Malware Analysis Report

2025-01-22 13:48

Sample ID 240831-pxvl3ateqm
Target https://www.mediafire.com/folder/vkqbd2erubvi9/JV-Sender
Tags
njrat hacked defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.mediafire.com/folder/vkqbd2erubvi9/JV-Sender was found to be: Known bad.

Malicious Activity Summary

njRAT/Bladabindi

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Hide Artifacts: Hidden Window

Adds Run key to start application

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Detects Pyinstaller

Enumerates physical storage devices

Enumerates system info in registry

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 12:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 12:42

Reported

2024-08-31 12:47

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/vkqbd2erubvi9/JV-Sender

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1624 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/vkqbd2erubvi9/JV-Sender

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa198346f8,0x7ffa19834708,0x7ffa19834718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Password.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12765556321459505791,13706584102162669881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\JV-Sender\" -ad -an -ai#7zMap9092:80:7zEvent8788

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\JV-Sender\JV-Sender\configuration\subjects.txt

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\JV-Sender\JV-Sender\configuration\mailist.txt

\??\c:\windows\system32\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\gqvcwh5k.inf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"

C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe

"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
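The process list above records the sample's evasion and persistence steps in clear text: cmd.exe spawning hidden PowerShell to add Defender exclusions for files under AppData\Roaming, cmstp.exe /au loading an INF from Temp (ATT&CK T1218.003; cmstp with an attacker-supplied INF is a well-known UAC-bypass technique, which is what the privilege_escalation tag reflects), taskkill /F removing cmstp.exe once it has done its job, netsh opening the firewall for the dropped explorer.exe, and copies of svchost.exe and explorer.exe running from the user profile instead of C:\Windows. The "script .exe" entry, with a space before the extension, is a second dropped binary alongside script.exe. The NOTEPAD.EXE Password.txt entry that fired the "likely ransom note" signature is a text file opened from Downloads right before the 7-Zip extraction; nothing in the chain shows file encryption, so treat that signature as a heuristic on notepad use. The Python below is an added example, not part of this report and not the sandbox's own detection logic; it runs a handful of rules over command lines copied from the Processes section and summarises what fires. Rule names, severities, the SYSTEM_BINARY_NAMES set and the C:\Users profile prefix are my own choices, not anything the report defines.

```python
# Triage a sandbox process list for the behaviour recorded above: hidden
# PowerShell adding Defender exclusions, cmstp.exe /au with an INF from Temp,
# a netsh firewall allow rule, and Windows component names running from the
# user profile. Added example; not the report's or the sandbox's code.
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Command lines copied from the Processes section of this report. The Edge,
# CompPkgSrv, rundll32, identity_helper and NOTEPAD entries are left out; they
# are browser/UI noise and match none of the rules below.
PROCESS_CMDLINES = [
    r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\JV-Sender\" -ad -an -ai#7zMap9092:80:7zEvent8788',
    r'"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"',
    r'"C:\Users\Admin\Downloads\JV-Sender\JV-Sender\script .exe"',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"',
    r'"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\gqvcwh5k.inf',
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe',
    r'"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe',
    r'PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe',
    r'taskkill /IM cmstp.exe /F',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE',
]

# Windows component names that should only ever run from C:\Windows (my list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                       "winlogon.exe", "services.exe", "smss.exe"}

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    cmdline: str
    detail: str

# (rule, severity, pattern) evaluated against the whole command line.
CMDLINE_RULES = [
    ("defender_exclusion", "high",
     re.compile(r"add-mppreference\s+-exclusionpath\s+(\S+)", re.I)),
    ("hidden_powershell", "medium",
     re.compile(r"powershell(?:\.exe)?\s.*-w(?:indowstyle)?\s+hidden", re.I)),
    ("cmstp_inf", "high",
     re.compile(r'cmstp\.exe"?\s+/au\s+(\S+\.inf)', re.I)),
    ("netsh_firewall_allow", "high",
     re.compile(r"netsh\s+firewall\s+add\s+allowedprogram\s+(\S+)", re.I)),
    ("taskkill_force", "low",
     re.compile(r"taskkill\b.*\s/f\b", re.I)),
]

def first_token(cmdline: str) -> str:
    """Image path: the quoted string if the line starts with a quote, else the
    first whitespace-delimited token (paths with spaces are always quoted)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(maxsplit=1)[0] if s else ""

def image_findings(cmdline: str) -> list:
    """Rules that look only at the executable path, not at its arguments."""
    image = first_token(cmdline)
    low = image.lower()
    name = ntpath.basename(low)
    out = []
    if low.startswith("c:\\users\\"):        # assumes the default profile root
        out.append(Finding("exec_from_user_writable", "low", cmdline, image))
    if name in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        out.append(Finding("masquerade_system_name", "high", cmdline, image))
    if re.search(r"\s\.exe$", name):         # "script .exe": space before extension
        out.append(Finding("space_before_extension", "medium", cmdline, image))
    return out

def triage(cmdlines) -> list:
    """Run every rule over every command line and collect the hits."""
    findings = []
    for cl in cmdlines:
        findings.extend(image_findings(cl))
        for rule, severity, pattern in CMDLINE_RULES:
            m = pattern.search(cl)
            if m:
                detail = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rule, severity, cl, detail))
    return findings

def summarize(findings) -> dict:
    """Rule name -> number of command lines that triggered it."""
    return dict(Counter(f.rule for f in findings))

def defender_exclusions(findings) -> set:
    """Paths the chain excluded from Defender scanning (the payload locations)."""
    return {f.detail for f in findings if f.rule == "defender_exclusion"}

if __name__ == "__main__":
    found = triage(PROCESS_CMDLINES)
    for f in sorted(found, key=lambda f: (f.severity != "high", f.rule)):
        print(f"[{f.severity:6}] {f.rule:24} {f.detail}")
    print(summarize(found))
    print("Defender exclusions:", defender_exclusions(found))
```

Run as is to print the findings. The exec_from_user_writable rule is low severity on its own, since legitimate installers also run from Downloads and Temp, but it separates the dropped payloads from the Windows and Program Files binaries in the same list, and the paths returned by defender_exclusions are exactly where to look for the persistent copies.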

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.mediafire.com udp
US 104.17.151.117:443 www.mediafire.com tcp
US 8.8.8.8:53 static.mediafire.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.10:443 ajax.googleapis.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 117.151.17.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 cdn.amplitude.com udp
GB 18.154.84.84:443 cdn.amplitude.com tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 translate.google.com udp
DE 185.60.217.28:443 connect.facebook.net tcp
GB 172.217.169.14:443 translate.google.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 8.169.217.172.in-addr.arpa udp

Files
