Malware Analysis Report

2024-10-23 21:42

Sample ID 240905-1m3eps1cqc
Target https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z
Tags: redline sectoprat stealc vidar deepweb default leva logsdiller cloud (tg: @logsdillabot) w9 steam credential_access discovery evasion execution infostealer persistence phishing privilege_escalation rat spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Detect Vidar Stealer

RedLine

SectopRAT

SectopRAT payload

Stealc

Vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Stops running service(s)

Downloads MZ/PE file

Creates new service(s)

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Power Settings

Detected potential entity reuse from brand steam.

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Modifies registry class

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

NTFS ADS

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-09-05 21:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-05 21:46

Reported: 2024-09-05 21:51

Platform: win10v2004-20240802-en

Max time kernel: 216s

Max time network: 281s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
(8 matches recorded; all fields N/A)

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(2 matches recorded; all fields N/A)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
(1 match recorded; all fields N/A)

Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\ExpressZipFileCompression.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\ExpressZipFileCompression.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ExpressZipInstall = "C:\\Users\\Admin\\Downloads\\ExpressZipFileCompression.exe" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | api64.ipify.org | N/A | N/A
N/A | api64.ipify.org | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Detected potential entity reuse from brand steam.

phishing steam

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NCH Software\Components\zipcloak2\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\zipcloak2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\shellmenu.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\unzip32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\zip32z64.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\7za.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7za32\__wt | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7za32\7zxa.dll | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\infozip3\zip32z64.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File opened for modification | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\arj\arj.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\shellmenua.msix | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\unlha32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7za32\7Za32.exe | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\infozip3\unzip32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\unlha32\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\par2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\zipcloak2\zipcloak2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7zip\__wt | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\arj.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\par2\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\par2\par2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\unlha32\unlha32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7zip\7z.dll | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\7za32\7za.dll | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\infozip3\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\unrar.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\zlib1.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\7z.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\Components\arj\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe\:SmartScreen:$DATA | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
File created | C:\Program Files (x86)\NCH Software\ExpressZip\shellmenub.msix | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SourcesShowing | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
File opened for modification | C:\Windows\BehaviourVibrator | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
File opened for modification | C:\Windows\AtomBoobs | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
File opened for modification | C:\Windows\AntarcticaTucson | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
File opened for modification | C:\Windows\WonderAvailable | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
File opened for modification | C:\Windows\DecreaseHands | C:\Users\Admin\Downloads\appget7854\File.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\ExpressZipFileCompression.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\appget7854\File.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.z\Shell\ = "Open" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.apk\Shell\open | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\deprojfile\shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dv\Shell\NCHeditvideo\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\cr3file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rar\Shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\OpenWithProgIds\NCH.ExpressZip.rar = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\deprojfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.3g2\Shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.heif | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zab\OpenWithProgIds\NCH.ExpressZip.zab = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\NCH.ExpressZip.deb | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.ogv\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.shn\Shell\NCHconvertsound\ = "Convert sound file format with Switch" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dv\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.gif\Shell\NCHslideshow | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.docx\Shell\NCHconvertdoc | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\OpenWithProgIds\NCH.ExpressZip.tgz = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\NCHconvertimage | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpeg\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind WavePad \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.VhdFile\shell\VHD File\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mpdpfile\shell\open | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.ras\ = "rasfile" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.apk\shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.vmdk\OpenWithProgIds | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.pkpass\Shell\APK Archive File\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind WavePad \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind Switch \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.gif\Shell\NCHconvertimage\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\shellex | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pkpass\shellex\ContextMenuHandlers\ExpressZip | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.m4v\Shell\NCHconvertvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rtf\Shell\NCHconvertdoc | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip\.rar\Shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ape\Shell\NCHconvertsound\ = "Convert sound file format with Switch" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xar | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.rpm\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rpm\Shell\RPM File\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\voxfile | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mov\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\shellex\DropHandler\ = "{8EEA165E-0B8B-4BA7-9796-50214C767171}" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\expresszip.exe\ = "Express Zip File Compression" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\NCH.ExpressZip.zipx\shell\open\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.apk\OpenWithProgIds\NCH.ExpressZip.apk = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.z\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.z\OpenWithProgIds\NCH.ExpressZip.z = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\nch.expresszip\shell\open | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\NCH.ExpressZip.xz\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.wps | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.wim\DefaultIcon\ = "C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe,4" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.xz\ = "NCH.ExpressZip.xz" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m4a\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind WavePad \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tgafile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.7z\DefaultIcon\ = "C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe,4" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.vmdk\Shell\VMDK File\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\dfxfile\shell\open\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind DeskFX \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind Switch \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4\Shell\NCHconvertvideo\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\Shell\NCHslideshow\ = "Create slideshow with PhotoStage" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob data omitted] C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob data omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 640128.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe\:SmartScreen:$DATA C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: 35 N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 4596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 4596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1540 wrote to memory of 5088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb057346f8,0x7ffb05734708,0x7ffb05734718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8

C:\Users\Admin\Downloads\ExpressZipFileCompression.exe

"C:\Users\Admin\Downloads\ExpressZipFileCompression.exe"

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

"C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\Downloads\ExpressZipFileCompression.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"

C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe

"C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe" -LQUIET -instby fiExpressZip -instsvar EXPRESSZIPRelatedprogramspaidon

C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe

"C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe"

C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe

"C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe" -installsched

C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe

"C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe" -LQUIET -instby coExpressZip -instsvar EXPRESSZIPRelatedprogramspaidonLLIBInstquickoffLLIBControlonHyenLLIBSpltxtfadeonEXPRESSZIPExtractfontlargeoffEXPRESSZIPIconstextoffEXPRESSZIPTvwatermarkonQvuxTKYgCG5tEXPRESSZIPAddarchtextoffEXPRESSZIPRelocateopenfiletboffEXPRESSZIPToolsencryptv3onEXPRESSZIPToolsemailv2onEXPRESSZIPClouduploadonA6lhN24gEXPRESSZIPSplitsson -instrefdata refdate%3D1725598048%26referrer%3Dhttps%253A%252F%252Fwww.bing.com%252F%26ref%3Dbingads%26ref2%3Dcf5fee8e27ff1f3873c0885401221af2%26ref3%3Dkw%253Dwinzip%2526m%253De%2526d%253Dc%2526c%253D76828563876589%2526ag%253D1668175108%26kw%3Dwinzip%26theme%3D%26pageconfig%3D%26download%3DExpressZipFileCompression%26clientid%3D%26platform%3DWin%26language%3DEN%26browser%3DEdge%26screenwidth%3D0%26screenheight%3D0%26cpucores%3D0%26webvar%3D

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\Downloads\appget7854.7z"

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\Downloads\appget7854.7z"

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" x "C:\Users\Admin\Downloads\appget7854.7z" -o"C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\" "fo1der687.7z" -aos

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z"

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" t "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -p"1234"

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -p"1234"

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" x "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -o"C:\Users\Admin\Downloads\appget7854" -r -i@"C:\Users\Admin\AppData\Local\Temp\expresszip7zfilelist.temp.txt" -aos -p"1234"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\appget7854\File.exe

"C:\Users\Admin\Downloads\appget7854\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 799275

C:\Windows\SysWOW64\findstr.exe

findstr /V "TransformationComponentBrideInvasion" Calculate

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

Saudi.pif O

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x344 0x474

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1

C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe

C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe

C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe

C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe

C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe

C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe

C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe

C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe

C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe

C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe

C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe

C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe

C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe

C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe

C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe

C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe

C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe

C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe

C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe

C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe

C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe

C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe

C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe

C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe

C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe

C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe

C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp" /SL5="$80352,3387544,54272,C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe"

C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe

"C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe

"C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe

"C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe" -i

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJECFIECBG.exe"

C:\Users\AdminJJECFIECBG.exe

"C:\Users\AdminJJECFIECBG.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAKFCGCGI.exe"

C:\Users\AdminFCAKFCGCGI.exe

"C:\Users\AdminFCAKFCGCGI.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1352

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HCFIIIJJKJKF" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

"C:\ProgramData\xprfjygruytr\etzpikspwykg.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3560 -ip 3560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1480

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kinglinkdubai.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 65.108.125.53:443 www.kinglinkdubai.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.125.108.65.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 88.221.135.25:443 www.bing.com tcp
US 8.8.8.8:53 25.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
GB 95.101.143.202:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.202:443 r.bing.com tcp
US 8.8.8.8:53 202.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 201.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.4:443 login.microsoftonline.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.nchsoftware.com udp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 8.8.8.8:53 211.5.149.54.in-addr.arpa udp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.102.154:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 www.google.com udp
NL 142.250.27.103:443 www.google.com tcp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 157.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 154.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 103.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 94.102.250.142.in-addr.arpa udp
NL 142.250.102.154:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 secure.nch.com.au udp
NL 142.250.27.103:443 www.google.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
GB 163.70.147.35:443 www.facebook.com tcp
US 173.247.253.164:443 secure.nch.com.au tcp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 138.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 164.253.247.173.in-addr.arpa udp
US 173.247.253.164:443 secure.nch.com.au tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 173.247.253.164:443 secure.nch.com.au tcp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.252.146:443 aefd.nelreports.net tcp
US 8.8.8.8:53 146.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 audiochannel.net udp
US 173.247.250.125:80 audiochannel.net tcp
US 8.8.8.8:53 125.250.247.173.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 fOBoUGVOdhpeJ.fOBoUGVOdhpeJ udp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 54.149.5.211:443 www.nchsoftware.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 163.70.147.35:443 www.facebook.com tcp
NL 142.250.102.102:443 apis.google.com tcp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.102:443 apis.google.com udp
NL 142.250.102.190:443 www.youtube.com tcp
NL 142.250.102.190:443 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b9569e123772ae290f9bac07e0d31748
SHA1 5806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA256 20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512 cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

\??\pipe\LOCAL\crashpad_1540_SBRHLVGYRLHCJGGP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eeaa8087eba2f63f31e599f6a7b46ef4
SHA1 f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA256 50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512 eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f68c7cfbad537ceed24c2a23398384bf
SHA1 723b75a42383c35d4144dbb881fa5c676dc7452c
SHA256 e9f3aa3239539c0d63d5197e51df2dd53ebe6fdcd7eb8fa19df8c8d6861bfed8
SHA512 193db63e409cba915f7ef2431a981c49b60089a5934ec831789d457794d45a7e03fe59c292b92d28f5889a947169cf0c7ff7565f2cecf6fdba4a78dd5e9e65be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 072558515fa6d3a97b5e370828de8253
SHA1 bed6abb2a1ec6b2cf5d4864ea599217ebbef79cf
SHA256 ab22d564c4e4978034c60e7216ae598734ed0c8de4ab5f9b6f083f2f46ef0826
SHA512 3de95380f1f268ce5190a6948025fdb6d344006926ec6b93203104600500825486a5fc02488d8e3796b67e517baebfaba11defc74fe51c90841c2459193a8fa9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b4605e324074b1a0569c3dc8d40ab9f1
SHA1 c692828cf502a09a146cf1ddb16d24aa7cf546ce
SHA256 9b6884c06c13bccdbc9f378dfdfd7b3541f0ddf6ca90cea47e9edc43c48fdc4f
SHA512 9c0095505f8a8f146e87c84c13e6e817dff1c5589ca2694489b7906205cfae0e7e278e4630cfaa1cd16b5469e57f03e38853bdf6fea27a56d3276ba1618b60b5

C:\Users\Admin\Downloads\Unconfirmed 310012.crdownload

MD5 1ed0c1859d698038e0925824f139343f
SHA1 265326a70e8c18ac204f5c06e8071cddb0322d70
SHA256 4ed3eef9073cc7922fe6f77fcdf8e9c1d8a09da5f2b7d8218a6f87e7075e7cd5
SHA512 38186a14336f17ed00c42026b9805de53e311c155765f0f3b4128e9400df565fc19263cd4d4fbe56c3244d6e40d6faaf0c50c73c96c3f36edc1e055ff12ceae9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 959272233f107c17ece32f9e9e818047
SHA1 0eaaea4b88a6f8527f191b49fb8d6c75396e4b45
SHA256 c8f131e62a5a03d3ef06b7eedbc9dff0fffed42876ebf37c31a9654c7c625a01
SHA512 877d93b016bb568ef213e6c591a87b865244f8072862f417354b6e454b1c14f4641856f6fdf1df8dd58704c468c51db1b62c027e2d8821f6aff1b70882920a7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e49202c158825f1233cd1e161bb9708b
SHA1 1bad974f298949daafd3363cebccfa83bcc9e345
SHA256 fcfffa5f82865e551bcc55fcf243aed443db9f7cb7307ed863f94b3af54a6c7e
SHA512 ef5fd239f7006de8b64b7d2cee10764b78c90eb6bcad91a1fb249c647634ce08829b25db6f0efedf65472f9a8dc026d7cce5d5d05dc70702b104c43cc497047a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe64102d.TMP

MD5 62f6b13c3ae7ea12c57ad50ba56e8d89
SHA1 b9a8dc5078c9a2fd92aa79a5068fcf8a29621944
SHA256 4d95538aac37a1ec6860316e738848c3a7e608edc6b5d48924dc881516aec983
SHA512 99108be56a95896507679620f6392315b66d2d0e4850180b5a0d44fce27f6d578fae6caa97cbc0030be09943877210212439074b1bb934fc70f68190971cfbe9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

MD5 3bdf96b3e02075e63f1a999ff37db119
SHA1 525d559dfca20e676c4653aa9c018ef338ebf7ab
SHA256 ccf9fcac880e8e0d633944a89aa861a8d89961a981b7fa26b0d7fa3f000ca3ce
SHA512 9575019a8150769c110e0498e1758cdf9e54a5e399b3d5847d45b7d4ee8a84a83128e7cc438575f81da53769a4e8c5a84f3e0dadaa56299ad33fe426ba51d7e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fc99f179478bbcd5712791807667e460
SHA1 bf6a4b618300dff9ff5f865481d862e76268ff5d
SHA256 03571e1d3959d0ded485cc1314dbcc9fa7b886b719c385f7d19989181d975079
SHA512 55d3814144ee7673039267f2a61d71d0f29c43ea023e288cfa2488fd824d795360ed96dffe3263c17203100ce721f6f479dd80add1dd39bbe4eb075ae1741f14

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

MD5 bb46e538c5ee51265e3c7dd21d996af6
SHA1 1f1d7739e238f631b0ce8892102e8f2224009b4b
SHA256 1c54ed31c594fdb830f1da9dff6b4daac0100c5970f5401e0a5b60abbe64a446
SHA512 ef3aa68097b811dfcac683377a345291e6e2535fb91c9944a7628ff941093c5701d0f6da5d7fdf4fc552aa5486d602f803497f44c5a57a6ac57919dfd2a05c4a

C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat

MD5 b9086110e2962badf24196a0de6a0ff8
SHA1 707f02bc9c0834720db4588e9a5ff612b9e83ac3
SHA256 6aadcf84bda1fc81881dbd9bcd9371f60c0198e73b53c1e13b9c9dda32c02e63
SHA512 92462bd513e6a3e7ba40a39176732e86aa1947c0fbde6bb333f6d462f3e3af3e0798b889e595dde0fecffece88f820b76bf16d8a32042588248ab4f652b3dea2

C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe

MD5 81d94f5c09ba974ce676909fe5811817
SHA1 914b9cef5a6cea203b20658ebe6a9f696a337b82
SHA256 3c01370b6eb1f2cabac6e2afe6c9a0141544b554a3a2c146489f1111c41e39d9
SHA512 1c9e1cb31b4cbfd07d345bddaccfa6f56abb90f18bcce5583d287daa078cb73544293557e73f946355535ebb4de57b4207eee2a3e7dab8414d76c9dcd95afb45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_435F19BB71255BCD780EEF90E8C1A7FE

MD5 609ee00dc8d0c80be9a028088167f7a1
SHA1 a1991b03f27d5c735a3c35b03f14b3c7a184bc69
SHA256 d94b3a4c3f4ab3f7a0fc27d1554a99b048fa6a9a8c245ba4688a8f4012132d14
SHA512 c9caa2dd2b9aa61d73c8271b0ae81c5c37e274d595b594827f567e5867f72005c77a4217f49e3eeb554fa108c16ec85c39be22b00f5557c2108c8e2da602e545

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_435F19BB71255BCD780EEF90E8C1A7FE

MD5 17b3f5125c44a52481cc3abcb3d4181a
SHA1 0b74bfa0f60dac8000de17115661cda7526eba5c
SHA256 82dfe5fe4bab81f3acbf9de0b99705450db1b6b5c8557f50680d894eec24a950
SHA512 4f0c20f060c604f8351a45dad9e8eca15d07d89cefea91ffb74adee82e265e8e2572b8f61d40a690d6904ef892a3028dce3e420e37df0a42e36a5c71a090ead5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 c210f6689aca680446c0d8ecdef2e46b
SHA1 66cba496d984f92fed05f77101c45734f193e211
SHA256 8f8540c24fcc6ddfddbcabf8f028f8052addf41601d5226ffe378a6e7d4caf5d
SHA512 9c62a6b2a129a50e2094566d88acd7c25ee29600ed1596e6972f684edd48d11366605dca0d90133d489b51eb38bbb6c1a5ad68d0ec9f81c8d23055d03e9540b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 678f61ea30e42568194b9401aac05b06
SHA1 448db80f4f3f221e426a87f852c1a994a1a0d57f
SHA256 250c16b92379dc8d4a257e355cfbcc83af2505148c1dbf3d2416d42febac0816
SHA512 500cd25239a969479694bd8f8782fc315ec9a8b57084b70e56bba6b75715844d6f7c4c12a293f79c29b8e1f231a7a0c818ba51178c1507bd2232ec36fb5026b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 20069500756a1a645a477c9e9d57e4d0
SHA1 7d5d14a9feec763954a936318f1d9890b728622a
SHA256 0b9c59cbdac33da5e2b39a0be1bf9d5861e0188c0442cf300fcdc70cbf9a3cb7
SHA512 29ee4033c4552dde83f70d5038593efb9eb5f1afd19edbf003d3996f0615552189f9f9d08ad36628a0da1e82a10efc82233f543a0bc4d622923632228854f91a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 05e3180c2e7e4c82550b1ec617788438
SHA1 8860f4b6bdbe3335ec806c826e8eaa77c40d002c
SHA256 8d77860796749d893f6bcd8c983f03a1e26c308f6009fbb21886894b7328ef4b
SHA512 d6daac486647af9aa38f81f5aa068057529a479e4d4eb52ef00f363ed2d65a736b18e8007bcb9771f081d675bb08166ca81aae4d3e7b7582912030f07ee753f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 675b7aafdf7cf9609da75aec1d88044f
SHA1 1a391a592e48252a04067cab74e641b1968ed71a
SHA256 b0ce2796d4094e01810dcce9c5013db6436d83144a58342e4e1321d497f78d41
SHA512 ad4467d5c02e25fc19801964dd6749a073be98753d0491d9d799216b1d7492b2f7d8cbbfd31fb5e8a9aee37790160986090caad63936a487ef32fffad08735cd

C:\Program Files (x86)\NCH Software\ExpressZip\zipcloak2.exe

MD5 aa7a48540eb79ba2280f81da93c1599f
SHA1 e8856c21151b91d6a270964d5541fc09f2f05283
SHA256 39edcf477e1463ac9de52ffe4006128546cbf12a19d91b8aaf856f3c19d49aa2
SHA512 06ab843d9e8e017b1389282d5d2b005f52f5bb5a815db6f63238258888b03202adc72c415e0f682f53f00940f8acb093129254f69b638f897bd015e9c876844a

C:\Program Files (x86)\NCH Software\ExpressZip\arj.exe

MD5 014b712a9b591a14c84e7fa1dd199554
SHA1 857df15d9e55e018cc5b81c40ff4c1c649f3f01d
SHA256 00ac8169236b8f9910c661e6d8b82c2f2e5800338a9c7775d691e622f3521ac9
SHA512 f852e54a6725d5fd8d44ac07bd3ecf2519d707506beeda4d64fee2cbef0e280d0de30c4d27526539213454de272960d963d2f462c320d8d9b268865465284dab

C:\Program Files (x86)\NCH Software\ExpressZip\unzip32.dll

MD5 d636e5b90daa1596718081ede840d03f
SHA1 e5f54ee365a63ff0980f781bbc30547ed54eb12c
SHA256 59b4d9afd66d8e33c7ba2e4b8617030f364ee905410610f8c96209df62a3a734
SHA512 35ee29b25c50ef2aae22fb53077234ca5f2c8c145f95cfa03fb226b736d8f26ff1dbaed3586e93d9ac82b4aa90c64aeea3c25a3930ace993cfa9447cd501c68d

C:\Program Files (x86)\NCH Software\ExpressZip\zip32z64.dll

MD5 ce5fb67da5c10a00cf502728c63b76e5
SHA1 97e927e8a670443be87bcde1989fd2d60d705434
SHA256 8e40c7805f57da244a20ee289ca2c018b4f3fbb9047fb06fa2fed954da237b67
SHA512 c678c0e960c8473c9712239ea31d5224baf7a0f7ed05bbe69d422c045f29b5d0b664a3811a5d11ab4b0b9d0b06ad51bbb03707cd21ec36859a4bec7b4f2cb41a

C:\Program Files (x86)\NCH Software\ExpressZip\par2.exe

MD5 bafe41bcaed61df51b17f390ae1cdfe1
SHA1 c6e502cddaf9031b7fa703a289be11121b01f003
SHA256 521900b12c8734a6a56eba855c663cf49cb9b2b352c755c0cd747cbd6f18ee8f
SHA512 256338f880b5ea8f33a3b4a5b4db5341ec30c37a6c857a342bced7cc37400e51ca1678de6aec888af28f450fde90ca6381b7d8768b0162db1304689b5eddeeea

C:\Program Files (x86)\NCH Software\ExpressZip\unlha32.dll

MD5 ae041e680ae569a4860e600188fa0adf
SHA1 fc86cff5f51df5cc08b9849100e56eee9738d0d3
SHA256 126f81c57d54c1ca6bbcdd524c647af635cdb408401a5bc21216b4a0a792dc5c
SHA512 b2ab7e985f0de3dedaeccfac23d43c0b1910cba5401de19be94cf8cb3c7287c6f9a315776819c5a2c8c4c986a2de70ff568e0892cc7a277fcb37a0cb8b55e2b9

C:\Program Files (x86)\NCH Software\ExpressZip\ezcm64.dll

MD5 0216981a67cd11ee5803bb1b78f25262
SHA1 30919b9d43a65cc69ebbc50c6ce241991f64b179
SHA256 17d044f52c7ffe0b737ecfa3563d6afd2dc6a9361036b910b640e73de568b230
SHA512 153d63e3ed7ebd65eb00fd9a5eacb0fc357f374ff60b00640506930100d2661e5b6c4f504d347c02ca6e5a64b79ee612b4031adef449736ea00cb337a17afdd7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2e22d90c548c5774f1f1345e161f6476
SHA1 e0451fda429fc4a8fad8a91856e974fc06d43289
SHA256 36583f97fe5b0128129e7e2f19b1fb142731ffae7651d72ec3d89d3b05ed34bb
SHA512 ca52bc4a2acf1bb9221d873f59e0547901dec2ae82e990f5901afccf43d099ca863cb6ae81750dea4f7c1197669d3adbca2c1d3a518356a729171be4126667a9

memory/3916-641-0x0000000006E00000-0x0000000006E50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe

MD5 11eec88dbffa7ba1fc3d7f5796c2de76
SHA1 5248dde8554729b5394acf58034f2b61926c3dbc
SHA256 d5795d9b213a8405a85182f9382194b4e0742861635316356ca4dc8fd93a355a
SHA512 64cfb4417e276cbe24448784bb75f494b883875212431086eba18d2d3f5ed36f048354f38a43d9b651d9cd929f6d670ed640c4cdb459b13a3740e3a2265d9aeb

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe

MD5 e18c1989d43b3760c4b97767ba4cf877
SHA1 c683ceb15dbae84c885191806c17d1abe6b4209d
SHA256 055c7bae37fc7ea245396b51521d41d16326d3fb6e46a2d4436901c9fba922d1
SHA512 5301b5d5aa843f6ad8e08537ec88d0b8bd60996d02a9f081c6fe7ec2a2ae40129904688fb6aa573b45a5e89cac23b7648d9d038982220ab2dfe03ccdb0d5bbb6

C:\Program Files (x86)\NCH Software\Components\7zip\7z.dll

MD5 7580437d0fb8c1ae60d96dafb6883d30
SHA1 be89b488b258555a8cf971e4d29c40ce92bf881d
SHA256 3dce36d583ba1c741e95df1a265e47f0de581bef77ab48165dd67266be7a42ef
SHA512 e67be84fb4c9bc87c20b72a1169f068b0afdbc9872be2cb0bfcf9eff65b2b246c60c7237350cbb38cefc004a75645f49d30c9acab12efb0e914450886c21e1eb

C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z

MD5 c42e50792b48c1f1601103be676bd936
SHA1 1b1fd1556c42613d866b89ab51af93bb5db86b37
SHA256 188c1da51090a4625023982165ebc4cdbe34f317f13630726b9d6085e2fc415c
SHA512 23c5b2362f0b96aa55303ac3d9655ef5631076ab3da7863a3f4abe3b5de655e8b4898613784c1804cf4005edacafb299bd43637b17f381e8aa503b21d5d94303

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 a0423f1305547bb6b8f5a4fb1a9fc2d8
SHA1 092dcf1fe57e6bb53821eb754e04188ee70602d5
SHA256 6add651cb411ed9ce9a17883c1522920a6ee3b4eb676f5b411e72d1a5e7de6e8
SHA512 b8487c60b40d332e562cc5d4fc7c515e3b3c2c82311700b788905754c1376ce6f0da650583545a4691d51f04ec5da0c0204997214d167c85b788d4c85236c4c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 160d1e0d009ff6e2b6a521d1721b9be0
SHA1 20696afd2abaa4e90bb816ce943dcc09279897ba
SHA256 1f95b4f27f8f2b4c4fc0f5ed52eb0b29965c1ae2fa9cfec6f70be7c7ead7b9cb
SHA512 b8425f1d1e51d82285390e11ae0e1af185d99c1866acbeb6dd5403de890770bd44de4d7f35424bb54875196f79b772bf9e04445575e6009a152a974b6c15cb96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bd92b7cc28b14227cdc34deea80da04c
SHA1 8c03cb8a32fc605dd21fa80452c5d8014a836a85
SHA256 cccdebfce7439b4068c224002c5d182e4c19c274fe359d38020e0fd38b5aa291
SHA512 743a3025223e644f907e56c21d14038404458b7798d76e87552554dabf2810d02f8f5617f3f010b9660e7dd775d121ec1571bcf19b7c495e384d79ff7c0fe52e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4a2a2b986057f5d819a4da8aa9c2e4ae
SHA1 a87b510f1ba6fb23350e49572b97e83f904e44ce
SHA256 33a6294cf1f228b55a8cd08328b7c2f2e4880f7417d7ac69255ff355ab3b0c51
SHA512 e68645390d4bd4eba3bc359137c3e58ddae1a48e63ede7ca19dbe3165b22ded3850b61b6c31f33417e2a31d2f9d97aa85aef7b676d0cf0bf87db5225628763c0

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/5676-936-0x00000000012A0000-0x000000000147F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c6c6dd777af40003f927a4e7b684bec3
SHA1 e85f2cd3da6eb052c6d7f883f3992461c5cae575
SHA256 c481646487ae705219d997cc22ecffd246e0543ced592e915a57481878139e21
SHA512 59365bfd79d733e10edb1d8d0f4a1a6e9725c07a6074731cb27fedc319ade726de919d2de7ea1f194c78773117b2c8c47e15ab5a1015c7a37a934b1c1ff8035f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ebba0a39e27662b1d255e6b9c41b92c2
SHA1 f9b18fc1b56dadad563fc188697415d5a0ffcafa
SHA256 f82e6e2b80d5694c5caac9b1bbec7c6a2113178f9c4fa28258e61c50d5027463
SHA512 7ae40278b32cff8b2fcec6f26c111f474b6127be29f8865f4af8bce16d6c3b8aced34d52a45aacb0cb3a792737d6333c8e36e7b3db6a3eb1fabd13938a37bd21

memory/5676-973-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-974-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1094-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1096-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1099-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1097-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1095-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1093-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1092-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1090-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1089-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1100-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1098-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1091-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1088-0x00000000012A0000-0x000000000147F000-memory.dmp

memory/5676-1101-0x00000000012A0000-0x000000000147F000-memory.dmp

C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe

MD5 f10161c3acde4b7dadcd1eeddcf937f1
SHA1 ebf47c2e0916fbc430ddc8a90cdd1fe98112f979
SHA256 445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230
SHA512 5024f57f0bff356120598e7faa472c956d843d36a6d83d953c9a7345aee36a14d216f1bde61524a62a0dba4cb4fae4a67dcefaa0b2e8fa5526dfc9a218e985d9

C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe

MD5 5f7bdc962aa76f272673ffb86ae8d634
SHA1 0d78738b625c66f105c24484920a78ac02bd1533
SHA256 9482245f504dc281027c12eed58c987147b2d982c3669e1c7dca3bc0911e7b97
SHA512 62b6be5a24108c685a0824399dc78b33b5b52149d0e1b7792ac90a30d6fbd7bb2b0650563861e493c79f2313c33a2112f0bd9366e0947d24bee9b1206b4c0141

C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe

MD5 e600b6015b0312b52214f459fcc6f3c2
SHA1 0e763e33524e467b46d27e5f0603cd2165c47fed
SHA256 65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad
SHA512 b1c1a68128c2cd75df9cb1d890358fd6bb85d9a62288468a19db3295cc25e6cb97c05fa0b5bc3b1dd2b88bd39b343ce5cd1494ca8ab56352c1e375e88fe7e464

memory/5676-1133-0x00000000012A0000-0x000000000147F000-memory.dmp

C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe

MD5 aa92bc82a2b3c733b305eef3ccb7ae6e
SHA1 b52729db10f5c62ea03f4280e16cbd5304487bcb
SHA256 ee9e9a1840ff7f83b91b8eb3fc1e03df51aee5a94ac9cb3c63c0a37a9f3fcdd5
SHA512 de5d0741196ae12200d35736dc37f7d7fb809e63378ba5b0b8f0da962c608037f2e9ff6b35a371fd0a0d7182da86f3338697c47fbd246a0c1831a14edbead8b3

C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe

MD5 785a37d8d62771cc35c6f5cc145e1219
SHA1 0e35b6c575670d4e8cbe0f13e7a7db9aadc8819f
SHA256 ffb0ca6890b94342d54d26250a6c6104b9e916858fb7242b58709f38c65b93b0
SHA512 d1fa909e78ba7b9478ffd7f627873a1e0013231cb9436d9f8895b262c7e0ba3efc1225d7d9797cad774062f9781afbdefe72b0ff9b23ddf540869f7b2b11f1be

C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe

MD5 1777e41c01138cfcd1b8e4b6082ae3b1
SHA1 bf83c19106c0226d8e3e08fbbd5633ce96472bf0
SHA256 7af1ac95d468a1b0d9dfb2dbe0dba8b3aca9a09e2620a0ec35dc087f829f9401
SHA512 e44f8d2b9c5f33b48c64107b9a1c8fd0ac77bf88b465e6fcdbcc2b1b3253f71922b350048e55b6d97e938892084b0d7cc098cdd208ee1f15b9434426449fa88b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81dc876d356c4f4f684d59e466270376
SHA1 d7736cc46a7a07dbed0ce1d165346d213fc4a9c3
SHA256 dcb6efd18f2ddfb2141b84ab86fac6c153007e18396ed4a0a21d71b08d49cf49
SHA512 0eebf43e7e2a5b9ac01f43f07eeebae5e11ab802fa4999913a451259b30b6bf98e2fe130e75ef26c98a31ca72ac594f84a351d9ed19ff00d89fc4516e6e90666

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9c447089330cb72c29a0a9a9fad6274e
SHA1 e149bbce8d4bb46e808bfc531b5ed5494d7853c6
SHA256 599bbea4d39c57f45e0fc1f1e1ef4d7c9e6577972e22d2dac40dc8fdecaa492e
SHA512 34de210db207959f4d492b05bed1b2deeedf9592a6e172f00f82c622ebe47850366416f0a1694bdfa16c4ebe4ff0a2590db9831c6c168e13ffc124745a0a0e20

C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe

MD5 c883436a51137626711481fed4be79c8
SHA1 57c7e6907219e8aae747f64343066963b57508b0
SHA256 7e33a3b6de352650c44163c2ff989cad764017c508e13b240f783c08c736f2c5
SHA512 8b6c00183876d0bd712e616fcb6db3f7d5ffae4eeeb25fbf6c0a17b725b44f82cf7e2e810404560ab2373cbaf053d7baa89aa999e6c0c59161cf1bf9ab1098b9

C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe

MD5 0de88c2f978a57026e58e6ca90ae5d69
SHA1 e066a32f87292b1c50bcec3064e76f4fc0781d1a
SHA256 fab479cc1e503225be39c710a3555db1ae1f6d6acfb0504b715d2284f75e3527
SHA512 47fd6cdd95e6d08c59340b4e00fe97c4bb987cd2c11628deda02cd59c5739e990f9c94fadca37e4b7c8adb9cafbae12b69f20b569457078c159bbcb180f9163f

C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe

MD5 b5887a19fe50bfa32b524aaad0a453bc
SHA1 cd1f3905959cd596c83730a5b03ceef4e9f2a877
SHA256 fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7
SHA512 5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bd6b455197e1761130bc8eda3752ee39
SHA1 faca9abd4f6cfabc179279f05de446b1ccbb3488
SHA256 edff748a52a82842de21c82b427e0d0745517fc4bc99117539e2a751df72c523
SHA512 51d43ba6a56be77d954e838f87bc7e76edd15de5fc1cc170a97482d5c19cdccf67ec497f721c06c55363130b85f13d3964c22af7affbba537e8ad5c4523770a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1f6d7f68c3b14ee258d158047d595c25
SHA1 aa778ca15367e599b497de962226496e60545c1b
SHA256 d1b35518fa0925c5cfca502d6fe57e809674e792affd25a3c42d76f92f0d0f4b
SHA512 73e83281b25d10876a61e8c1e5eb5317954c59d921c2ce19de3b3b5cb4e3f33a2ec1469852561bd538e8048a378aed4d0093230399668496a1e461c5ec2a7931

C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe

MD5 6a94b94ba557d5d85a1da20213d48974
SHA1 a311aa3a9243849b883867fa3d772e4c4e95d080
SHA256 e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd
SHA512 a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74

C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe

MD5 a79fa370fdeecbb187f96558a76534b5
SHA1 5ef78b7d2c21882cec551528c697f12abb1f8b23
SHA256 8ed135aff12b760792f13be121120dcbedad95c2f927289bcb8ae73bc338bda1
SHA512 e9388634726560299fc31b1e181c5308ac94b31c0656c9d49e5042ca7ff5996b7068b6faf5d09da8b4f4ff3d9d287f54fa3ff79589d6975a161d855c9d9d4846

C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe

MD5 025ebe0a476fe1a27749e6da0eea724f
SHA1 fe844380280463b927b9368f9eace55eb97baab7
SHA256 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2
SHA512 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799

C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe

MD5 c4d092354c3f964ee1d9671f2517a6c9
SHA1 838f3a4d426ea72c2f5cf8164f8ff4fc9e694a1b
SHA256 1814f8b1c1223b93e9b6ae699f7f8f25fb543ad511e349f39219a4ec222f4f05
SHA512 c162ff7f53b3a095e779369fb00546dc62dcadb4e394593b40522369add2532274232bad920f5a65ab07636ed544bfce239a42d959dfea01c7c19e2bbfedd5ee

C:\Users\Admin\AppData\Local\Temp\TmpD1FD.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\ProgramData\DAC Core Library 9.5.45\DAC Core Library 9.5.45.exe

MD5 bb93e0794549090f9b51330f4cf18174
SHA1 aff16714e0aca8b6f8e86d2b34d7810bfc693e36
SHA256 969d33b5f4aedbe805282a630da8cb43c80d3d81f466c59d292ecd6682a69e1d
SHA512 2a9a3fb67009b57991872cf78c42b3d4a75085bb6afb27640f73b39bb06e7345f3143c48dd403be22dd9ea2c6e2269598e40a440fe4f27f11fdb1fd1e6bcfdca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e97992a0c79a783be7997f3b2fa0bc1f
SHA1 0b06e7475910473767d58668a770e37eea5477a3
SHA256 98f3421d02c55a67ca1517ca9a8dd7d54eb2bc6b0d37443d2af5b8e4edea1d51
SHA512 0dc4b79ac1f9f9ec8552403177e59a86ff980e903ef19cb652473768d685c8995249a727fb3df7e48d95fdb12e6dd9562501acb020966eb74965c611992b61f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 0c8f837678a0a686dbc26c6788cfb3c3
SHA1 266de6ae76db7055632146d809b7c8cc29dad1f3
SHA256 02c0d4e9c0dd918515f774ba62fb3aa1fe5c5b76a8f0f7236f5106ffa48942df
SHA512 683b97356a914d619b7e8d8f54d14f38e34250c2e182077db207934181428b3ee9f417eaf7acf088fec3d0e3c3a99e2be85cd4b174ed3d6f4c4132d294df3212

C:\ProgramData\HCFIIIJJKJKF\EBAKFI

MD5 db26309558628fa1ef6a1edd23ab2b09
SHA1 9bfb0530d0c2dcc6f9b3947bc3ca602943356368
SHA256 e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070
SHA512 4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

C:\Users\Admin\AppData\Local\Temp\tmpEAC7.tmp

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\tmpEB29.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpEB3E.tmp

MD5 f27bd194d4aa758a07c49756b4c34905
SHA1 78bba20d0bb1830d5bacabf6bed4b3b95702684b
SHA256 9cec6313a340ed6ea2d32f6a4a29bdd57fe35a4ff087d8811bbd4ad512b74451
SHA512 4e73860d71404f37b37728af9324fe663924054319c1e369efa1b6d2a7aeaeb24b35ebc4ee89fb23118fe47e9c0b9f0ac76fd4eb1c4276c28717a9ec8d8c82ea

C:\Users\Admin\AppData\Local\Temp\tmpEB5F.tmp

MD5 567e60454ed777fd39912ab26e689b80
SHA1 9cb5d0d87c1b092a0dc0256d5d8772487b834848
SHA256 23fa6ef15f88d7e3a0d0eb04b2adfe755be809e4d1543aa2b8988cdf6c2276e0
SHA512 989f0f9e231c23730c0c5f28ccbefdbc46ee5b032b2dcac7897c1e966b2d355a83248dd416508ecd562879bebfc9e61c325cf4657ff8a8ac8c8b3268c9ae1daf

C:\Users\Admin\AppData\Local\Temp\tmpEB8B.tmp

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminJJECFIECBG.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

C:\ProgramData\HCFIIIJJKJKF\BGCFBG

MD5 fe776dd032bebe227d52e0a0fce3bf43
SHA1 a681f3dc51cb61b627eab1291f0728253e2f234c
SHA256 e582d57e1b6ebcd262052d02149530a8077b4d14c6e3855fc7ebc823eca56af2
SHA512 be322e942264d9f161ad2f44b17eabcd5db36a6746db1a9f107481307081cc6d074d56f7f95eec8734a256377b73e466d89d8c20657e9bec53404ec262f50f15

C:\ProgramData\KFBFCAFCBKFI\KFBFCA

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\ProgramData\KFBFCAFCBKFI\DGCBKE

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\KFBFCAFCBKFI\IJJJEB

MD5 79ae7ac8836dadd84a38235a63831048
SHA1 55b1b4aabb5edf4e44d5211461b4d059c5e457cd
SHA256 acbfe327bd4e8c3c9f77742b5feb9733effad9e1ce4172f5f28a64dbf83aea0d
SHA512 0a9cbd3a4f4f766767218679f0fdf10404a7de18ca0f019a12867cf55cb9c233c34e11f82936cfdecd8ca1ed69694c19ae10c1456652dc92248032bf839daba1
