d5ccd066ae0d51cdfd90c4649a6bc836b5036d5b7ea0d98857572e434bd564a2078828eb7176113fad57500496e87af80e5ba2f7a25e7a134bdc1ed3f62 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fc003a1e9cad20de2470ebe31d8eba37 |
| SHA1 | 1036de39c029e332c341c1c15dddf0a103858de5 |
| SHA256 | 1a7501315e2af65f449d21ddf243d6d498a6bc1fe3f1573b8cb4a1aba0682550 |
| SHA512 | 6c9c21faf7724618d5e8cfd6c243f441afa7ade7bbe5158d8bc54b60f94476ad2dbd6d7851ab605758cab7720ed1a45bd615c1456a696e14616a10041e6b7e7b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8852bcd54f1a5d9a7cce4548aefee644 |
| SHA1 | 0fe2bd2b67d769ce6dc318ec4d90504c60559255 |
| SHA256 | d2e885d3eadcda3bfdaaf0869261df25117b4bfd764a2cc068c88f7200fad871 |
| SHA512 | dc48a5271a194f1de49a12b70dc72a1fafa63f7c20dba7cadb159c0c039ee5b96582a7df3d9acb07fb9c61806ecc248f0e62fee8d7bb5a4bd24cf8ba98abcbb1 |
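The dropped-file tables above are ready-made host IOCs: a path line followed by one `| ALGO | hex |` row per digest, with memory-dump entries carrying no rows. The Python below is an added example, not part of the sandbox report or of the sample's own code. It parses that layout into an IOC set, hashes every file under a directory with all four algorithms in one pass, reports which digests matched, and separately flags the masquerade visible above: a binary named dwm.exe (which legitimately lives at C:\Windows\System32\dwm.exe) dropped under the user's Temp directory. `SAMPLE_REPORT` copies two entries and the memory-dump line from the tables above; the file scanned in `demo()` is constructed bytes, so its SHA256 is added to the set at runtime only to show what a hit looks like. `SYSTEM_BINARIES` and the row format are assumptions made for the example.

```python
"""Turn sandbox dropped-file hash tables into an IOC set and scan a directory.

Added example, not code from the report. Digest values in SAMPLE_REPORT are
copied from the report above; the scanned file in demo() is constructed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import PureWindowsPath

# Constructed excerpt in the report's own layout (assumed: one path line, then
# "| ALGO | hex |" rows; memory-dump entries have no rows).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\dwm.exe
| MD5 | 9d30078b5b773714952f184e0df31742 |
| SHA1 | 2ee3d12177f2fe5993b1753f281ba2f94d9a9c6f |
| SHA256 | 924b885022523009a7164feba30f1439592ef4aad89a6c1445872ecfc2dc7110 |
| SHA512 | 1f2ab1e4595957cffd2a8f1e1a126a2823f2cc4aae1ba89bb807c986a26252590f83f5bb27512c95fc9d54fb88eaefc131b8d8e34c0f01adb0804d85999a1d47 |
memory/5556-246-0x00000000006C0000-0x00000000006CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI59802\base_library.zip
| MD5 | c4989bceb9e7e83078812c9532baeea7 |
| SHA1 | aafb66ebdb5edc327d7cb6632eb80742be1ad2eb |
| SHA256 | a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd |
| SHA512 | fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption for the example: names that belong in System32 and are suspicious
# elsewhere. Extend from your own baseline.
SYSTEM_BINARIES = {"dwm.exe"}


def parse_report(text):
    """Return {path: {algo: hexdigest}}; entries without rows map to {}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has wrong length")
            entries[current][algo] = digest
        else:
            current = line
            entries.setdefault(current, {})
    return entries


def ioc_sets(entries):
    """Flatten parsed entries into {algo: set(digest)} for O(1) lookups."""
    sets = {algo: set() for algo in HEX_LEN}
    for hashes in entries.values():
        for algo, digest in hashes.items():
            sets[algo].add(digest)
    return sets


def masquerading(path):
    """True if a System32-resident binary name appears outside System32."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_BINARIES:
        return False
    return str(p.parent).lower() != r"c:\windows\system32"


def hash_file(path):
    """Compute all four digests in a single read of the file."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in HEX_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_dir(root, sets):
    """Return [(path, [matched algos])] for files whose digests are in the IOC set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests = hash_file(full)
            matched = [a for a in ("SHA256", "SHA512", "SHA1", "MD5") if digests[a] in sets[a]]
            if matched:
                hits.append((full, matched))
    return hits


def demo():
    """Plant a constructed file, register its SHA256 as an IOC, and scan."""
    sets = ioc_sets(parse_report(SAMPLE_REPORT))
    planted_bytes = b"constructed sample bytes, not the real dropper"
    sets["SHA256"].add(hashlib.sha256(planted_bytes).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "dwm.exe"), "wb") as f:
            f.write(planted_bytes)
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"benign content, should not match")
        return scan_dir(d, sets)


if __name__ == "__main__":
    for path, algos in demo():
        print(f"HIT {path} via {algos}; masquerade={masquerading(path)}")
```

Treat a SHA256 or SHA512 match as the deciding evidence; the MD5 and SHA1 columns are kept for cross-referencing older feeds, not for attribution on their own. The `_MEI59802` directory name is derived from the PID of the PyInstaller stub at run time, so match on the file digests and on `dwm.exe` landing in Temp rather than on that directory name.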