Analysis Overview
Threat Level: Known bad
The file http://web.archive.org was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Possible privilege escalation attempt
Drops file in Drivers directory
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Drops startup file
UPX packed file
Executes dropped EXE
Modifies file permissions
ASPack v2.12-2.42
Checks computer location settings
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Maps connected drives based on registry
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies registry class
Kills process with taskkill
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-06-18 18:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-18 18:21
Reported: 2024-06-18 18:30
Platform: win10v2004-20240508-en
Max time kernel: 505s
Max time network: 507s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
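The value written above is the stock Windows default (userinit.exe followed by a trailing comma), so the signature fires on the write itself, not on a changed value. Winlogon launches every comma-separated entry in Userinit at logon, which is why an appended path is a classic persistence hook. The following is an added example, not code from the report or the sample: it parses a Userinit string, flags any entry other than userinit.exe, and on a Windows host reads the value from both the native key and the WOW6432Node view (the report shows a 32-bit process writing to the redirected view). The hijacked value and evil.exe are constructed inputs.

```python
"""Check a Winlogon Userinit value for hijacked entries (added example)."""
import ntpath

# Default value on a clean Windows 10 install; every comma-separated entry
# is launched by winlogon.exe at logon, so any extra entry is a persistence hook.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# Constructed inputs: the first is the value recorded in the report above,
# the second is a hypothetical hijacked value (evil.exe is not from the report).
REPORTED_VALUE = r"C:\Windows\system32\userinit.exe,"
HIJACKED_VALUE = r"%SystemRoot%\system32\userinit.exe,C:\Users\Public\evil.exe"


def parse_userinit(value: str) -> list[str]:
    """Split the Userinit string into program entries, dropping the empty
    entry left by the trailing comma and any surrounding quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def _normalize(path: str) -> str:
    # Case-fold and expand the two environment spellings of the Windows folder
    p = path.lower().replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    return ntpath.normpath(p)


def find_userinit_hijack(value: str, expected: str = EXPECTED_USERINIT) -> list[str]:
    """Return every entry that is not the expected userinit.exe path."""
    return [e for e in parse_userinit(value) if _normalize(e) != _normalize(expected)]


def read_live_userinit() -> dict[str, str]:
    """On Windows, read Userinit from both the native and the WOW6432Node view
    (a 32-bit writer lands in the latter, as in the report); elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    views = {"native": winreg.KEY_WOW64_64KEY, "wow6432node": winreg.KEY_WOW64_32KEY}
    found = {}
    for name, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | flag) as key:
                found[name] = winreg.QueryValueEx(key, "Userinit")[0]
        except OSError:
            continue
    return found


if __name__ == "__main__":
    print("reported value:", find_userinit_hijack(REPORTED_VALUE) or "clean")
    print("hijacked value:", find_userinit_hijack(HIJACKED_VALUE))
    for view, val in read_live_userinit().items():
        print(view, "->", find_userinit_hijack(val) or "clean")
```

Run it on a suspect host as an administrator; an empty list for both views means the value is the default. The check compares paths, not the write event, so it complements rather than replaces the sandbox signature.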
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\afunix.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\applockerfltr.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\cht4vx64.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidbth.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\iaStorV.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\kbdhid.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\MTConfig.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\netvsc.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\PktMon.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\rdyboost.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\Acx01000.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\lsi_sas.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\IntelTA.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\Drivers\UcmTcpciCx.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbaudio2.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbprint.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbser.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\afd.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\CAD.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\MSPQM.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\sdstor.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbehci.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbuhci.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\volmgr.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\intelide.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\isapnp.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\modem.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\netbt.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\serial.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\HdAudio.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\sisraid4.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\WindowsTrustedRT.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\amdgpio2.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\amdk8.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\cldflt.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\fdc.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\mlx4_bus.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\wimmount.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\flpydisk.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\HyperVideo.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\wfplwfs.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\AcpiDev.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\BthA2dp.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\mshidkmdf.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\trufos.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\UevAgentDriver.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\cdfs.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\iaLPSSi_GPIO.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\mpsdrv.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\mvumis.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\scmbus.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\Drivers\acpiex.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\Drivers\mshwnclx.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\nwifi.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\SgrmAgent.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\storahci.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\ufx01000.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\winmad.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\kbldfltr.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\pcmcia.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\drivers\rdpvideominiport.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\vmgid.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File created | C:\Windows\system32\DRIVERS\trufos.sys | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
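Nearly every row in this table names a `:Zone.Identifier` alternate data stream, the NTFS stream that carries the Mark-of-the-Web, rather than the driver file itself; only the final row (trufos.sys) is an actual file creation. The "Drops file in Drivers directory" label is therefore driven mostly by stream opens, which the separate "NTFS ADS" signature also records. The script below is an added example, not part of the report: it parses rows in the table format used on this page, splits the stream name from the file path (treating the drive-letter colon and the `\??\` prefix correctly), and reports which rows touch a file rather than a stream. The embedded table is a constructed four-row excerpt.

```python
"""Separate real file drops from Zone.Identifier stream access in a sandbox
file-activity table (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the table above; same row format, only a few rows.
SAMPLE_TABLE = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\afunix.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidbth.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File created | C:\Windows\system32\DRIVERS\trufos.sys | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<tgt>[^|]*?)\s*\|$"
)


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str


def parse_rows(table: str) -> list[Row]:
    """Parse pipe-delimited rows, skipping the header row."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m["desc"] != "Description":
            rows.append(Row(m["desc"], m["ind"], m["proc"]))
    return rows


def split_stream(path: str) -> tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream). The drive-letter colon is not
    a stream separator, and the NT object prefix \\??\\ is dropped first."""
    p = path[4:] if path.startswith("\\??\\") else path
    drive = p[:2] if re.match(r"^[A-Za-z]:", p) else ""
    body = p[len(drive):]
    if ":" in body:
        name, stream = body.split(":", 1)
        return drive + name, stream
    return p, None


def summarize(rows: list[Row]) -> dict:
    """Count stream-only accesses per stream name and list rows that touch the file itself."""
    streams: Counter = Counter()
    real_files = []
    for r in rows:
        file_path, stream = split_stream(r.indicator)
        if stream:
            streams[stream] += 1
        else:
            real_files.append((r.description, file_path))
    return {"stream_accesses": dict(streams), "real_files": real_files}


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_TABLE))
    print("stream accesses:", s["stream_accesses"])
    for desc, path in s["real_files"]:
        print(f"{desc}: {path}")
```

Paste the full table from this page into SAMPLE_TABLE to get the real split; on the rows above the only entry under "real_files" is the trufos.sys creation. Opening a Zone.Identifier stream for modification is consistent with rewriting or removing the Mark-of-the-Web, but the report does not show what was written, so confirm that on a disk image before drawing conclusions.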
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\mwav.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\mwav.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\mwav.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mwrestore.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\PCToaster.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mwrestore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mwrestore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mwrestore.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
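The "Possible privilege escalation attempt" and "Modifies file permissions" signatures above are both triggered by the same three child processes, two takeown.exe runs and one icacls.exe run, but the report records no command lines. Taking ownership and then re-granting rights is the usual way a process gets write access to files under C:\Windows or Program Files that are owned by TrustedInstaller. The detection below is an added example, not from the report or any product: it correlates Sysmon-style process-creation events by parent, keeps only takeown/icacls invocations whose command line names a path under a protected root, and marks the pair as chained when both tools ran within a short window. The events, dropper.exe, example.sys and the timestamps are constructed.

```python
"""Flag takeown.exe/icacls.exe runs that change ownership or ACLs under protected
system directories, correlated by parent process (added example)."""
import ntpath
import re
from datetime import datetime, timedelta

ACL_TOOLS = {"takeown.exe", "icacls.exe"}
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Constructed Sysmon-style process-creation events. The report shows no command
# lines, so dropper.exe, example.sys and the timestamps are hypothetical.
EVENTS = [
    {"time": "2024-06-18T18:22:01", "image": r"C:\Windows\SYSTEM32\takeown.exe",
     "cmd": r'takeown /f "C:\Windows\system32\drivers\example.sys" /a',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"},
    {"time": "2024-06-18T18:22:03", "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\Windows\system32\drivers\example.sys" /grant Administrators:F',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"},
    {"time": "2024-06-18T18:25:40", "image": r"C:\Windows\SYSTEM32\takeown.exe",
     "cmd": r"takeown /f C:\Users\Admin\Documents\report.docx",
     "parent": r"C:\Windows\system32\cmd.exe"},
]

_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"|([A-Za-z]:\\\S+)')


def extract_paths(cmd: str) -> list[str]:
    """Pull quoted and unquoted drive-letter paths out of a command line."""
    return [quoted or bare for quoted, bare in _PATH_RE.findall(cmd)]


def is_protected(path: str) -> bool:
    """True for paths inside the system roots that normally belong to TrustedInstaller."""
    p = ntpath.normpath(path).lower()
    return any(p == root or p.startswith(root + "\\") for root in PROTECTED_ROOTS)


def detect_acl_tampering(events: list, window_s: int = 60) -> list[dict]:
    """One alert per parent process whose takeown/icacls children touched a
    protected path; 'chained' is set when both tools ran within window_s seconds."""
    hits: dict = {}
    for e in events:
        tool = ntpath.basename(e["image"]).lower()
        if tool not in ACL_TOOLS:
            continue
        targets = [p for p in extract_paths(e["cmd"]) if is_protected(p)]
        if targets:
            hits.setdefault(e["parent"], []).append((datetime.fromisoformat(e["time"]), tool, targets))
    alerts = []
    for parent, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        tools = {tool for _, tool, _ in rows}
        span = rows[-1][0] - rows[0][0]
        alerts.append({
            "parent": parent,
            "tools": sorted(tools),
            "targets": sorted({p for _, _, ts in rows for p in ts}),
            "chained": tools == ACL_TOOLS and span <= timedelta(seconds=window_s),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_acl_tampering(EVENTS):
        print(alert)
```

The benign takeown from cmd.exe on a user document produces no alert, while the dropper's takeown/icacls pair on a driver path is reported as chained. Parent-process correlation matters here because administrators do run these tools by hand; a temp-directory parent is the signal, not the tools themselves.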
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\MEMZ.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
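These rows record a handle to \??\PhysicalDrive0 being opened for modification, which is how a process reaches the raw boot sector; the report does not show the bytes written. Confirming an MBR overwrite on a host or disk image means reading sector 0, checking that the 0x55AA signature and partition table are intact, and comparing the 446-byte boot-code region against a known-good hash, since a wiper that replaces only the boot code leaves the partition table untouched and the disk still "looks" partitioned. The parser below is an added example, not from the report: the clean and overwritten sectors are constructed in code, and the filler bytes in the overwritten copy are not a real payload.

```python
"""Parse a 512-byte MBR and compare its boot code against a baseline (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code, the region MBR wipers overwrite
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"       # bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble an MBR from boot code and (bootable, type, lba_start, sectors) tuples.
    Used here only to construct sample sectors."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, p_type, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, p_type, lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and return the partition table plus a hash of the boot code."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("boot signature 0x55AA missing: sector is not a valid MBR")
    partitions = []
    for i in range(4):
        status, p_type, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if p_type == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": p_type,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_tampered(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code no longer matches the hash recorded from a known-good image."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def read_physical_drive0() -> bytes:
    """Read sector 0 of the first disk; Windows only and requires an elevated process."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sample: a clean MBR with one bootable NTFS (0x07) partition at LBA 2048,
# and a copy whose first 64 boot-code bytes were overwritten (filler bytes, not a real payload).
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x90" * 443, [(True, 0x07, 2048, 204800)])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
OVERWRITTEN_MBR = b"\xCC" * 64 + CLEAN_MBR[64:]


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("overwritten", OVERWRITTEN_MBR)):
        info = parse_mbr(sector)
        print(label, "partitions:", info["partitions"],
              "tampered:", boot_code_tampered(sector, BASELINE_SHA256))
```

Record BASELINE_SHA256 from a known-good image of the same build before an incident; on a live Windows host, pass read_physical_drive0() to boot_code_tampered from an elevated prompt. The overwritten sample still parses and still shows its partition, which is exactly why a partition-table check alone is not enough.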
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Windows.UI.Input.Inking.Analysis.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\desktopimgdownldr.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\eappcfgui.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\vccorlib140.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\fhengine.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\SortWindows6Compat.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\xboxgipsynthetic.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\help.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDTH1.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\MosStorage.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\msfeedssync.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\perfc007.dat:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\PlayToStatusProvider.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\SystemPropertiesPerformance.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\taskschd.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\computecore.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\kerberos.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\MSAMRNBSink.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\SettingMonitor.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\AudioEndpointBuilder.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDDIV1.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\edpnotify.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\MTFSpellcheckDS.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\iasrecst.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDJAV.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\dswave.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\Windows.UI.BlockedShutdown.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\DispBroker.Desktop.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\iesetup.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\logagent.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\StateRepository.Core.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\perfdisk.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\eappprxy.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\DpiScaling.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\irprops.cpl:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\shrpubw.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windows.WARP.JITService.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\ustprov.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\ole2nls.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Clipc.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\dot3msm.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\capisp.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\iphlpsvc.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\appwiz.cpl:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\backgroundTaskHost.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\icmui.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\Faultrep.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\imagesp1.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\SmartCardSimulator.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\System32\upnphost.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\f3ahvoas.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\iasdatastore.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\MessagingDataModel2.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\ByteCodeGenerator.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\gamingtcui.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\ms3dthumbnailprovider.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\WFS.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSASN1.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDLAO.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\scrptadm.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system32\SystemSettingsAdminFlows.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\autofmt.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\msimg32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\storage.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssv.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado15.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho_64.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msadox.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLMF.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLMF.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\splwow64.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\winhlp32.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\sysmon.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\mib.bin:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system.ini | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\explorer.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\servicing\TrustedInstaller.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\write.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\rundll.exe | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\bfsvc.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\bootstat.dat:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\WMSysPr9.prx:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SysmonDrv.sys:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\general.log | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\Lic.xxx | C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE | N/A |
| File opened for modification | C:\Windows\system.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\win.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\regedit.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\hh.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\Lic.xxx:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\HelpPane.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\twain_32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\Offline Web Pages\desktop.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\notepad.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.google.com" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\UnregisterDLLs = "1" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt32 = "CPL" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt93 = "MRC" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt133 = "RTF" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt78 = "LHA" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt103 = "OFT" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\CheckCABSfx = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ProgramFiles = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt25 = "CFM" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt48 = "DWG" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt58 = "GZIP" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt76 = "JTD" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\HostExceptions | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\RemoveLNK = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\zcache.010 = "22488876" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt164 = "XXE" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt96 = "MSO" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt159 = "V??" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\BackupOfCleanObjects = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ShowDmp = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt163 = "XTP" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\CheckFileForgery = "1" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\MyVersion = "a" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt23 = "CAB" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt100 = "OBT" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt112 = "PHP" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt132 = "REG" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt140 = "SHT" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\UnzipPassword | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\BackupOfInfectedObjectsFolder | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\CheckCorrupt = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt18 = "BAT" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt108 = "PCI" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt153 = "TSK" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\CleanRegistryErrors = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt11 = "ASP" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt92 = "MP?" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt126 = "PRG" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ScanDateTime = "18.06.2024 18:28:26" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\BackupOfInfectedObjects = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\Version = "22.0.60" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt86 = "MHTM" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt123 = "PPS" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt130 = "QPW" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt144 = "SMM" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt113 = "PHT" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt127 = "PSA" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ShowCleanObjectInfo = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ForcedExcludedFiles | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\AllFiles = "1" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt65 = "HTW" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt102 = "OCX" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt106 = "OTM" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\DBCorrupted = "0" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ScanDateTime = "18.06.2024 18:27:24" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\DBOpenCount = "1" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\zcache.008 = "17586455" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt135 = "SCR" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\ScanTime = "1106" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt0 = "386" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt1 = "ACE" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt14 = "AVB" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt121 = "POT" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\eut\SOpt134 = "SBF" | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (blob value not reproduced) | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (blob value not reproduced) | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (blob value not reproduced) | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
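The Blob values in this table are Windows' serialized certificate-element format: a run of (property id, 1, length, data) records in which property 0x20 holds the DER certificate, 0x03 its SHA-1 (which is also the key name), 0x62 its SHA-256, 0x14 the subject key identifier and 0x0b a UTF-16 friendly name. In the first blob the friendly name is "Sectigo" and the DER subject reads "USERTrust RSA Certification Authority". One caveat before reading these rows as the sample planting a root: AuthRoot\Certificates is the cache that CryptoAPI's automatic root update fills the first time a chain needs a root from the Microsoft Trusted Root Program, and that registry write happens inside whatever process built the chain, so any process that completes a TLS handshake to a site chaining to an uncached root produces identical rows. The finding worth chasing is an entry whose thumbprint is not in the Microsoft root program, or whose blob is internally inconsistent. The Python below is an added example, not part of the report or of any tool named in it: it decodes a Blob, summarises the properties and cross-checks the key name and stored hashes against the embedded certificate. The DER in its samples is a placeholder (the page's 1506-byte certificate is not reproduced here); the thumbprint, SHA-256, key identifier and friendly-name values are the ones visible in the first blob, and the property-id names follow wincrypt.h.

```python
"""Decode the certificate Blob that Windows keeps under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA-1>\\Blob
and cross-check it against the key name it was written under.

Record layout, repeated once per certificate property:
    DWORD prop_id    CERT_*_PROP_ID (little-endian)
    DWORD reserved   always 1
    DWORD cb_data
    BYTE  data[cb_data]
"""
from __future__ import annotations

import hashlib
import struct
from typing import Dict, List

# Property ids present in the report's blob, named after wincrypt.h.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a Blob value into {prop_id: data}; raise on a malformed record."""
    props: Dict[int, bytes] = {}
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 12:
            raise ValueError(f"truncated property header at offset {offset}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, not 1, in property {prop_id}")
        if offset + length > len(blob):
            raise ValueError(f"property {prop_id} claims {length} bytes past the end of the blob")
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def build_cert_blob(props: Dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob; used below only to construct sample data."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def describe(blob: bytes) -> dict:
    """Summarise the properties an analyst looks at first."""
    props = parse_cert_blob(blob)
    friendly = props.get(11, b"").decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "friendly_name": friendly,
        "sha1": props[3].hex().upper() if 3 in props else None,
        "sha256": props[98].hex() if 98 in props else None,
        "key_id": props[20].hex() if 20 in props else None,
        "cert_len": len(props[32]) if 32 in props else 0,
        "properties": [PROP_NAMES.get(pid, f"prop_{pid}") for pid in props],
    }


def check_blob(key_name: str, blob: bytes) -> List[str]:
    """Cross-check the key name and stored hashes against the embedded DER.
    An empty list means internally consistent; it does not mean the root
    belongs in the store, which needs a lookup against the Microsoft list."""
    props = parse_cert_blob(blob)
    der = props.get(32)
    if der is None:
        return ["no CERT_CERT_PROP_ID (32): blob carries no certificate"]
    sha1 = hashlib.sha1(der).hexdigest().upper()
    sha256 = hashlib.sha256(der).hexdigest()
    findings: List[str] = []
    if sha1 != key_name.upper():
        findings.append(f"key name {key_name} != SHA-1 of embedded certificate {sha1}")
    if 3 in props and props[3].hex().upper() != sha1:
        findings.append("CERT_SHA1_HASH_PROP_ID disagrees with the embedded certificate")
    if 98 in props and props[98].hex() != sha256:
        findings.append("CERT_AUTH_ROOT_SHA256_HASH_PROP_ID disagrees with the embedded certificate")
    return findings


# Values copied from the report: the key name and the 0x62 / 0x14 / 0x0b contents of the first blob.
REPORT_THUMBPRINT = "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E"
REPORT_SHA256 = "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2"
REPORT_KEY_ID = "5379bf5aaa2b4acf5480e1d89bc09df2b20366cb"
REPORT_FRIENDLY = "Sectigo"
# Constructed stand-in for the 1506-byte DER (SEQUENCE { INTEGER 1 }); not a real certificate.
PLACEHOLDER_DER = bytes.fromhex("3003020101")


def _friendly(name: str) -> bytes:
    return (name + "\x00").encode("utf-16-le")   # UTF-16LE, NUL-terminated, as in the blob


# Constructed: hashes computed from the certificate the blob carries, so the entry is consistent.
CONSISTENT_BLOB = build_cert_blob({
    98: hashlib.sha256(PLACEHOLDER_DER).digest(), 20: bytes.fromhex(REPORT_KEY_ID),
    11: _friendly(REPORT_FRIENDLY), 3: hashlib.sha1(PLACEHOLDER_DER).digest(), 32: PLACEHOLDER_DER,
})
CONSISTENT_KEY = hashlib.sha1(PLACEHOLDER_DER).hexdigest().upper()
# Constructed: the report's hashes paired with a certificate that does not hash to them.
MISMATCHED_BLOB = build_cert_blob({
    98: bytes.fromhex(REPORT_SHA256), 11: _friendly(REPORT_FRIENDLY),
    3: bytes.fromhex(REPORT_THUMBPRINT), 32: PLACEHOLDER_DER,
})

if __name__ == "__main__":
    for key, blob in ((CONSISTENT_KEY, CONSISTENT_BLOB), (REPORT_THUMBPRINT, MISMATCHED_BLOB)):
        print(key, describe(blob))
        print("  findings:", check_blob(key, blob) or "none")
```

On a live host the same checks apply to the raw `Blob` value read from the registry; an entry that passes them is then compared against the current Microsoft Trusted Root Program list, and only a thumbprint absent from that list turns this signature into an actual finding.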
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3110b8d7-d60c-6adc-c3ce-bd22f748af91.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\ChineseSimplified.lic:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Turkish.dow:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\mexe.com:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\ClickToRun\ProductReleases\C4DB1FF2-9CF3-498E-B7AA-765DC7D448F8\x-none.16\MasterDescriptor.x-none.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\OneSettings\DirectXDbVersion.json:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Chinese.dow:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\korean.dow:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\msvclnt.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\mdx_xf.cvd:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\emalware.cvd:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.PinningConfirmationDialog_1000.19041.1023.0_neutral__cw5n1h2txyewy\S-1-5-21-2804150937-2146708401-419095071-1000.pckgdep:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\system.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\korean.lic:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\compatibility.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\67447b0c-05cf-6740-5f7b-391ab440c42d.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\English.win:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\libeay32.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\emalware.552:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\shield-preference-experiments.json:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.5b1a057f-452d-4436-81f0-5c40c95c8a06.1.etl:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Deutsch.dow:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\LatinSpanish.con:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\emalware.585:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CallingShellApp_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-2804150937-2146708401-419095071-1000.pckgdep:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.adc60cc5-881a-4717-9b5b-b4b2a3c40fe9.1.etl:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\explorer.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player skinned.lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\storage\permanent\chrome\.metadata-v2:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Italiano.dow:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\emalware.586:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\newjava.cvd:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Windows\write.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\plugins\emalware.550:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\MF\Active.GRL:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\USOShared\Logs\System\WuProvider.3be7c7e5-fd14-416a-bf96-3d3fec9cff1f.1.etl:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\trufos.dll:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2e267d1c-9ef4-8ee3-57be-e11f61eb9d03.xml:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mexe.com | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://web.archive.org
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0ae646f8,0x7ffc0ae64708,0x7ffc0ae64718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3376 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3352 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
C:\Users\Admin\Downloads\mwav.exe
"C:\Users\Admin\Downloads\mwav.exe"
C:\Users\Admin\Downloads\mwav.exe
"C:\Users\Admin\Downloads\mwav.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1048 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\mexe.com
"C:\Users\Admin\AppData\Local\Temp\mexe.com"
C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE
C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE /s
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE
C:\Users\Admin\AppData\Local\Temp\MWAVL.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.TXT /ver=22.0.60
C:\Users\Admin\Desktop\Popup.exe
"C:\Users\Admin\Desktop\Popup.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6728 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
C:\Users\Admin\AppData\Local\Temp\mwrestore.exe
C:\Users\Admin\AppData\Local\Temp\mwrestore.exe
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8871412354065795680,17128144992148126156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
C:\Users\Admin\Desktop\PCToaster.exe
"C:\Users\Admin\Desktop\PCToaster.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\PCToaster.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\attrib.exe
attrib +h C:\Users\Admin\Desktop\scr.txt
C:\Windows\SYSTEM32\diskpart.exe
diskpart /s C:\Users\Admin\Desktop\scr.txt
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Boot /r
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Recovery /r
C:\Users\Admin\Desktop\PCToaster.exe
"C:\Users\Admin\Desktop\PCToaster.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\PCToaster.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /im lsass.exe /f
C:\Windows\SYSTEM32\mountvol.exe
mountvol A: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol B: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol D: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol E: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol F: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol G: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol H: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol I: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol J: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol K: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol L: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol M: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol N: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol O: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol P: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Q: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol R: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol S: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol T: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol U: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol V: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol W: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol X: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Y: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Z: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol C: /d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | web.archive.org | udp |
| US | 207.241.237.3:80 | web.archive.org | tcp |
| US | 207.241.237.3:80 | web.archive.org | tcp |
| US | 8.8.8.8:53 | polyfill.archive.org | udp |
| US | 8.8.8.8:53 | archive.org | udp |
| US | 8.8.8.8:53 | web-static.archive.org | udp |
| US | 207.241.224.2:80 | archive.org | tcp |
| US | 207.241.224.2:80 | archive.org | tcp |
| US | 207.241.224.2:80 | archive.org | tcp |
| US | 207.241.224.2:80 | archive.org | tcp |
| US | 207.241.224.2:80 | archive.org | tcp |
| US | 207.241.224.2:80 | archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.239.241:443 | polyfill.archive.org | tcp |
| US | 8.8.8.8:53 | 83.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.237.241.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.224.241.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.237.241.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.239.241.207.in-addr.arpa | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 8.8.8.8:53 | analytics.archive.org | udp |
| US | 8.8.8.8:53 | openlibrary.org | udp |
| US | 8.8.8.8:53 | blog.archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.225.195:80 | analytics.archive.org | tcp |
| US | 207.241.225.195:80 | analytics.archive.org | tcp |
| US | 8.8.8.8:53 | help.archive.org | udp |
| US | 8.8.8.8:53 | 195.225.241.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apps.apple.com | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | chrome.google.com | udp |
| US | 8.8.8.8:53 | itunes.apple.com | udp |
| US | 8.8.8.8:53 | microsoftedge.microsoft.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | www.archive-it.org | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| NL | 23.62.61.194:443 | th.bing.com | tcp |
| NL | 23.62.61.194:443 | th.bing.com | tcp |
| NL | 23.62.61.194:443 | th.bing.com | tcp |
| NL | 23.62.61.194:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 204.79.197.200:443 | bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.134:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.154.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | escanav.com | udp |
| US | 67.222.129.224:443 | escanav.com | tcp |
| US | 67.222.129.224:443 | escanav.com | tcp |
| US | 8.8.8.8:53 | code.jquery.com | udp |
| US | 151.101.130.137:443 | code.jquery.com | tcp |
| US | 151.101.130.137:443 | code.jquery.com | tcp |
| US | 8.8.8.8:53 | www.escanav.com | udp |
| US | 172.67.142.245:443 | use.fontawesome.com | tcp |
| US | 8.8.8.8:53 | platform.twitter.com | udp |
| PL | 93.184.220.66:443 | platform.twitter.com | tcp |
| US | 8.8.8.8:53 | 224.129.222.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.130.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.142.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.220.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | syndication.twitter.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 104.244.42.72:443 | syndication.twitter.com | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | tcp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| GB | 142.250.200.3:443 | www.google.co.uk | tcp |
| BE | 64.233.166.154:443 | stats.g.doubleclick.net | tcp |
| US | 172.67.142.245:443 | use.fontawesome.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp |
| BE | 64.233.166.154:443 | stats.g.doubleclick.net | udp |
| GB | 142.250.200.3:443 | www.google.co.uk | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| GB | 142.250.200.42:443 | ajax.googleapis.com | tcp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update1.mwti.net | udp |
| NL | 2.18.121.4:443 | update1.mwti.net | tcp |
| US | 8.8.8.8:53 | 4.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 2.18.121.4:443 | update1.mwti.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| FR | 92.122.166.120:443 | aefd.nelreports.net | tcp |
| FR | 92.122.166.120:443 | aefd.nelreports.net | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 216.239.34.36:443 | region1.analytics.google.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 120.166.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| FR | 92.122.166.120:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.66.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.200.189.225:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 225.189.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 21.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
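The table above is a raw connection log, and most of its rows are resolver traffic rather than peers the sample talked to: every udp/53 row goes to 8.8.8.8, the `*.in-addr.arpa` rows are reverse lookups of addresses that appear elsewhere in the table, the 224.0.0.251:5353 row is link-local mDNS, and the udp/443 rows are QUIC. The following Python script is an added triage aid, not part of the sandbox report; it parses rows in the report's own pipe-delimited layout, separates that noise from real connections, and lists hosts that were resolved but never contacted. The sample rows are copied from the table; treating 8.8.8.8:53 as the sandbox resolver and udp/443 as QUIC are this example's assumptions drawn from those rows.

```python
"""Triage helper for a sandbox 'Network' table (added example, not report code).

Row layout expected: | country | dst ip:port | host | proto |
"""
from collections import defaultdict

RESOLVER = "8.8.8.8:53"      # assumption: the resolver every udp/53 row in the table goes to
MDNS = "224.0.0.251:5353"    # link-local multicast DNS, never an external peer

# Constructed sample: rows copied verbatim from the report's table above.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | analytics.archive.org | udp |
| US | 8.8.8.8:53 | openlibrary.org | udp |
| US | 207.241.225.195:80 | analytics.archive.org | tcp |
| US | 207.241.225.195:80 | analytics.archive.org | tcp |
| US | 8.8.8.8:53 | 195.225.241.207.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| NL | 23.62.61.194:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | update1.mwti.net | udp |
| NL | 2.18.121.4:443 | update1.mwti.net | tcp |
| BE | 64.233.166.154:443 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
"""


def parse_row(line):
    """Return (country, endpoint, host, proto) for a table row, else None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return tuple(cells) if len(cells) == 4 else None


def ptr_to_ip(name):
    """'195.225.241.207.in-addr.arpa' -> '207.241.225.195'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(endpoint, host):
    """Label a row as mdns, ptr, dns (forward lookup) or connect (real peer)."""
    if endpoint == MDNS:
        return "mdns"
    if endpoint == RESOLVER:
        return "ptr" if host.endswith(".in-addr.arpa") else "dns"
    return "connect"


def triage(text):
    """Collapse a block of rows into deduplicated sets an analyst can pivot on."""
    out = {"dns": set(), "ptr": set(), "mdns": 0, "connect": defaultdict(set)}
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _country, endpoint, host, proto = row
        kind = classify(endpoint, host)
        if kind == "mdns":
            out["mdns"] += 1
        elif kind == "dns":
            out["dns"].add(host)
        elif kind == "ptr":
            out["ptr"].add(ptr_to_ip(host))
        else:
            out["connect"][host].add(f"{endpoint}/{proto}")
    connected_ips = {ep.rsplit(":", 1)[0] for eps in out["connect"].values() for ep in eps}
    # Names looked up but never connected to: candidates for blocked or failed C2/CDN fetches.
    out["resolved_only"] = out["dns"] - set(out["connect"])
    # Reverse lookups for addresses no connect row explains (peers logged elsewhere, e.g. ICMP/other).
    out["ptr_without_connect"] = out["ptr"] - connected_ips
    # udp/443 is QUIC; note it so the analyst does not assume a TLS-over-TCP capture exists.
    out["quic"] = {h for h, eps in out["connect"].items() if any(ep.endswith(":443/udp") for ep in eps)}
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for host, eps in sorted(result["connect"].items()):
        print(f"{host:28} {', '.join(sorted(eps))}")
    print("resolved only:", sorted(result["resolved_only"]))
    print("ptr without connect:", sorted(result["ptr_without_connect"]))
    print("quic hosts:", sorted(result["quic"]))
```

Run against the full table, the `connect` map is what belongs in an IOC list; the `dns` and `ptr` sets are context, and `resolved_only` is where to look for infrastructure the sample tried to reach but the sandbox never completed a connection to.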
Files
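Two things to keep in mind when lifting hashes out of the list below. First, the sandbox records every write, so a path such as `Default\Preferences` or `Default\TransportSecurity` appears once per rewrite with a different digest each time; the count, not the digest, is the useful signal there. Second, the digests on the `\??\pipe\LOCAL\crashpad_...` entry (MD5 d41d8cd9..., SHA256 e3b0c442...) are the digests of zero-length input, so they match any empty file and should never be used as an indicator. The Python script that follows is an added check, not part of the report: it parses entries in the report's own layout (a path line followed by `| ALGO | hexdigest |` rows), flags empty-input digests, counts rewrites per path, and matches a local file or byte string against the report's SHA256 set. The sample entries are copied from the list below.

```python
"""Checks over a sandbox 'Files' list (added example, not report code)."""
import hashlib
import re
from collections import Counter

# Digests of zero-length input; an entry carrying these is an empty file or pipe, not content.
EMPTY = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}

DIGEST_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Constructed sample: entries copied verbatim from the report's list below
# (raw string so the Windows paths keep their backslashes).
SAMPLE = r"""
\??\pipe\LOCAL\crashpad_2364_SXMLXWLMJZPEUHBO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b82f1554ce88125f49c0c31deb5e4598 |
| SHA1 | 4fe0aa4a2bad2090cf41f727a443c70eccc5afa7 |
| SHA256 | e07169ae8242d9d29ee68f3115ea0c926b1db0959b17cc70dd0f6d30c33df4e6 |
| SHA512 | 5ec76353ae0181bfaaf67dab0328650d39060051f389d6cf590cc3c84298d5d141471fd63b08293de3dffd43ac426acc12653e3268ca727109683e0ed3cb5e92 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f66f0cdf8bed1ff55ed7c612b3d154c8 |
| SHA1 | 2a474ba81a1297c23f3fc3fbe658e5c3717b5db9 |
| SHA256 | e19a8d772552a5770f13a5572f10d9da7a8f2b88ecd7da5d3ef1ecc3f2e39af4 |
| SHA512 | a774b30918a70226dcfd0992d8d8ca9d35d43a2f2a4439dba88abfc764038db549820a0c2e6f5dbcab4d9054cce9a66662ec467ef69e6e9a709b16dec0443c34 |
C:\Users\Admin\AppData\Local\Temp\mwavscan.com
| MD5 | f782e2b1a079103fd24d31eb7af00551 |
| SHA1 | 15ae22048a7a5b5e0df1e0bd5cb0a8d4ca92cc7c |
| SHA256 | e9a8841e4ceb8044e133ba79d06d64b58b23321ff2c10156321c3c770ecf947e |
| SHA512 | a2781e57c841984e1e5936322d59fa8a5c84863d91763a9d426dafae9006179a0e2d8b5950dbee24707af32008121f979cfe33f656ca9b7df1a9122d4d602cf3 |
memory/3144-4220-0x0000000000400000-0x0000000000433000-memory.dmp
"""


def parse_entries(text):
    """Group a path line with the digest rows that follow it.

    Lines without digest rows (the memory/... dump references) become
    entries with an empty digest dict and are skipped by the lookups below.
    """
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            current["digests"][m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("|"):
            current = {"path": line, "digests": {}}
            entries.append(current)
    return entries


def is_empty_artifact(entry):
    """True when every recorded digest is the digest of zero-length input."""
    d = entry["digests"]
    return bool(d) and all(EMPTY[algo] == h for algo, h in d.items())


def rewritten_paths(entries):
    """Paths recorded more than once, i.e. files the run rewrote, with their counts."""
    counts = Counter(e["path"] for e in entries)
    return {path: n for path, n in counts.items() if n > 1}


def index_by_sha256(entries):
    """sha256 -> path for every entry that carries a SHA256 (dumps excluded)."""
    return {e["digests"]["sha256"]: e["path"] for e in entries if "sha256" in e["digests"]}


def match_bytes(data, index):
    """Return the report path whose SHA256 matches data, or None."""
    return index.get(hashlib.sha256(data).hexdigest())


def match_file(path, index):
    """Hash a local file in chunks and look it up in the report's SHA256 index."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return index.get(h.hexdigest())


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for e in entries:
        if is_empty_artifact(e):
            print("empty-input digests, do not use as IOC:", e["path"])
    for path, n in rewritten_paths(entries).items():
        print(f"rewritten {n}x:", path)
    print("empty bytes match:", match_bytes(b"", index_by_sha256(entries)))
```

The last line of the demo is the point of the empty-digest check: hashing zero bytes "matches" the crashpad pipe entry, which is exactly why that digest must be dropped before a hash set is pushed to a blocklist or a hunt query.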
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | eaa3db555ab5bc0cb364826204aad3f0 |
| SHA1 | a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca |
| SHA256 | ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b |
| SHA512 | e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4 |
\??\pipe\LOCAL\crashpad_2364_SXMLXWLMJZPEUHBO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4b4f91fa1b362ba5341ecb2836438dea |
| SHA1 | 9561f5aabed742404d455da735259a2c6781fa07 |
| SHA256 | d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c |
| SHA512 | fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b82f1554ce88125f49c0c31deb5e4598 |
| SHA1 | 4fe0aa4a2bad2090cf41f727a443c70eccc5afa7 |
| SHA256 | e07169ae8242d9d29ee68f3115ea0c926b1db0959b17cc70dd0f6d30c33df4e6 |
| SHA512 | 5ec76353ae0181bfaaf67dab0328650d39060051f389d6cf590cc3c84298d5d141471fd63b08293de3dffd43ac426acc12653e3268ca727109683e0ed3cb5e92 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
| MD5 | 4931f1df5841bfff2e7c1a0910cec475 |
| SHA1 | 32c3752a49ee0a649cd6500340d4069258b95113 |
| SHA256 | 6002855a84d9b71fc9e1f5c9d3c6a30cd0490a8598eae8e71e37c1e3a779e8e7 |
| SHA512 | 9362067f6e47df9767c0396f7990c7071e5aff26aead78b07c46c139984939f383dbed6d09cd7347d335901021db8fd01bbe5555c22bd566ed2f2e1969b4c73c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | eb789629621b0fb923dcd752605d62bd |
| SHA1 | 1ede18ebb93b70d55a748ef252d15079f2326e1a |
| SHA256 | 1acd14d73eede949d501cd0b1e9ff5959de833a83ae796d6f057f2305c73e6c3 |
| SHA512 | 4720241c8903f6049835628609302f8524386ff9b7878411a1ef069b92d8eb4c76bae627418678681fa7b5201624b01711db2189ee955008712be25e4417601c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f66f0cdf8bed1ff55ed7c612b3d154c8 |
| SHA1 | 2a474ba81a1297c23f3fc3fbe658e5c3717b5db9 |
| SHA256 | e19a8d772552a5770f13a5572f10d9da7a8f2b88ecd7da5d3ef1ecc3f2e39af4 |
| SHA512 | a774b30918a70226dcfd0992d8d8ca9d35d43a2f2a4439dba88abfc764038db549820a0c2e6f5dbcab4d9054cce9a66662ec467ef69e6e9a709b16dec0443c34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 19d101f9163239cea41d6fc4db5cc3b1 |
| SHA1 | 1ed2fb6a212f3599a2a808ee8c5c8b32d0a9ff08 |
| SHA256 | d064dcda77bf76baa35651c29cade3d310d9eb390b8f08d5b34a182f29d06efc |
| SHA512 | e228bd754e66c6d83bf955813ef771c7ce8942b3000062116fb5e3b84bceb8da4c515d8146b7870c1ba5a9afcd7c5dcaa451fa66aa7186b245972231a3abaa34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8d89b33822366fba9c0261717f6388d3 |
| SHA1 | 89bb3f554a2cfc00d00152c53b0c498cb5b06547 |
| SHA256 | 9514c93eaea89b78188f4766225d28aec8cfa7d3b22c6d290b5ed5f6b4c368bb |
| SHA512 | a030c5753e33c2cd5bfa58f5ce8964158844f57595fb5b6a234be97dbd1a697a7705ade30387700eae3faa869eb9e67743499e259ede7a47c5df2b2d972c7e8e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ad76.TMP
| MD5 | e85157a2ac46ce0584846394951510ec |
| SHA1 | be0ca5a7c0df33bb894482496b7e6252cd8abd99 |
| SHA256 | 47039c484e05441f13155747faeecce7ceb8166cf0a760f0059a6ae7fb1929c6 |
| SHA512 | f56ef8bbdd5213646f0ff850345ae28b31b2b3a2568dec81143555ae7469c41e9bf3068d1683d9cf8e7edb08c10206f6ae6dadda573fa4e7d27aa96732c0340c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 607b98c3c85ec91b34b55c90a5da8356 |
| SHA1 | 36dec67986a1e2c29aeb3bcc0e98125312e193e6 |
| SHA256 | 047d831c4353f82a156063589afd26a4c89569755ccf435fc6ef7a24d05be9c6 |
| SHA512 | 940b9b5326c410d7f64155f3ed7cfd43341e2f49ed241f8e8074048b9d80067a742dfcec0a6ac68c6d2dbf17de153e25f923cf4bea1f60b4285cb93e318a309c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 997fdc7ca2646a03d0f459a0b78690d9 |
| SHA1 | 33b91ef7eefd32acac9d7db72d509658502cab38 |
| SHA256 | 09e2b8bc9ffb87fa39f40383df509e66e3d330b64ebe7b6e4799bca0b0ca3945 |
| SHA512 | 8ed541cb6cf88ab32bafc54b3c2a3b9b20a0fd29b9957aa4e1ae48de6df4825b3050a246aeb19e7d3cde1f6deb37e7e72d59f17e28e3131a8494c890d68b7ced |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e88c8acc06371bd18eec2d84880ebabe |
| SHA1 | 87e26340771ee7361c4c8a9e21b35c2fcf194e34 |
| SHA256 | 70f4c7b101ac6b628d3ab06e75b9ab31da21cdfbabd5d940c3a0c12905a69237 |
| SHA512 | 0a67db49aa29c7cea0f4ae2b8eca274e0397f6700e3aed858e4ff683faedcab0e5aa24bd988d37f5a97a176e7261fd7a898b1e285d8a6b796e00b08e554929a9 |
C:\Users\Admin\Downloads\Unconfirmed 452733.crdownload
| MD5 | 42cc93998878d106bef5bb4061a91959 |
| SHA1 | aaacca9afbecb4937cb9ef07c23e2cf75f1a0e55 |
| SHA256 | 85d0bb671e31258247a1e8b1a209b92ab5e1faa9e6b7f85cce567b91a97c1cee |
| SHA512 | efc172ea2fc66d0736eeabb87b49043e3f8117fffadd7600dca952a6c94bef6f7f6b0b5ecc6102b626aa7dea1d1ff404c68219480a922bb7e77344ba86c09336 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7cfd5f2c3818cb2a71ba906df31b3958 |
| SHA1 | bed44cf65018b7c0d11a0666e1f7446766a6e2f7 |
| SHA256 | 86d7687eb9f4bbe1b96b981ddd570bc18f8d7649720fbef7d068067876226510 |
| SHA512 | ba524bf5e605612d755059e983a73bb36e25a386de8469a01365a0ecfe4011697fe34a9024a5384fc08a07ce7ec64340890d07c2aca0bb13c8fe57c3f7f165bf |
C:\Users\Admin\Desktop\MergePush.vstx
| MD5 | 9114dc929911eb21fa9c6b47a00020ef |
| SHA1 | 170ee4d3fad4bb619818117c99f8292f6674587c |
| SHA256 | a769cb5a16a3492acfd24d3805ad6cb4b208b920757a1c8b156b242246b60392 |
| SHA512 | a9aac0899201f90f26287273e05beab5c7ba27407a082323fba58dcb6cc16c5f07ac08987317e9eff4b1282f09372e7006ad275a371d546f3f5db463251befd0 |
C:\Users\Admin\Desktop\ResetConfirm.cab
| MD5 | f0a1d22ba71a4021429d170f959df35c |
| SHA1 | 5064b30c401db7b07f8e621ae13017a8fbf35765 |
| SHA256 | b9192cf941c9e7ceccfed4b1e26d59636d5a91891cf4c60d358fae090b6003a9 |
| SHA512 | ae3b8c5948f111e5f748c38985e46e94d6e73f70849e90b23587ca630eeb83c8366005aa87b55df5b4a4981a2fbddbdc6c9cc0579273113dce0e89dbc4892c16 |
C:\Users\Admin\Desktop\ReceiveCompare.dll
| MD5 | 036526a9e7f2e05cbcfc8e82b53a6009 |
| SHA1 | 8ad18b622da57553bdd1073a0525749a89695f5d |
| SHA256 | f4ec6981becb6f46be34ee1afa9eb03025fcc8cc066261d798b506f47471b8bf |
| SHA512 | b3ce334438f340465f237d7e14f0e8f203e205255e3dd80af3bff224ad3abcc3409137a48964df292270ec037cbf51a17de630efe1cb4aaedefb0a51f886e6d6 |
C:\Users\Admin\Desktop\StartConvertTo.TS
| MD5 | bcb7a39fdeb1ed39021ec05d40b138e1 |
| SHA1 | 14b1baf7a2456ff471b0fab05c9971a6bfc9887b |
| SHA256 | 061814ea91cc0407d83d4d5f89b5cc9347500ceaaf5b7de74b49fc7ee34d64de |
| SHA512 | 3069be0e14a5bded48ba2ad6623d9e4c2e8772ed79b9dede3d1d15d88d3bbdde5e2269b46a9c3131f46c529bff217c39eaaca236f5c7ba10598a4fce50ddd988 |
C:\Users\Admin\Desktop\JoinCopy.hta
| MD5 | ad3d8323eb1c11b2effb7140c200567f |
| SHA1 | afa3477fb802d5bf96d00d5195c420afd110516b |
| SHA256 | 5563ac5acf066ce0c29a045e4a8138ddeb7ad011b6d0996b465bbfcdd9f9d561 |
| SHA512 | ca8ec9c9b7ac94ce80d381a66b0d613010bf4d39cca929616c229901f7ac067fdcfea487243ceaead51c0179907042b1396297ebc07b87b2a65effaee61f6db6 |
C:\Users\Admin\Desktop\JoinConvert.mpeg3
| MD5 | 33804bc2dcbf5aec8ea09da701b3a95f |
| SHA1 | f31b958e5b232ff5ac6e4b70721b0cb9d472ef82 |
| SHA256 | aab3238269f8b44bec6f790a0b058a1fa31f6ed3f183bd9a9c2f94bb5e13ba5e |
| SHA512 | df4d4a9c8a23aab38d24713795463e7117565d410381344f814034f21915aa2f7ff478f9082c358530e6a48fb3ba82ef620bda7dac5bc4c812ecb2d319e5ea21 |
C:\Users\Admin\Desktop\ExportWrite.rar
| MD5 | bc773e836ddae562d3295ae337c5e238 |
| SHA1 | ee14a4448672e175b2f008cddb720fe916f9705b |
| SHA256 | 41f6d5044ddadc5481521fd95a6327f0b0c35ef0678c16073caa3e656e36b201 |
| SHA512 | 3c823a02f0aed99142b3fea1c3d0c881ee8b32b4d665794f146beaf3a662d32f7534db227a17d62f5701519bba218fb5ff422845ca0f288e53efb40fd75bac52 |
C:\Users\Admin\Desktop\DisableExit.avi
| MD5 | bfc78d198687e29c2161597d425f7c04 |
| SHA1 | 1fbb88022a4d769a17f2a68fbd1c58dcd9944f0f |
| SHA256 | 6e00b3f081e35e9eebe7c24d1f5d26fcb1ced490d1f1fa473d1df58951258c10 |
| SHA512 | ea75c5aea18e38245ca11b2b223c16e86d76a6fe0fd098909149b67a0c7df38ac4958b1061514f845d752d3b131cd196626cd478389068104784a8efc8953937 |
C:\Users\Admin\Desktop\AssertUninstall.ocx
| MD5 | f9ef0fa5eb7b3092120406741d884937 |
| SHA1 | fc58c341b0981a1cea0297a4764127a7790b8692 |
| SHA256 | 2fc8b4a133f266460a9b487fefae9558428e1b1cce4846d94ff7e8129adde54e |
| SHA512 | 60a91c57d823d2c575677fdb8ddaca5d66cfb8f7ee56d4174597e70598027bf664c2203c669d1ade56370302daa7652c71588899fcd66dc5e72643a4a8d69cff |
C:\Users\Admin\Desktop\ApproveAssert.inf
| MD5 | 6eda9883e65794a4511607a5d6483ce4 |
| SHA1 | 10d9dff682b21efe2388f43500613e39be2ef2c7 |
| SHA256 | d2ff09e70cdf95d122bfa5b21e171597271967e5c384729fab57c0a38b0daf3f |
| SHA512 | 172075408fb60eb7994a29a00671fbbaa8a3ae8e68fe0e24d2759d5ee483de3ec97339cce8e3e5d5a860c8a8cc587e9f7dcc8c443b4e97ef033bc936d8902b32 |
C:\Users\Admin\Desktop\ApproveAdd.asp
| MD5 | 5acd3c3dd836a192b1bb198d7e79ab27 |
| SHA1 | 78b1a5f068ca5592de4733ea4bcbfdc6d87f1284 |
| SHA256 | 3f7794fcbd3bd464ec43b862ac4e5f21255e1df681fbd063196c497a048c4815 |
| SHA512 | 6d712938ff3f5f5b6133c288647cf3c7551e6b9594492d0ca0513921add9604aa7d4615e8ccec39f55543b2874e80963dfc547314077c94e0bbdd18805270e56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | dcceec0a836f8fd38e252b7bc802333a |
| SHA1 | e8112de533c19ce9e9170fe6b2be19a5389c012b |
| SHA256 | f9c17c1ff1f27b03fb560627ef4a1c1b74e77fdc70d04d294eb410b6425fe860 |
| SHA512 | 10aa4715fecfd3f8392a6d92b5b0525a5377ed228719b43f3839bf1b789c18edb1b20db65e904e5f4743a1a2f9bbc994be5fd97cfbaed406d405952fa68d869c |
C:\Users\Admin\Desktop\UseComplete.doc
| MD5 | c45a37a0d9d8a7fb8bded2a452bf2be6 |
| SHA1 | f9b5f729c45a1d068790941520ae7d83251e10c4 |
| SHA256 | 51fed02d246c230638df725733c23c259363150951b6e910fa2b8d22c86ddce6 |
| SHA512 | 3eddd10138857e26ec7293c8ae1dba00e6a696d220595016132e246d1afeb5613c96c82bfa04d72032690f683dcedded0b4bf7581e64bf5b32e63628c38d5934 |
C:\Users\Admin\Desktop\UnlockRevoke.zip
| MD5 | d6f3c8149e146cab4f03be58493d2125 |
| SHA1 | 6d4e313f6ef126622c21a1ffc0425104b8c24e75 |
| SHA256 | 6d1cda56bb68da6723e043c8c1ee63f3af01a8ace69536fcee5bfe8c38adf940 |
| SHA512 | c33d771eb397d861be3bd0672d2f48c46af507829d33e5b6c38bc9bbf5611e8611aa9f966d6859ce896aaeb237380b71b22f24e03cf9c7311b3a92ec6117bb04 |
C:\Users\Admin\Desktop\UndoEnable.doc
| MD5 | b92df946ed73b934ec6fb31b48b62aa4 |
| SHA1 | 23d4f64b155cec4f32e0cc1c516b95f7d1124fab |
| SHA256 | b61c4e2d775b63e9f5b86c131fc04b514ddc03a381a8c085fa9a34641d709065 |
| SHA512 | 3e48c36c246880b76d81faa8e09a8383f09410f62ef4bfac24b600f8d43cda7839e9c7627490c822cd345913e912cac63d21ecfc24b5fc2fb45dfc13ba0b2446 |
C:\Users\Admin\Desktop\UnblockInstall.mpg
| MD5 | 879e0329e565d68f728a4625107ca287 |
| SHA1 | 6bc5b5e166fc4eeee5a9578bbd273dc5245b6d3f |
| SHA256 | e8b2325734bd981aee276f8db0508ac9d80384bcadfcc67a088c2c726b1065db |
| SHA512 | 68fc2679c0f0e99c7bcc32a57dd5c10274e2ec4796ee0ac737256fa25fd2a1ad0999bb72922411fdf2014eb8329524141d38fd90e012162df49e7060ada6c4d7 |
C:\Users\Admin\Desktop\SyncSwitch.asx
| MD5 | 73ced4dcbbfc9af476cd1cc506ff7db6 |
| SHA1 | f54f28ecabc2aca5daf587f79ef23b90de604d07 |
| SHA256 | ccca77e0efebf8f4afe018df6cbccf85d1da09d9d4a9ebd9090e546b8987c5ae |
| SHA512 | 5d3bcd12e4b9355510539543fc9288acdec8604b7f84e639b355e6dfdf0e04399416119e4f73cde53ddff7439628edf17aa3e664f8380a299bb7d18d2692f57b |
C:\Users\Admin\Desktop\SyncRequest.htm
| MD5 | 25e3bf9aa0b15f56ae5172383228a904 |
| SHA1 | a367170974048861856e59d209fc1d33630bdea3 |
| SHA256 | 7604a2720271f952f3488a09094364e8a8f3f750d9c9bf0c09feb08d67d83db6 |
| SHA512 | a2bc3d1b0fccf4525a8e82a7b6fcd4bea0436dc83b0aa078b3587c9f3c6257fb61766b5dd8cdc448d32f6c15afc8a7d72fa3e7ee021b66b9be5bb29cb575ccda |
C:\Users\Admin\Desktop\ShowStep.svgz
| MD5 | a69f3a2b1d2127e636ea6f4e41a5b7a0 |
| SHA1 | a8c20a7f9b365071362caa18178a669197c2a8b5 |
| SHA256 | 433fad319b7cac3c55109c701cb4fe5fcb5b78de2243a851b456d9ce1d841579 |
| SHA512 | 7ef659ee8cb62405f9cb29104fd1e3ab6796adf84d47f50fe2272d19a033cddff6a4cf07372f5d724970df0289ad5b9c9b6d34e7d84bec258bd000474f372291 |
C:\Users\Admin\Desktop\SearchNew.ico
| MD5 | b94bb6d61bd03e7a4b1837345b98c1cc |
| SHA1 | 6fa73c1e5d3c7d0f64d26f783d734f9dbe0155a2 |
| SHA256 | 2142f471bf5c64805b79f45bfd489e0d6d80c28b763eb412a78a7b713fe453b0 |
| SHA512 | 79ee84078d3970b9778c95d6b1080ec42759603b55618f0c6d22cddda6812752325dc79bb88e56dd619f0262d1b2756f752902e6b7a100dc7dcba3b0e1caa92b |
C:\Users\Admin\Desktop\RequestExport.ttc
| MD5 | 5ee7260962856d16f82ff06310a4acf2 |
| SHA1 | 520b6e9e87f76c44b606b335b693a3bbc30dae4c |
| SHA256 | 2d25a91f08b416724d54399c9b9cf048a74d7598374cd51ea01224de72befee4 |
| SHA512 | 695afe58c6b3b2543dd2dd717e7da77a9a51d61419389741b653778e8d5f1d5600027a41fea57173f3e9f69db1b7e0acfd7e041061f0d0f18c4f8a6d1ff4c53d |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | 64ee528ca1b8fd376c71b7aa76d397db |
| SHA1 | 1be911eceb3949adf6d97790a7c6f77d8e620f50 |
| SHA256 | 5393e96e975d73957b17fb626ca075c76b0021bed7a87f4f8941037cc53f9fd6 |
| SHA512 | 628fc91b4d1f4560b16751e713d4793fff2e6cc4cd983bcf237ecb8f3ca51540f0885eca4e8e5622c21ca4b3714e514a72377983f2053f2e16d3982146889685 |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | 11fe3169d41e13ca315482265c1f3e18 |
| SHA1 | a37900d251ddc0de2436a116cb17c132c05f9fd7 |
| SHA256 | d3affcb06bdb51035040b4bb8472032fe23b71866047afa5ecec9e72e876881e |
| SHA512 | 06a7fd4957a97b2c9746abcfe072f43521e2de0518bb3575131b80418493209c91ad1d807a75c9ee21b432c24bb918d91f158b05d9cd06e8de7b55c373c22b68 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | b3f365ed4c08ee64b94d28619c083ec4 |
| SHA1 | baf8c39d1611f72c5053feb0070342842afc1f92 |
| SHA256 | 3e566cea6029d22a871843256c48c72f7a2d36f2fe4ebb4ed9d56c31fb62750a |
| SHA512 | 6b23d42ebdf3ca67fc9c5539ba2f80bbed447604801b222af171077cb9f7b01a77d434cd0a5bd039129ab0cb6f208d2e23b86ff70c5cb357a1cce0c4a8d5d8f4 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | dfc8a98a41d0622ea78a24a6a52d1aee |
| SHA1 | 4cde86bbf48c4a068eddba77516480d53667f47b |
| SHA256 | ff30ec7b25dcedffbb70684a06a6a075e19a68c2912ef41fa9f733a8b1e2efc2 |
| SHA512 | 4f40dfd1db52771bd02d288f22eaa9d27807a358bcbdfae73d1b25137378a41e7de58f38623680fa70168c9a9d460960894c3caca5b5f7513f225babc91f331f |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| MD5 | e602081c4212c45fbff3180a313ca8cb |
| SHA1 | 1241fc562dca3b1e5f3717122079d019aef58008 |
| SHA256 | ed4f6887c8e432eaa50e189b426cfb5d65d38ce9990c971e424e41a338a13f40 |
| SHA512 | 04fda247bf2615e155bcf9fa2e30d1e6083f0699614ed48729a05d611be6525ce2f90d4011c33be64ea5f2cb66f04ecb7bea8ca9c4ccb24e8b90f6a57827b4d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 99ad751a83b745f857aa6d0b8c88cda8 |
| SHA1 | dafc4a08eb8766f3810f0492b084b2a076e050ba |
| SHA256 | 69e4ec734717aa03767672d7d6a8b6e2183f9b1c3498f12d155daf29e895cdbf |
| SHA512 | 1910a9f26f65e84c9897586ad1fb2b471b866733ee998b06e67a097e612dfe9aec54520cd8cd94ab5154988c295e63f4fa0ef4893243f920369b85a3ab858ef2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e8eb56af7784db6de0a9b249a510653e |
| SHA1 | 385bf4743fe7a8978ed9839049fb241e75d0881e |
| SHA256 | 8aa9895eee992ffd80d11c0f505bea9675cf576d3a0b08ea3ff1d23ebef2c09c |
| SHA512 | 110285607bf8e8ec981de6ab25567d26f58390f0f038bcc1a5f959050b3485839cae20e89d3036ca4b960d40392db0c084d49e34208ba355f0481051c2d4a9ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 75a5410af77a970ac7970584b6815289 |
| SHA1 | 848bd1095d2e6bdfa85d059279457d7e72c31920 |
| SHA256 | cdb6331e0e6c584c669fda5fb2ca97582b31b23036d1210f0250ec587be5815d |
| SHA512 | 495a8bcc159b3d2d28d2cb3cfe1b3972b14fe0e18aab592858d3d610e55d08c88df71f962f4513cb984b2cc17dfd91923872294cf7a0f1addc501ad69ae8c5d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023
| MD5 | 76c36bd1ed44a95060d82ad323bf12e0 |
| SHA1 | 3d85f59ab9796a32a3f313960b1668af2d9530de |
| SHA256 | 5d0e5d5fdb4d16cf9341f981b6e4a030f35d4766ad945c27381f8d3afb624542 |
| SHA512 | 9f0555fb531734b786364701e17cb7f57ce94a688d4616fb85bf32cad45a253a9c479a301e05a4f8630cfea141dd52726a31b8e90198c19c16f33fb150a04a40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
| MD5 | 5d0e354e98734f75eee79829eb7b9039 |
| SHA1 | 86ffc126d8b7473568a4bb04d49021959a892b3a |
| SHA256 | 1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e |
| SHA512 | 4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
| MD5 | 2923c306256864061a11e426841fc44a |
| SHA1 | d9bb657845d502acd69a15a66f9e667ce9b68351 |
| SHA256 | 5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa |
| SHA512 | f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
| MD5 | 635efe262aec3acfb8be08b7baf97a3d |
| SHA1 | 232b8fe0965aea5c65605b78c3ba286cefb2f43f |
| SHA256 | 8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06 |
| SHA512 | d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025
| MD5 | b2cd531e7ed2f6fc156776e33c30fc7d |
| SHA1 | b133d3c7fbdfb6a65b831c26c94af5d093942746 |
| SHA256 | 7965c2bd230793da81cfc31fa0aa037824605ffe78c1de2ad678d47be7302705 |
| SHA512 | 603ef0f54b9be1ef766af8c9ede25dc5b643e503ce0cdac4b458631b020d5b5f366daeff456b730ab6f2c4e0df42ddde64a144145301ae4131290a7f7caa237e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
| MD5 | 77e89b1c954303a8aa65ae10e18c1b51 |
| SHA1 | e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73 |
| SHA256 | 069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953 |
| SHA512 | 5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028
| MD5 | 5dcfe3466181e542efe0cf922b40de1d |
| SHA1 | fcbb18ac226c9c475e69d1f11367eb7c7e6726d9 |
| SHA256 | 06e146efef87c63827881b3e12f29899d0d4dc1cd5858eeb9e85630629504b83 |
| SHA512 | fefb47019b213438a8fff7cf170634d24a88629d8ab8a7986dddc37d00ab7f14de62af343e8ff1aeb7fb7ee616d79e250c9a875634d35e474b4f8663ab2267c5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 8315434b15b1526d45b7053a21bf6ea3 |
| SHA1 | 270f1def4f82031a1ca2728fa5f2a42743485ca3 |
| SHA256 | 9a301e7d422e1872327cefbc580272d937689a8fd22a8c638ddf8a982c5526af |
| SHA512 | 930b7c78a0b76de740a6b03928f2276887c46506ae69da92086796ea4a88b014a2952351c8effd5fd03695d6d81c43912ee6f2827c6544ace3a40a38c10b4026 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 17169912569de59dd6c2e6f7f051fd02 |
| SHA1 | ad0ecb24bd33e2a0e9bafb0653715f22d57f8320 |
| SHA256 | 2399cd8100f712cd00611d52649ce1ca708c8763df1d711f3230e79b34298360 |
| SHA512 | 1ca1bf630da4d9b191d64d45a54d18b80ab6375b80acdad6c8d8937ec63bdfa20d8c29ab0712516430c058caae10e4ac993895e4c0a959ef92439844824b9fc2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 28a2ea91b52a646b5351f2c898de3602 |
| SHA1 | 4d492431321497da30c902a002abc7cd31ca42d5 |
| SHA256 | fdf231797e7967c851f4546e2e4b9cae930493a8e988243854c84bcbd964fa9a |
| SHA512 | 27c786113e4dc234e1ee462498afdf6bdf9837c7456aa4e3cb061e7c4772f7993cdbdce393ed088ed8d309b80375dcff1be2ecd42305a5adf9c6070516defc09 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 14ed3859a5f22a5620418f71396784e6 |
| SHA1 | 63bf58e424ed635ec34ed24862c0bff72949b946 |
| SHA256 | 0f1e5041e2ed1ee3e817380508f6dbef09987397bb5f5c20912611df2af1f663 |
| SHA512 | e306dd616cf2075c728f2d341eed3defb04c8847ccbf098e9e40e6e072a67c20c1351d6220a7416e4020f8f1c74fa8aa8c718a2e81dd66938307861d94429899 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 12e571be17faab83177cc56ca46c91f1 |
| SHA1 | fb027e02687d06abde30608f6941332d3387b9a3 |
| SHA256 | 7e04ff48dcbbda74f98841b63e78ffa06838d56147662e3bfaac094e3dcf66c9 |
| SHA512 | f143d4e975ecf07f83014913a8a7c7b9f5155d4f0f17e4e481d22bb8849dc4687b942b25e97de23b8bc09b9a86ec172c2264bc46edd2f3046a23118472f42690 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | be7b3339a17bda8477f68a67c88fbfd3 |
| SHA1 | 7a083275a5301e603d827dfdd9a9e63fd2164683 |
| SHA256 | 55e5ccbb2ff562e7b31c971fe940d1a06d94f24b840ce25db6465fb0bf88e60c |
| SHA512 | 65a42a38f144ff33bc31b0563768a2e66c4cb1bcb5ae90cbbea7d9efc4870dcd7cf3347368c7a4d2d01c292ee5e94b100edc312a2f4859d78804e3025c58d1b3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bd5ef412dd26bf29b58452acca13c370 |
| SHA1 | 2b83353e2c3c3249d81f668efcfbafe451efc5c1 |
| SHA256 | 11f15b6539521bbc412e3c08eaba8fdf94c414281e9d5e01f6e2da34a2750ef2 |
| SHA512 | ec3a6c5166c7d37a8d3524816c0c186477b853fb156acde0ca3b265eb925508f7dcd2dd5079d0f82abfc9510aa29174036efa1bc28d503b5dccf26bf1b939d02 |
C:\Users\Admin\Downloads\Unconfirmed 815396.crdownload
| MD5 | 9c3e9e30d51489a891513e8a14d931e4 |
| SHA1 | 4e5a5898389eef8f464dee04a74f3b5c217b7176 |
| SHA256 | f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8 |
| SHA512 | bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7 |
C:\Users\Admin\AppData\Local\Temp\about.bmp
| MD5 | 5f21d46a759bd6884d306c7dbf9c6524 |
| SHA1 | 4182aa23cc6d0dd61976294105820ef6988a9356 |
| SHA256 | 0b1068ab12b7cffc5bbaf7214055b5c8f718b235b5dad963d17db986624bd0e7 |
| SHA512 | 158c4aa72aad12afceb5f786f1eb5cb20b6493e7a3f471d3e8b56443a42b7e3003670c3bad6b12512ae4ba42d4c6bb1b46c8930aa3807ab76dd3a6399633009b |
C:\Users\Admin\AppData\Local\Temp\about.bmp
| MD5 | 05bd7c91e0d4056898483e599f46c1c7 |
| SHA1 | bd6a8776cbb343b1faf57c5d9e98a42e5487afee |
| SHA256 | e49eed41d0152f3f30fd56ff52aae66e2cac81d6b579149722307ab98976c48c |
| SHA512 | 853adfb0c990bf963fa0313fe4b15136ecbc73fac4637d44addc12d8ac30a056455657650b055d2a8bcebfc4969d74d2e76145111f348e75662378d58804c249 |
C:\Users\Admin\AppData\Local\Temp\config.lan
| MD5 | fdf639b07b04e92fb0b2dd081c3aab31 |
| SHA1 | ce52af91fa75add7ca246ba7af5e46b915b06c11 |
| SHA256 | 105fdf5e298fa46c6193a7adbd116d57a29942014a926d37058e768c6c91fb9d |
| SHA512 | 685cff9a5efe205a0abf7b64de74d709245bbf888520f29ef555b1d2ec56c95f2850df23b4cff82cf9b6867095d1e33e2ae77fe6d8a631f5dcde5fe8c2f5ae05 |
C:\Users\Admin\AppData\Local\Temp\language.ini
| MD5 | 3d587d8078643f2dbfaaf0297ecc05a2 |
| SHA1 | 95ac1e0cfaf5247a11f7f4e4fd65f523cf1eb518 |
| SHA256 | fc83553ca87961291b4eb9903e1b694f8536f6d81140392090f05993e705f1fe |
| SHA512 | 90c89874abdb7fdef847bbcb641e9f873e0c1c231230203a7ed8f05566cd01f91aac6256d9cfe4d094aa021f8a91dc24f2ce863fcee819f84f26da5f2961e05a |
C:\Users\Admin\AppData\Local\Temp\license.txt
| MD5 | 8ce9a1d5353db0332a5c9bc4013270b4 |
| SHA1 | c24477b75a538ed6e260bded40dab4b1e43c1691 |
| SHA256 | 48973c77396e4af6bb89e040e17f4a1dfc525d04158a39653898f1cf6def1658 |
| SHA512 | 1b3fd014778edbffc435e03389b676f1c47f355ffd4f570ee76f7aa5297d979e3b2aa01abc41eda6c0d0a9eca32f75a6c29b4b9b911732811dd8f5af283e3464 |
C:\Users\Admin\AppData\Local\Temp\main.avi
| MD5 | bae47c070279bd5e94726bf3641cbefa |
| SHA1 | c0fa068a4c28896e0c6b58b092f110ea2fbee301 |
| SHA256 | 0f97a25a3cd4c5281648f3ab167e2892abc2ce189694a62870536bcc210f19a7 |
| SHA512 | bc9e42033ccd4bf30f7dcd9294fd673d3bd483128406a7a42773688a368e49e3ec4f92d352a47211e888d351a44035e69ea37a038ce8c1aa4c229db22edf74c9 |
C:\Users\Admin\AppData\Local\Temp\main14.avi
| MD5 | 766f0a47e6bba925b091d9aeb7deab15 |
| SHA1 | 5b0c01b96dfd284313b1a57b8993a44476ab3eb1 |
| SHA256 | 1913463812443322d1d91eafa1a17c0fadf7ee73d3a181436c9689431128a86e |
| SHA512 | 032e75acd52aa5ef769ac4716ca408e800e5f963907d6b68a3962b4320550a4653a9734f617a3baf5636a9f128fdf3ea1503edc3d10daa34ff199190c7ac9168 |
C:\Users\Admin\AppData\Local\Temp\mwavscan.com
| MD5 | f782e2b1a079103fd24d31eb7af00551 |
| SHA1 | 15ae22048a7a5b5e0df1e0bd5cb0a8d4ca92cc7c |
| SHA256 | e9a8841e4ceb8044e133ba79d06d64b58b23321ff2c10156321c3c770ecf947e |
| SHA512 | a2781e57c841984e1e5936322d59fa8a5c84863d91763a9d426dafae9006179a0e2d8b5950dbee24707af32008121f979cfe33f656ca9b7df1a9122d4d602cf3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 5179e5772ffb966c90446a4659d9ed27 |
| SHA1 | 4d4e751d8ddb424f7cc3151d07eed740f6f47509 |
| SHA256 | 669b36aad33939b07b1cf6e87e0ed268a6d07fd1730b7a37e5d2ce79c74d0086 |
| SHA512 | 36fb942a52c3bdacc20c58353743e7e3b8e450ace343980fc4e5f59aed59adc7e9df565396bb4529056686c96d2b12043dd321dd427e8a7aee94614243a61aad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9167ee43d441a6f85619bd06049489fb |
| SHA1 | e9ff82e6f87f1e8c63569d66bd362fcf37288cac |
| SHA256 | f04b16cc328488e3753ecfbd4b4180c597614dcc0efdd228d855e630742ac25a |
| SHA512 | df0fe57e4df8e94be5fdbc329d6ab1ab6b48cccfd34cce2d293e40746d4ac682b517d2401692f7b431cc90f204cfbf1f677265bb7df29b79ae0ec46e4fcf3a3b |
C:\Users\Admin\AppData\Local\Temp\plugins\emalware.546
| MD5 | 8e1b25b9e4a34e6f3b2a9f1900389460 |
| SHA1 | 6828a556fa35c744517a4cfbb1affc5c61d44684 |
| SHA256 | 093c41e8d9aa9932fe6ad28cfab9b4318f24b4784560274917647695b196c0b3 |
| SHA512 | 6eb0aab8e5500fd7fdf9f528a946978d66f78669fd93a29a118b05785f7efe6df3c1f37e82e4e8c9f7e201e38e5c8279ad278a7c33518cb9349e5c7d44bb8750 |
memory/3144-4220-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\plugins\variant.c02
| MD5 | 7f38ffe1534882ab52e58dca877b443b |
| SHA1 | 8085ae4691d0ad37961146d5beb615b078ca2fef |
| SHA256 | 0a8f4f145746d73c039b4aea5bfd3a42c3ce203b62d48a78bac9ecc039c862a6 |
| SHA512 | 1c248ce96f80c0ce274748a2626e302024cedac500faab7436fe59ee1d5f40c4663ff6e3d018a22b3cf2c27a1f89806a6400596458e1d667271a28c5cd794315 |
memory/3372-5148-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4348-5551-0x0000000000400000-0x0000000000829000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MWAVL.exe
| MD5 | e35fdda0a2ea20581e039d87cb4d89f3 |
| SHA1 | c356b7ecefd10b8b662273bcb1fed239aafcc4a5 |
| SHA256 | d58e48e8f1b8369838349c22d469b545501f0df2b449bcb9ff18c5e9b12c429e |
| SHA512 | 72b353ad5bc59eff134f15cdc55de137720a8e3cc200b3a995dda2ade74dae4bbc73513cc8134852066a2fe9577aa10cef80fd23f8d21ffb97cd8fe344b77d6c |
C:\Users\Admin\AppData\Local\Temp\Download.lan
| MD5 | 4b43a0827cc85b4dc32e0842982cec70 |
| SHA1 | ba3cb699f19426654ca5f97358b4c475ad728373 |
| SHA256 | a601b5b32e0a3a6d311add1daa541f56571dad56132d6a7b17d043430b0e8a65 |
| SHA512 | 6b4584e35c689b990c6330a94543a897319181a0cfe713fae0502a391ea60c80b266524cd1b3da5d8545ece01b90ae7c86e5f451b4fd22ec8699b9322354978b |
C:\Users\Admin\AppData\Local\Temp\Schedule.Lan
| MD5 | 62345012df94dcbfa894cd121226078c |
| SHA1 | 934f678515ab5d8caca3e31e9ba022db2b2228d6 |
| SHA256 | 260e7a41168df0b5d9fa8f370ee7ee2fc1eb82ddf6795931f5dbfe7e9c1d2b03 |
| SHA512 | 9f29918665cce398abf99dcba557bb9fa2f280e0fbf176a25405d5421f882af679a3abb7ef88f2f39b840ca978840fc3d469942f2a7aebe1d4862552b2bebac1 |
memory/5852-5579-0x0000000000400000-0x000000000070E000-memory.dmp
memory/3144-5591-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\win.ini
| MD5 | 9ce2fbf5f6f68881446c119a602dc4e1 |
| SHA1 | 418780adae870a2d04d1cb9456a45be9c175fe79 |
| SHA256 | 94882dd77f497d890251c53a2a4e823c3e03397df4e63a9f34cdf972c56e7412 |
| SHA512 | c82f08422deb44635009d0d89bad04e5501a4e0ec10adf34f49c20017505e82cc45a8665ed57ed9f3bfd021627699008c7974601dc5e6e6511f65d22656b5a67 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0d32595f32b232c733ec298c4051aa19 |
| SHA1 | b62e2c7d09b4640f320d7c15a32f5f97b972b156 |
| SHA256 | 5c1936b99d763c7d9ff63d7654f41b640bcb3123542cbe5cab82efe4a22c5921 |
| SHA512 | 616e231f3dab7b31f6ea9ca620e0f923c1c58c41a092c0663dbcfaaaf9b71cd76e6c31d45e1e3517be43b2cb11810f506c84416a19b22545a35baf2fa1af07b8 |
C:\Users\Admin\AppData\Local\Temp\mwXface.log
| MD5 | 3331d1daf4d50aa142bd46b67b185823 |
| SHA1 | 0737db9ae07253c5bff1dee328493d15d29aee1f |
| SHA256 | b82e8e45d2487a806b44c4ff0d708aaeb31dd34b6febf5b3d89e687701158811 |
| SHA512 | 86c9718ef1d2932b84aa58895bd3b8646ee1b1ed37b5f5845f3116db3fdba5954ccdc1034b4e17b751a4ef86833a13f9e93eec0aee96b4594a1523f299e2061d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ab49e7447c91e1fe6c371cebeaed66d2 |
| SHA1 | 6414779a19a1208c44adce2dcc9deb1b83d6f3fd |
| SHA256 | 9bf17b3a3bf3bce53696aa04ad2408f743dc6ab45b3f05020ff98d65ad8879f1 |
| SHA512 | fa5ff0594740727f5c37f46cff979bcf2350dab51d3378a87b9471d65a13a1a03bd7e342fe94684b9d06ff1a723325236dc954746646b2e466bd4d3415698d44 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 7912ac649d86cfb23257c05c90b7784a |
| SHA1 | 8f33d6faae9e6e6def2ba7fa63b0626b448b8962 |
| SHA256 | 9fa3abe9eaf61d144e07f084b500b177ca7c5a40b2e653e99fb203d141a3528d |
| SHA512 | 888ff3db9efd63265218d9a666b2954f6b975619965d9c24ee41dc2779a13187805b555f0030d536c9b381dd34580b12823a4abfff26600382dcb0c616f2cfdd |
memory/4348-5703-0x0000000000400000-0x0000000000829000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 09e5352efb6fb0d7871c44a848152db6 |
| SHA1 | 45bc0ec3a83cc0de9d10524b42a08b1c79294c12 |
| SHA256 | a2cacd0175ca60c65004143cca8a95d61f4bcbb48499f2988906e5c95e5fd164 |
| SHA512 | d18a368d267a0fb66a6a2bfcfb2007a4dc11b6d0dc534110601906c52e5c44f0f2bccff42751fea21a97d5eb7a47c55d7a5bcc8002bce94856c43ef76bcd5fdf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1be197984f0bb7f88bfad9bf396422fe |
| SHA1 | 73bbaa5234e0e7a347b9ee3f626c6480e1caebb9 |
| SHA256 | b841e6e208e7838367e2a8bf5d4919a1c14e88cbfb25f44e21b2f8e40a258743 |
| SHA512 | 750a1ab3d271c96321e4f3986154a855e973490a8041bd78b9c3690db7b31a5349f73f611b5e7bbc2deff5a36b88c3fd67b7c269a96aa72ab5a73ad774330f13 |
memory/4348-5745-0x000000000E780000-0x000000000E789000-memory.dmp
memory/4348-5744-0x000000000E770000-0x000000000E773000-memory.dmp
memory/4348-5747-0x000000000F940000-0x000000000F97B000-memory.dmp
memory/4348-5749-0x000000000E790000-0x000000000E792000-memory.dmp
memory/4348-5754-0x000000000F980000-0x000000000F981000-memory.dmp
memory/4348-5755-0x000000000F990000-0x000000000F99C000-memory.dmp
memory/4348-5757-0x000000000F9B0000-0x000000000F9B1000-memory.dmp
memory/4348-5777-0x0000000010500000-0x0000000010505000-memory.dmp
memory/4348-5775-0x00000000104F0000-0x00000000104F2000-memory.dmp
memory/4348-5773-0x00000000104E0000-0x00000000104E2000-memory.dmp
memory/4348-5772-0x00000000104D0000-0x00000000104D3000-memory.dmp
memory/4348-5770-0x00000000104C0000-0x00000000104C2000-memory.dmp
memory/4348-5769-0x00000000104B0000-0x00000000104B3000-memory.dmp
memory/4348-5767-0x00000000104A0000-0x00000000104A2000-memory.dmp
memory/4348-5765-0x0000000010380000-0x0000000010383000-memory.dmp
memory/4348-5764-0x0000000010370000-0x0000000010374000-memory.dmp
memory/4348-5763-0x0000000010360000-0x0000000010361000-memory.dmp
memory/4348-5761-0x0000000010350000-0x0000000010355000-memory.dmp
memory/4348-5759-0x0000000010340000-0x0000000010342000-memory.dmp
memory/4348-5758-0x0000000010330000-0x0000000010338000-memory.dmp
memory/4348-5802-0x0000000010800000-0x0000000010844000-memory.dmp
memory/4348-5801-0x00000000107F0000-0x00000000107F1000-memory.dmp
memory/4348-5800-0x00000000107E0000-0x00000000107E3000-memory.dmp
memory/4348-5799-0x00000000107D0000-0x00000000107D5000-memory.dmp
memory/4348-5798-0x00000000107C0000-0x00000000107C1000-memory.dmp
memory/4348-5796-0x00000000107B0000-0x00000000107B4000-memory.dmp
memory/4348-5795-0x00000000107A0000-0x00000000107A1000-memory.dmp
memory/4348-5793-0x0000000010790000-0x0000000010798000-memory.dmp
memory/4348-5791-0x0000000010780000-0x0000000010783000-memory.dmp
memory/4348-5789-0x0000000010630000-0x0000000010632000-memory.dmp
memory/4348-5787-0x0000000010620000-0x0000000010623000-memory.dmp
memory/4348-5785-0x0000000010610000-0x0000000010614000-memory.dmp
memory/4348-5783-0x0000000010600000-0x0000000010603000-memory.dmp
memory/4348-5782-0x00000000105F0000-0x00000000105F1000-memory.dmp
memory/4348-5781-0x00000000105E0000-0x00000000105E1000-memory.dmp
memory/4348-5779-0x00000000105D0000-0x00000000105D3000-memory.dmp
memory/4348-5778-0x00000000105C0000-0x00000000105C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e5711f8cffb25f5f3099c56448bfbd29 |
| SHA1 | 618ba78fa752128c67d4a5ede8366ed76354c72c |
| SHA256 | c6147022cdc769412613db226f3fd85a80e50a783ce8efb381ca674e6b9bf1b6 |
| SHA512 | 001d8b8b5076a8e2ec3d5d35c46038465ca2879c09151fa77f66baf163154de89f6034176321f6e037fe44e9d6c6e6a6009d21ff186a52c9aef4350424c30e47 |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\orice.rvd
| MD5 | 20981ac7bc4cc348798ef835370b3daf |
| SHA1 | e7b25e6be06db607efe3b63f3a7864b0d6839034 |
| SHA256 | a20bf52deb17b0be04e70bda7ecf102d5b9a764ca9fc5160e805190fb876eb93 |
| SHA512 | 97c26bcfa7c906e250aa8b2228754dee519b3fb4b212318ee60ece990adeeae51b2993cb57d1f15f623a34e1d8add39d9354d8a2dcf425a2b2294d4645d0108e |
C:\Users\Admin\AppData\Local\Temp\mwXface.log
| MD5 | 69a4baf49e16a3b30960813ad3055025 |
| SHA1 | 35948de74891d7af8d408a0e09d6722751c6d5fa |
| SHA256 | 9e4ec2131120abd76cd181e48fdc571ef82a4bfcea62626542c8ed1e5458b823 |
| SHA512 | e682345c827867baaabd4664f864d73caf25dea1bfa0936997d727a8920812cd72e72188fec8c56a1a54022442c03aada10ffda216aef7286fe187927c433bb7 |
C:\Users\Admin\AppData\Local\Temp\AVCBack\scan.dll
| MD5 | bf2d3edfc10c7e70b82043c6f4efba52 |
| SHA1 | ebb26d258275a7d7189085c87134693f42a3e81b |
| SHA256 | 6f36d4e54d66ec91d10d549a148018896089430aceb5c6a14a541c554cabcedc |
| SHA512 | e111e7e581e4523c947fc183a3a97df50c5e7fb65e32bbd42e1e09606b280fdc372bf134e9f942f971dce2d89c8949382e1afdef0b988891b6e88b25c13d1bc5 |
C:\Users\Admin\AppData\Local\Temp\AVCBack\bdcore.dll
| MD5 | d5cf5596a28f87232bf1fefd62f8ad51 |
| SHA1 | 3556a87a2e2663ef35aa96a48def52b8d5a6fc53 |
| SHA256 | 38d096af7fbf260ca2972b49fd1044170c46919f4f63b3171b86bb3625e61545 |
| SHA512 | 67dc3ada18192a8243368e8f00cb2040d2359bb51dfb565b0bcf192b3a0add263359a81430ea08c0e466d96956eb476df497acd0b3384e4e8022187e52fb016f |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\lib.rvd
| MD5 | fb6fb4b92211bb48b1fbbb5d41e022db |
| SHA1 | 5c88b87a8799522a1a9735f730a9fe6e8f657245 |
| SHA256 | 14e97b03946873be303092cd78569869ae28c21809dd736db29d6dbf9ef49d0c |
| SHA512 | 515dacfc464803843ca0ac977bb94d8111fa80c9a999cd66acce9f940e7e2bad40888084b9c8a5148ee4ae18bf1d36466119637441f410c5306e3b29c21442b9 |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\lib.ivd
| MD5 | fb34175e7a1fe4a750c2fb01995bb932 |
| SHA1 | 6a3536b36539854944dc964ffcde70c3d9187795 |
| SHA256 | e3e46fd247c0f500e4a89dc6e59f66655c07e0709d7ad2d387a74923f1365b68 |
| SHA512 | 2fc0bb5f3479b076de1d1b3e4682ecab1b2f7743f445a156f55610aaab4220ad0aa060c88487211fa0e75d68cf20f177f778173b0265ccda29b217808fb2655f |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\lib.cvd
| MD5 | 57241111b097b183e075e914f7199975 |
| SHA1 | 1e0513bb570635a318da879a9f203dcca8465908 |
| SHA256 | f1b8720e07fb82e1439aacd5194d2264df92bb8458a4b7375bc61d6766b908b9 |
| SHA512 | 6f0ac0db09feb081af152b06de59652ce08ef02777ed70a03e72ebb26d0f3f0869a40bd92a2fa0bf7d5e0b1a77bda799eeb56459187aea9fe9fc0fb1e6d7085c |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\mobmalware.cvd
| MD5 | 25a1f3eace01f1e6c9a9d702be735a9a |
| SHA1 | 1949c3713ca504d65a9535fa355cd9dbb181f13a |
| SHA256 | f4142bc3738cdfcfb130853c65bb6f2fbcb894bf106b71ae10853a614d9ec7e4 |
| SHA512 | 604c5a75f568d5e243e1f491b573f183053996310c8943e2d6051b3aa79d8621d54ac7e3703347bb9fa88572b86d28f2f6adbf856c3ba643d09eb39cee0d821c |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\mobmalware.xmd
| MD5 | de6550e9130b3cfd8e1afd90108e7518 |
| SHA1 | 7099394f182bc289005cbbc89e7a33416a0a2ddd |
| SHA256 | d88a5f69714157b7f4a735fde2e1f24d784b4c39a747518accedcf471373cd1d |
| SHA512 | 15af2a1dc86cda89b97f0847fa2e566a67925a4cd5baaed4f87a4d28f347a8b894d40357dd609163374b8a285d1c9307b1bfbcb867b8a62553b03a1057c39b2e |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\update.txt
| MD5 | 0271785ed4d412d6a6242fa232c5a630 |
| SHA1 | 75e53d0986752e905c48cff30613c336a6632eef |
| SHA256 | 7c5d627c8e450faddfe3ac0fdaae96e20f8e6c670e39a0a74748072bd32741e8 |
| SHA512 | a9e67fa69edfa3b7dbc7e4d92ea46bfd7cd018b16ecbf4fcfb28bbc8fce33e379077e03d0a56459a2ed967fbe9ded4c1742c31b402393c07835e1900725f7d1b |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\xlmrd.ivd
| MD5 | c068575847878385d17cbe35964c107d |
| SHA1 | 963f37a923419a1d41e54ad3d8b815fef42fc609 |
| SHA256 | 47c642f3401fe5a767e55c364c8d60ed92782fb25eb14fdf8c6232596bd47eb3 |
| SHA512 | 47ecb8d2ac06e2bd6abdf26b40873703b471f977ac56a00a49d9a6d172a1dff128a26e88031726762432a4b5f4ec3b9cf5bbcbf0c30b6be13c3673acec3990fe |
C:\Users\Admin\AppData\Local\Temp\AVCBack\Plugins\xlmrd.cvd
| MD5 | 56a7b166c1fa23fd9190d4aa4593597c |
| SHA1 | 68d301f35c434ce8e5d86bde78e38717286a049e |
| SHA256 | 6e7793dcf413268931a8f8ac827ac160efb37202ff21b538732bb959c04cfd34 |
| SHA512 | 424977377c817c8188158c8dabc9bd72558bfd4bde54875909adce59e2bae0ca6675441082a7793ff50210c6789256896b3087584e3912656980bbeb2817a4aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8d36ae114c3bfb821d60e2cd0b50bcc8 |
| SHA1 | abff921a8020e0a3a818f4f6627806421de0559c |
| SHA256 | 75a80fac3937376ee528c36e6b5b4c136d09a4db5b2a5e66882d19da1f525ddf |
| SHA512 | 162fc4ba28c00afb3799a672cea46bf1ac4a689bcecec18960c4b408c808cbe8e841810d0ba99c468ced1df8786b01f98da782f4bb7e393188953dca51fa89fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ed8738103ac12f9005938dec7e09132b |
| SHA1 | 7b24653165ab6aaf64a2c823648d412df6f384d7 |
| SHA256 | 74db2d18011dfd2de99f3d7d42e6458cfc126f3a9b36ccd2d2b4bba6762e6088 |
| SHA512 | cc89187c33c27a0cddd06c822236f0230e2bca93adb9cb2f80487e80a146c512ff0110cda145e4ee0fc164616475e2ae08cc9f1f4d93cf721b60cec6ae534bc7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a9575edc2dfea82e618bf7240b2da172 |
| SHA1 | c5c09dad752c3731b07512a0e5ea7c596be0835f |
| SHA256 | d44fd81da0384722454810b81098f5f1627e254392df25e78c678fe21bcb10aa |
| SHA512 | 0192063d14217312d110d989f50106f5959b736bc9a144a7cac5c4650f134ac597a637272b763a128439d90a4cbee4317a9fadf208aaa69cc4e966a8eb68185f |
C:\Users\Admin\AppData\Local\Temp\trufos.dll
| MD5 | af1008b7782df17120100686ecd2af5c |
| SHA1 | 4c4ced2e96356cb08d72b7ea5963d65bf27f96fc |
| SHA256 | 3b0a9f80f8c2a77a7a41ee7cb7850b2ae5acc3b1fe271aa4a52c890ac9cfafb9 |
| SHA512 | 58508f4878b7da0e1d648cb40db1b591ec2f9c7da7a027f7faab13564d820b96851191cfced985f73118e0e178a761eb9acf8023ad410605e7e5452824593b2c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e6adb3104632ac8d96e1cc33e50e29cc |
| SHA1 | ddabd4b3d40783533a9ea2b72843a763d3dcaaab |
| SHA256 | 68a0d130667d5f84afe8defe4c5bca267528882e3e2a1e5ce7ffbafe9ef6fae2 |
| SHA512 | 028153345610f8ed6ab9bcd043755a973b18011f7f3eb00aaa13a3169066a146b8fbffbf8b8e4084bef1fbbfc218c4f12c271e7de29a093564f8b94aea64d129 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e648531fc59977c5eb6f901b99fbcb7a |
| SHA1 | b55bca267faf1d3d2c756150d4a3721a6853c400 |
| SHA256 | 6b078254125c9473529dc50be6a3a7920bb23f46ca478d7c164f5e12d44678c0 |
| SHA512 | ed9e180e0cf149db9b4a43356acf1bf1d84f64826f5edc0042e19225444ae19432d4d60d2de3c15e1c54858ccea027fdf0f1ce5e8d813556289118c7a1e33a3b |
C:\Users\Admin\Downloads\MEMZ.exe
| MD5 | 19dbec50735b5f2a72d4199c4e184960 |
| SHA1 | 6fed7732f7cb6f59743795b2ab154a3676f4c822 |
| SHA256 | a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d |
| SHA512 | aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3ab1e6f17864e71ebac1554b9083ae02 |
| SHA1 | 0c790a4d540aa693d11ae79a8ae931d36b703f6a |
| SHA256 | 892a67f1c33ba651671e7de29df0398745f571b46d7a4cd46d1d7b1e36b9c5c2 |
| SHA512 | d4629b186628a1ae031cf43e8113ca47a73c9443f774cefa17825c8365cbfc7302756f07981a61ad32194970131a1efd3a02ff18c632884a2f68715b89426c4d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d9c0122392ff5c775e7495dafffc169d |
| SHA1 | 44aaa05533b92ed4d4ab30dac140dcde83a25139 |
| SHA256 | 2f7a95802e7208938605d15835a9fb5a875c60226725e84c4a31387812b9d312 |
| SHA512 | 26b1950c7e2c52ac5baa3c5caffcb2fb40b413f75539d95c38561dc6394eeb409b2b46c4cf79072e05a3a9dd42e8deaf9050b67ffb7f30a4f5ef7f437986418a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 68d17724ba43010642e687684f04ac1d |
| SHA1 | 4022cf8843aadd70651638a66a7076e067c5347d |
| SHA256 | ac912515e5749dfdf718821b474063083094966edf776570386df7ae4133a7f3 |
| SHA512 | f7b3a5361c18b89371d2f0e860cec593985d3dfcc8aabe0ca0c020fc0f0cbf758425900a45efadedaab1c178a68576d52117927383aa0d24ceb72849eb82c41d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fa7be5aa4e6eef2da5904eed4e05c4c7 |
| SHA1 | 46aa40f901d91508ec18f763efe4843301389044 |
| SHA256 | 0199881d994ad8903e4768d3a8961b8a75feb8f6fd3639f2a58f48bbfabc3023 |
| SHA512 | 101c0cef3d34382b834633bf3696bfa66f3ad575a4e43f3392f830db15fa374560e5e540c87a260e82e25dcfc274900705b76573beb0e97ff2b7004623cbc414 |
C:\Users\Admin\AppData\Local\Temp\mbr.bin
| MD5 | d3641b28e19984e182169bdbd8090c31 |
| SHA1 | 14c211ae2199a0c791b10129c248e45f832101b6 |
| SHA256 | b45662878d9421c385f62b98a7a558b00afa8b195bc40fb428a0b60ffbbb0bd4 |
| SHA512 | ee4af76f596b93bde4328117713e631a4e94f33caa31dd58bedee92625a1ac0dc57e4701eaa8d4deca5f67e00d73c7dc857d353b4232b7ba6df4c854e9b56d4d |
C:\Users\Admin\AppData\Local\Temp\mwXface.log
| MD5 | 7147758a54a4d5bf68aef2d9e0eae368 |
| SHA1 | caf2f8ffd026e08832866234a69d7fe539517f73 |
| SHA256 | dbed2b4a856e93922c765575db1d6dbf9dc33648daeada7e2334fa03de1a6e0e |
| SHA512 | 573149bc0953aacd45518aa844c86692acd9e9a643103fffe8676eba09a812f687d96fd36705b54692935c9df4be90d16089778387247923518b14cf6ffdea5b |
C:\Users\Admin\Desktop\MWAVSCAN.lnk
| MD5 | c117f14439b3c293b85768aa22bc0883 |
| SHA1 | b6f57acf1ba55dc31acf1423627320c620adb2c1 |
| SHA256 | 1e98d5abfea9553271b5dab6106373ed734a6df25907c7982e77a06c53fde4fb |
| SHA512 | 1d9733ce64824e9e51b93db6053e1b9d4c373385c227d648727885c606fb2044867591a29a459b5bf8ef1806c1e41028043a8794f8ed30873d32133bce7746c0 |
C:\Users\Admin\AppData\Local\Temp\18-06-2024\RIJTOOVX-10.127.1.30\MWAV0001.log
| MD5 | f0daf30ee0288b173ef40e7aa0abd250 |
| SHA1 | c21f170bc2e2206e85e603516a920cf2471c7930 |
| SHA256 | dd17d22d5887610dd446a4d779ec2beb679166f770aa3167a5f9a56c07e7bed3 |
| SHA512 | dd8b4b854324d06326153913c442c1d0bab760b7e0b100f0d54d637fb2c11300d7e98aa07622a360c523d98fbbafa1a9ddb696e8fb14fe5b5598fd40d255b8c5 |
C:\Users\Admin\AppData\Local\Temp\mwrestore.exe
| MD5 | 79b32e3cc26811e50bef459234c64812 |
| SHA1 | 08f0be130e50aef98348f2b9129cf838d953ca85 |
| SHA256 | 1f90b82d4d9ba454a6a532da008e8ab3bc91435bc690725b1ebf155622577e80 |
| SHA512 | 1e5c515600c31661c78edc1f831e817f9f980dd7040fffd5eccbcf9c66bece9512c3295ad57bd8f945e12c0d4bf8487884b3f064cf559d2efe7ddd2d259ef191 |
C:\Users\Admin\AppData\Local\Temp\Log\Quarantine.log
| MD5 | 183c56983ad3293b6cb389ead1e8f5d5 |
| SHA1 | d1bd67ad4f3fde1e6aacc90231e8133fd0d37b37 |
| SHA256 | 541fb2d9583bcd63de8181483194bc26f1dc0de7941e50b670f5c242d3dd3a69 |
| SHA512 | 6f21badcaf6ae91b2781d131020289066af39baa1ffff7397112527bc45aa6941f99d329c08a452ee2d173fabd91e9e02db18be00d7ba8dde65731617ecb86b9 |
C:\Users\Admin\AppData\Local\Temp\Log\Quarantine.log
| MD5 | 5ebc0528a74cbd16ec401767cd646e7a |
| SHA1 | 7d02289f12d3f605f01a13c2fd4a0a36afdaf67b |
| SHA256 | 070c9298316931cd786dd0c325bd6fe30a11f01e678bb936272435e3c3761cf5 |
| SHA512 | a245f49a63459e452298574238be4a6284a3edf5b2386ad40cfb19db27cf7e2086d79eb67c6411e77f2bb8f1811ef4879adc2b30307941899596c54f846e94d5 |
C:\note.txt
| MD5 | afa6955439b8d516721231029fb9ca1b |
| SHA1 | 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9 |
| SHA256 | 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270 |
| SHA512 | 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf |
C:\Users\Admin\Downloads\Unconfirmed 260205.crdownload
| MD5 | 04251a49a240dbf60975ac262fc6aeb7 |
| SHA1 | e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0 |
| SHA256 | 85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3 |
| SHA512 | 3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c45c42ee97c0b3437d5a66c493095117 |
| SHA1 | 7c03cdefbc23d740b8fdb2cded7f8e592f15d2d6 |
| SHA256 | 7d2511e712167505432805ac5a58ab1269d233773564c47214a4184eb58936b1 |
| SHA512 | 7dd0a46a6f133b30bcb9090408d2514f4a590b37e8fd26b449f21f93e949499896cf254d2f1e712fa7ab7217cbf17d4ef99290add19eaf14f127d828b578e7ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0fc59710f3bbbb8802af30373551afe9 |
| SHA1 | e63934285ee82de7d0466a3875983b858218cb36 |
| SHA256 | 463630c79433b37a1c551374ab973a9b85840d8f1bd7110d4ce60969c3a3e662 |
| SHA512 | 302fd3d317120e9cfbb92cc908eec054e0bbb2c71dabdbfe7a20cf04b12d05743fc04ce6a0caf082d7b640d9d822b1c73cee8322c0550f49942805f69dc563fb |
C:\Users\Admin\AppData\Local\Temp\mbr.bin
| MD5 | b8aee84ebd168384b5336f902b62a601 |
| SHA1 | 82cdd65aaa1a2aa3cb98adb3e43752212d8be1a4 |
| SHA256 | 6558072530a152f3177ebd1db02925d850cfab59c9fe24e23ecfe1e2e8622737 |
| SHA512 | cd0be3d63c9767fc7951c04bd3970e9f649b103a38c04f2d974a463819be0e8eec5c687e635ddc013e5038d23a7dfa0f492db84cacbb76c9449dfec9e159ab52 |
C:\Windows\System32\drivers\trufos.sys
| MD5 | 05717b4f041b77c29489177075e2c83e |
| SHA1 | 83804ffa357d56ff7f575e99050ab4c646781cce |
| SHA256 | 8bdc721aded7e48fe63dc0f19dd598ed404e1e1cb15bbcea31164bc2aa805670 |
| SHA512 | cc4c637430d9206a464d63606d7de173877cb32f1f5e160259ee61fd3b78fc977a6712e22ebec87ec9d8f1e6fb535a1a8748549a948f5e805da81ce30f679cd5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4adc5388d0985571c86410497a408c72 |
| SHA1 | b1580a1b5f76eac47f1a734befaa38626037cab3 |
| SHA256 | 338edb83be98fe9770b3d86d548e1ab87d9c3232916c82340b61d2064d30c7bb |
| SHA512 | 97577fd539347f1e4de254b01284c50f47e4d38e28cf1705f1f7e92a430c35d5264b33a631e576aef03a72cf420ce2c2d59a0c8db38ae63f9c8f4974b2be3723 |
C:\Windows\SysWOW64\eEmpty.exe
| MD5 | 0c7e37bfb73dc8ed7d22cdb04bc6be98 |
| SHA1 | d3b8694bd2b8fcd18e50093335913bcf6d38aeb2 |
| SHA256 | bb75b75a53dcd9e276979e456253a2198fc2e97d0574f8acb1d06d335fa9b790 |
| SHA512 | 190c82d40ca503435e2007816063fb211fa26e03cee8dd352f7ffbbb508d5d4b143ca36678539ebdfe40ae80643ea7d6109d36c99a16d67e9632b6dc92d4d330 |
C:\Windows\SysWOW64\msvcr90.dll
| MD5 | 4d03ca609e68f4c90cf66515218017f8 |
| SHA1 | 545e440940073d5ec49d47fefd421730f8b33efb |
| SHA256 | cf420aced0d810e1d75f6811dd986f2d9fded2fbb8d61fc9a7024520c475febb |
| SHA512 | 1b52d09f94bd37850d098ae7222e85e16a4f6df14cfdfc28526cd98b81fb009865fa75774ee4feaa2e5d5861bea27759fe4fb979c902f8ea60afa8c3e1f723fe |
C:\Windows\SysWOW64\msvcr80.dll
| MD5 | 5042d3932a04ff6b4b6385b99c4f36be |
| SHA1 | 2c9916065f3e8b6f013b2ccc2e4b23e5169b6cd0 |
| SHA256 | 0d6fb31d7a4e79d0d515c903ca75e4fbd7c8d1b0b04b17aa79a2a3c879c4c689 |
| SHA512 | c04826eed4d968aa7eb7f29f8ef9f64aea6fe192d7c7776d383febcb083c9bb6f6b9ae5e96dc627ca2a4787adfd15adc74604139856693b371bbf117af1c5480 |
C:\Windows\SysWOW64\msvcp90.dll
| MD5 | 871f979d70414c900b35e56222932daf |
| SHA1 | dd683e4ad54cab6ba1c7b3ce9c0925db0e1d0e66 |
| SHA256 | 91fd46d7335c9990a20f215b9f6f53bc59551420a9c99ad8110ae2f9ff7598f0 |
| SHA512 | 87e1e585a8a5ffc1bbe87d58e4d8de2831d1589526143ca0cf7fb919b4842c81e50b656cb6a44975d707753063171801cb538d6755a573f8a91cc8be996f7fc0 |
C:\Windows\SysWOW64\msvcp80.dll
| MD5 | 3ee76894c28bb5666c1770d8a965f8f2 |
| SHA1 | 9d63992f084c3247058c1820efd279c43dc51047 |
| SHA256 | d7a333f9c661a2495cf224650d5f6cb43c7a92e06fd7f93cc74b521804811f23 |
| SHA512 | 7ddf7aa33b16b4552a41ce9abfb99e168edf2d5277e656291180f82a02fc52a93c5c0aec512bdf6dad0bec748ce67add94153c6a72d762eb77ebd9e39ee92175 |
C:\Users\Admin\AppData\Local\Temp\DEVCON64.EXE
| MD5 | 20f619ebb6d10ee6a5c164d7dfd36f32 |
| SHA1 | 05ccb1b2a9d14efb1a618826f9e94621538b1871 |
| SHA256 | 99b69330b3fc2a1dd0c68361bb03b6f04fa5af40a6708e03e90f31a947145ef0 |
| SHA512 | 2acfc0c2e6956f879263279b01d4d74cf241efc8be22e1a33a502e48ea35405e2bfdacdb6428a970b02960b070a5fe816791c2326e7a27a687c57bcce9712aa9 |
C:\Users\Admin\AppData\Local\Temp\DEVCON.EXE
| MD5 | 8dd27f1aa717c3dca0b1b9c9e47c03f5 |
| SHA1 | 6fd8d1a75b871f4fab16812324b07de976069959 |
| SHA256 | 551886804fd55a4b795cc2e465e8199bc798f71d5fda79f3c3ad853ca14c31cd |
| SHA512 | 8e0e6e04347da7bf3f164d0eb8c87279fc83360c89f4a82c5285faf756984e0532b06acf5591d2d65c1b9cb4b5be0c01c5538b3f3d0614cdb4513ffd138bc2ae |
memory/4348-34252-0x0000000000400000-0x0000000000829000-memory.dmp