Analysis Overview
Threat Level: Known bad
The file https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detect Vidar Stealer
RedLine
SectopRAT
SectopRAT payload
Stealc
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Stops running service(s)
Downloads MZ/PE file
Creates new service(s)
Reads user/profile data of web browsers
Identifies Wine through registry keys
Checks BIOS information in registry
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Checks computer location settings
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Power Settings
Detected potential entity reuse from brand steam.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Browser Information Discovery
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Modifies registry class
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
NTFS ADS
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-05 21:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-05 21:46
Reported
2024-09-05 21:51
Platform
win10v2004-20240802-en
Max time kernel
216s
Max time network
281s
Command Line
Signatures
Detect Vidar Stealer
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\ExpressZipFileCompression.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ExpressZipInstall = "C:\\Users\\Admin\\Downloads\\ExpressZipFileCompression.exe" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Detected potential entity reuse from brand steam.
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NCH Software\Components\zipcloak2\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\zipcloak2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\shellmenu.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\unzip32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\zip32z64.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\7za.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7za32\__wt | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7za32\7zxa.dll | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\infozip3\zip32z64.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\arj\arj.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\shellmenua.msix | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\unlha32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7za32\7Za32.exe | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\infozip3\unzip32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\unlha32\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\par2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\zipcloak2\zipcloak2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7zip\__wt | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\arj.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\par2\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\par2\par2.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\unlha32\unlha32.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7zip\7z.dll | C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\7za32\7za.dll | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\infozip3\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\unrar.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\zlib1.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\7z.dll | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\Components\arj\9b0__wt | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe\:SmartScreen:$DATA | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\shellmenub.msix | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SourcesShowing | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| File opened for modification | C:\Windows\BehaviourVibrator | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| File opened for modification | C:\Windows\AtomBoobs | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| File opened for modification | C:\Windows\AntarcticaTucson | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| File opened for modification | C:\Windows\WonderAvailable | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| File opened for modification | C:\Windows\DecreaseHands | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\ExpressZipFileCompression.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\appget7854\File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.z\Shell\ = "Open" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.apk\Shell\open | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\deprojfile\shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dv\Shell\NCHeditvideo\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\cr3file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rar\Shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\OpenWithProgIds\NCH.ExpressZip.rar = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\deprojfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.3g2\Shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.heif | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zab\OpenWithProgIds\NCH.ExpressZip.zab = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\NCH.ExpressZip.deb | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.ogv\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.shn\Shell\NCHconvertsound\ = "Convert sound file format with Switch" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dv\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.gif\Shell\NCHslideshow | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.docx\Shell\NCHconvertdoc | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\OpenWithProgIds\NCH.ExpressZip.tgz = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\NCHconvertimage | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpeg\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind WavePad \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.VhdFile\shell\VHD File\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mpdpfile\shell\open | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.ras\ = "rasfile" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.apk\shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.vmdk\OpenWithProgIds | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.pkpass\Shell\APK Archive File\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind WavePad \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind Switch \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.gif\Shell\NCHconvertimage\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\shellex | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pkpass\shellex\ContextMenuHandlers\ExpressZip | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.m4v\Shell\NCHconvertvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rtf\Shell\NCHconvertdoc | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip\.rar\Shell | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ape\Shell\NCHconvertsound\ = "Convert sound file format with Switch" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xar | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.rpm\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rpm\Shell\RPM File\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\voxfile | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mov\Shell\NCHeditvideo | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\shellex\DropHandler\ = "{8EEA165E-0B8B-4BA7-9796-50214C767171}" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\expresszip.exe\ = "Express Zip File Compression" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\NCH.ExpressZip.zipx\shell\open\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.apk\OpenWithProgIds\NCH.ExpressZip.apk = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.z\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.z\OpenWithProgIds\NCH.ExpressZip.z = "0" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\nch.expresszip\shell\open | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\NCH.ExpressZip.xz\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.wps | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.wim\DefaultIcon\ = "C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe,4" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.xz\ = "NCH.ExpressZip.xz" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m4a\Shell\NCHeditsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind WavePad \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tgafile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.7z\DefaultIcon\ = "C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe,4" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NCH.ExpressZip.vmdk\Shell\VMDK File\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\dfxfile\shell\open\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind DeskFX \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe\" -extfind Switch \"%L\"" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4\Shell\NCHconvertvideo\command | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\Shell\NCHslideshow\ = "Create slideshow with PhotoStage" | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary blob omitted) | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary blob omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 640128.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe\:SmartScreen:$DATA | C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb057346f8,0x7ffb05734708,0x7ffb05734718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5088 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
C:\Users\Admin\Downloads\ExpressZipFileCompression.exe
"C:\Users\Admin\Downloads\ExpressZipFileCompression.exe"
C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
"C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\Downloads\ExpressZipFileCompression.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe
"C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe" -LQUIET -instby fiExpressZip -instsvar EXPRESSZIPRelatedprogramspaidon
C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe
"C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe"
C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe
"C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe" -installsched
C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe
"C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe" -LQUIET -instby coExpressZip -instsvar EXPRESSZIPRelatedprogramspaidonLLIBInstquickoffLLIBControlonHyenLLIBSpltxtfadeonEXPRESSZIPExtractfontlargeoffEXPRESSZIPIconstextoffEXPRESSZIPTvwatermarkonQvuxTKYgCG5tEXPRESSZIPAddarchtextoffEXPRESSZIPRelocateopenfiletboffEXPRESSZIPToolsencryptv3onEXPRESSZIPToolsemailv2onEXPRESSZIPClouduploadonA6lhN24gEXPRESSZIPSplitsson -instrefdata refdate%3D1725598048%26referrer%3Dhttps%253A%252F%252Fwww.bing.com%252F%26ref%3Dbingads%26ref2%3Dcf5fee8e27ff1f3873c0885401221af2%26ref3%3Dkw%253Dwinzip%2526m%253De%2526d%253Dc%2526c%253D76828563876589%2526ag%253D1668175108%26kw%3Dwinzip%26theme%3D%26pageconfig%3D%26download%3DExpressZipFileCompression%26clientid%3D%26platform%3DWin%26language%3DEN%26browser%3DEdge%26screenwidth%3D0%26screenheight%3D0%26cpucores%3D0%26webvar%3D
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\Downloads\appget7854.7z"
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\Downloads\appget7854.7z"
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" x "C:\Users\Admin\Downloads\appget7854.7z" -o"C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\" "fo1der687.7z" -aos
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z"
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" t "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -p"1234"
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -p"1234"
C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe
"C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" x "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -o"C:\Users\Admin\Downloads\appget7854" -r -i@"C:\Users\Admin\AppData\Local\Temp\expresszip7zfilelist.temp.txt" -aos -p"1234"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\appget7854\File.exe
"C:\Users\Admin\Downloads\appget7854\File.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 799275
C:\Windows\SysWOW64\findstr.exe
findstr /V "TransformationComponentBrideInvasion" Calculate
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
Saudi.pif O
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x474
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe
C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe
C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe
C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe
C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe
C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe
C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe
C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe
C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe
C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe
C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe
C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe
C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe
C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe
C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe
C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe
C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe
C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe
C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe
C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe
C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe
C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe
C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe
C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe
C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe
C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe
C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp" /SL5="$80352,3387544,54272,C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe"
C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe
"C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe
"C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe
"C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe" -i
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJECFIECBG.exe"
C:\Users\AdminJJECFIECBG.exe
"C:\Users\AdminJJECFIECBG.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAKFCGCGI.exe"
C:\Users\AdminFCAKFCGCGI.exe
"C:\Users\AdminFCAKFCGCGI.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1352
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HCFIIIJJKJKF" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
"C:\ProgramData\xprfjygruytr\etzpikspwykg.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3560 -ip 3560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1480
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
Files
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/5676-936-0x00000000012A0000-0x000000000147F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c6c6dd777af40003f927a4e7b684bec3 |
| SHA1 | e85f2cd3da6eb052c6d7f883f3992461c5cae575 |
| SHA256 | c481646487ae705219d997cc22ecffd246e0543ced592e915a57481878139e21 |
| SHA512 | 59365bfd79d733e10edb1d8d0f4a1a6e9725c07a6074731cb27fedc319ade726de919d2de7ea1f194c78773117b2c8c47e15ab5a1015c7a37a934b1c1ff8035f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ebba0a39e27662b1d255e6b9c41b92c2 |
| SHA1 | f9b18fc1b56dadad563fc188697415d5a0ffcafa |
| SHA256 | f82e6e2b80d5694c5caac9b1bbec7c6a2113178f9c4fa28258e61c50d5027463 |
| SHA512 | 7ae40278b32cff8b2fcec6f26c111f474b6127be29f8865f4af8bce16d6c3b8aced34d52a45aacb0cb3a792737d6333c8e36e7b3db6a3eb1fabd13938a37bd21 |
memory/5676-973-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-974-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1094-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1096-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1099-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1097-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1095-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1093-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1092-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1090-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1089-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1100-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1098-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1091-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1088-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1101-0x00000000012A0000-0x000000000147F000-memory.dmp
C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe
| MD5 | f10161c3acde4b7dadcd1eeddcf937f1 |
| SHA1 | ebf47c2e0916fbc430ddc8a90cdd1fe98112f979 |
| SHA256 | 445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230 |
| SHA512 | 5024f57f0bff356120598e7faa472c956d843d36a6d83d953c9a7345aee36a14d216f1bde61524a62a0dba4cb4fae4a67dcefaa0b2e8fa5526dfc9a218e985d9 |
C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe
| MD5 | 5f7bdc962aa76f272673ffb86ae8d634 |
| SHA1 | 0d78738b625c66f105c24484920a78ac02bd1533 |
| SHA256 | 9482245f504dc281027c12eed58c987147b2d982c3669e1c7dca3bc0911e7b97 |
| SHA512 | 62b6be5a24108c685a0824399dc78b33b5b52149d0e1b7792ac90a30d6fbd7bb2b0650563861e493c79f2313c33a2112f0bd9366e0947d24bee9b1206b4c0141 |
C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe
| MD5 | e600b6015b0312b52214f459fcc6f3c2 |
| SHA1 | 0e763e33524e467b46d27e5f0603cd2165c47fed |
| SHA256 | 65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad |
| SHA512 | b1c1a68128c2cd75df9cb1d890358fd6bb85d9a62288468a19db3295cc25e6cb97c05fa0b5bc3b1dd2b88bd39b343ce5cd1494ca8ab56352c1e375e88fe7e464 |
memory/5676-1133-0x00000000012A0000-0x000000000147F000-memory.dmp
C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe
| MD5 | aa92bc82a2b3c733b305eef3ccb7ae6e |
| SHA1 | b52729db10f5c62ea03f4280e16cbd5304487bcb |
| SHA256 | ee9e9a1840ff7f83b91b8eb3fc1e03df51aee5a94ac9cb3c63c0a37a9f3fcdd5 |
| SHA512 | de5d0741196ae12200d35736dc37f7d7fb809e63378ba5b0b8f0da962c608037f2e9ff6b35a371fd0a0d7182da86f3338697c47fbd246a0c1831a14edbead8b3 |
C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe
| MD5 | 785a37d8d62771cc35c6f5cc145e1219 |
| SHA1 | 0e35b6c575670d4e8cbe0f13e7a7db9aadc8819f |
| SHA256 | ffb0ca6890b94342d54d26250a6c6104b9e916858fb7242b58709f38c65b93b0 |
| SHA512 | d1fa909e78ba7b9478ffd7f627873a1e0013231cb9436d9f8895b262c7e0ba3efc1225d7d9797cad774062f9781afbdefe72b0ff9b23ddf540869f7b2b11f1be |
C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe
| MD5 | 1777e41c01138cfcd1b8e4b6082ae3b1 |
| SHA1 | bf83c19106c0226d8e3e08fbbd5633ce96472bf0 |
| SHA256 | 7af1ac95d468a1b0d9dfb2dbe0dba8b3aca9a09e2620a0ec35dc087f829f9401 |
| SHA512 | e44f8d2b9c5f33b48c64107b9a1c8fd0ac77bf88b465e6fcdbcc2b1b3253f71922b350048e55b6d97e938892084b0d7cc098cdd208ee1f15b9434426449fa88b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 81dc876d356c4f4f684d59e466270376 |
| SHA1 | d7736cc46a7a07dbed0ce1d165346d213fc4a9c3 |
| SHA256 | dcb6efd18f2ddfb2141b84ab86fac6c153007e18396ed4a0a21d71b08d49cf49 |
| SHA512 | 0eebf43e7e2a5b9ac01f43f07eeebae5e11ab802fa4999913a451259b30b6bf98e2fe130e75ef26c98a31ca72ac594f84a351d9ed19ff00d89fc4516e6e90666 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 9c447089330cb72c29a0a9a9fad6274e |
| SHA1 | e149bbce8d4bb46e808bfc531b5ed5494d7853c6 |
| SHA256 | 599bbea4d39c57f45e0fc1f1e1ef4d7c9e6577972e22d2dac40dc8fdecaa492e |
| SHA512 | 34de210db207959f4d492b05bed1b2deeedf9592a6e172f00f82c622ebe47850366416f0a1694bdfa16c4ebe4ff0a2590db9831c6c168e13ffc124745a0a0e20 |
C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe
| MD5 | c883436a51137626711481fed4be79c8 |
| SHA1 | 57c7e6907219e8aae747f64343066963b57508b0 |
| SHA256 | 7e33a3b6de352650c44163c2ff989cad764017c508e13b240f783c08c736f2c5 |
| SHA512 | 8b6c00183876d0bd712e616fcb6db3f7d5ffae4eeeb25fbf6c0a17b725b44f82cf7e2e810404560ab2373cbaf053d7baa89aa999e6c0c59161cf1bf9ab1098b9 |
C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe
| MD5 | 0de88c2f978a57026e58e6ca90ae5d69 |
| SHA1 | e066a32f87292b1c50bcec3064e76f4fc0781d1a |
| SHA256 | fab479cc1e503225be39c710a3555db1ae1f6d6acfb0504b715d2284f75e3527 |
| SHA512 | 47fd6cdd95e6d08c59340b4e00fe97c4bb987cd2c11628deda02cd59c5739e990f9c94fadca37e4b7c8adb9cafbae12b69f20b569457078c159bbcb180f9163f |
C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe
| MD5 | b5887a19fe50bfa32b524aaad0a453bc |
| SHA1 | cd1f3905959cd596c83730a5b03ceef4e9f2a877 |
| SHA256 | fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7 |
| SHA512 | 5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bd6b455197e1761130bc8eda3752ee39 |
| SHA1 | faca9abd4f6cfabc179279f05de446b1ccbb3488 |
| SHA256 | edff748a52a82842de21c82b427e0d0745517fc4bc99117539e2a751df72c523 |
| SHA512 | 51d43ba6a56be77d954e838f87bc7e76edd15de5fc1cc170a97482d5c19cdccf67ec497f721c06c55363130b85f13d3964c22af7affbba537e8ad5c4523770a9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1f6d7f68c3b14ee258d158047d595c25 |
| SHA1 | aa778ca15367e599b497de962226496e60545c1b |
| SHA256 | d1b35518fa0925c5cfca502d6fe57e809674e792affd25a3c42d76f92f0d0f4b |
| SHA512 | 73e83281b25d10876a61e8c1e5eb5317954c59d921c2ce19de3b3b5cb4e3f33a2ec1469852561bd538e8048a378aed4d0093230399668496a1e461c5ec2a7931 |
C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe
| MD5 | 6a94b94ba557d5d85a1da20213d48974 |
| SHA1 | a311aa3a9243849b883867fa3d772e4c4e95d080 |
| SHA256 | e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd |
| SHA512 | a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74 |
C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe
| MD5 | a79fa370fdeecbb187f96558a76534b5 |
| SHA1 | 5ef78b7d2c21882cec551528c697f12abb1f8b23 |
| SHA256 | 8ed135aff12b760792f13be121120dcbedad95c2f927289bcb8ae73bc338bda1 |
| SHA512 | e9388634726560299fc31b1e181c5308ac94b31c0656c9d49e5042ca7ff5996b7068b6faf5d09da8b4f4ff3d9d287f54fa3ff79589d6975a161d855c9d9d4846 |
C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe
| MD5 | c4d092354c3f964ee1d9671f2517a6c9 |
| SHA1 | 838f3a4d426ea72c2f5cf8164f8ff4fc9e694a1b |
| SHA256 | 1814f8b1c1223b93e9b6ae699f7f8f25fb543ad511e349f39219a4ec222f4f05 |
| SHA512 | c162ff7f53b3a095e779369fb00546dc62dcadb4e394593b40522369add2532274232bad920f5a65ab07636ed544bfce239a42d959dfea01c7c19e2bbfedd5ee |
memory/5676-1480-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1478-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1486-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1482-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1500-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1502-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/4528-1504-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2068-1506-0x0000000000F00000-0x0000000001595000-memory.dmp
memory/5412-1508-0x0000000000170000-0x00000000004DC000-memory.dmp
memory/6064-1510-0x0000000000690000-0x0000000000ED2000-memory.dmp
memory/5412-1514-0x0000000005770000-0x0000000005D14000-memory.dmp
memory/5680-1513-0x000002138E390000-0x000002138E3AE000-memory.dmp
memory/5412-1512-0x0000000004FD0000-0x00000000050DA000-memory.dmp
memory/5412-1509-0x0000000004F10000-0x0000000004FAC000-memory.dmp
memory/6076-1503-0x00000000000C0000-0x00000000009C8000-memory.dmp
memory/5676-1496-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1498-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1494-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1492-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1490-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1488-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-1484-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5064-1519-0x0000000000400000-0x0000000000657000-memory.dmp
memory/6076-1524-0x0000000001330000-0x0000000001331000-memory.dmp
memory/6076-1525-0x00000000000C0000-0x00000000009C8000-memory.dmp
memory/5204-1539-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3092-1542-0x0000000000400000-0x0000000000490000-memory.dmp
memory/3092-1541-0x0000000000400000-0x0000000000490000-memory.dmp
memory/6064-1538-0x0000000005920000-0x0000000005942000-memory.dmp
memory/6064-1530-0x0000000005BB0000-0x0000000005D60000-memory.dmp
memory/5928-1526-0x00000000004F0000-0x0000000000548000-memory.dmp
memory/5064-1521-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5064-1518-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5412-1517-0x0000000004EB0000-0x0000000004ED2000-memory.dmp
memory/5680-1516-0x000002138FD50000-0x000002138FD8C000-memory.dmp
memory/5680-1515-0x000002138E3F0000-0x000002138E402000-memory.dmp
memory/2068-1563-0x0000000000F00000-0x0000000001595000-memory.dmp
memory/5204-1556-0x0000000005320000-0x00000000053B2000-memory.dmp
memory/5032-1554-0x0000000000620000-0x00000000006A4000-memory.dmp
memory/3440-1557-0x00007FFB14D90000-0x00007FFB14D92000-memory.dmp
memory/3092-1555-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4136-1553-0x0000000000480000-0x00000000004CE000-memory.dmp
memory/2912-1567-0x0000000000F70000-0x0000000000FAA000-memory.dmp
memory/5388-1604-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2720-1621-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5204-1631-0x0000000006730000-0x000000000674E000-memory.dmp
memory/1524-1634-0x0000000000400000-0x0000000000643000-memory.dmp
memory/5204-1642-0x0000000006D70000-0x0000000007388000-memory.dmp
memory/5204-1644-0x0000000006800000-0x0000000006812000-memory.dmp
memory/1656-1647-0x0000000000400000-0x0000000000619000-memory.dmp
memory/1656-1648-0x0000000000400000-0x0000000000619000-memory.dmp
memory/5204-1646-0x00000000069D0000-0x0000000006A1C000-memory.dmp
memory/5204-1645-0x0000000006860000-0x000000000689C000-memory.dmp
memory/5204-1643-0x00000000068C0000-0x00000000069CA000-memory.dmp
memory/1524-1636-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2720-1618-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2720-1615-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5204-1587-0x00000000060A0000-0x0000000006116000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpD1FD.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3440-1564-0x0000000140000000-0x0000000141999000-memory.dmp
memory/5204-1566-0x00000000053E0000-0x00000000053EA000-memory.dmp
C:\ProgramData\DAC Core Library 9.5.45\DAC Core Library 9.5.45.exe
| MD5 | bb93e0794549090f9b51330f4cf18174 |
| SHA1 | aff16714e0aca8b6f8e86d2b34d7810bfc693e36 |
| SHA256 | 969d33b5f4aedbe805282a630da8cb43c80d3d81f466c59d292ecd6682a69e1d |
| SHA512 | 2a9a3fb67009b57991872cf78c42b3d4a75085bb6afb27640f73b39bb06e7345f3143c48dd403be22dd9ea2c6e2269598e40a440fe4f27f11fdb1fd1e6bcfdca |
memory/5064-1652-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5680-1653-0x00000213A89E0000-0x00000213A8BA2000-memory.dmp
memory/5680-1654-0x00000213A90E0000-0x00000213A9608000-memory.dmp
memory/5680-1655-0x00000213A8660000-0x00000213A86D6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e97992a0c79a783be7997f3b2fa0bc1f |
| SHA1 | 0b06e7475910473767d58668a770e37eea5477a3 |
| SHA256 | 98f3421d02c55a67ca1517ca9a8dd7d54eb2bc6b0d37443d2af5b8e4edea1d51 |
| SHA512 | 0dc4b79ac1f9f9ec8552403177e59a86ff980e903ef19cb652473768d685c8995249a727fb3df7e48d95fdb12e6dd9562501acb020966eb74965c611992b61f7 |
memory/5680-1666-0x00000213A8630000-0x00000213A864E000-memory.dmp
memory/5064-1665-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5064-1667-0x0000000022530000-0x000000002278F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 0c8f837678a0a686dbc26c6788cfb3c3 |
| SHA1 | 266de6ae76db7055632146d809b7c8cc29dad1f3 |
| SHA256 | 02c0d4e9c0dd918515f774ba62fb3aa1fe5c5b76a8f0f7236f5106ffa48942df |
| SHA512 | 683b97356a914d619b7e8d8f54d14f38e34250c2e182077db207934181428b3ee9f417eaf7acf088fec3d0e3c3a99e2be85cd4b174ed3d6f4c4132d294df3212 |
C:\ProgramData\HCFIIIJJKJKF\EBAKFI
| MD5 | db26309558628fa1ef6a1edd23ab2b09 |
| SHA1 | 9bfb0530d0c2dcc6f9b3947bc3ca602943356368 |
| SHA256 | e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070 |
| SHA512 | 4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c |
C:\Users\Admin\AppData\Local\Temp\tmpEAC7.tmp
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\tmpEB29.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpEB3E.tmp
| MD5 | f27bd194d4aa758a07c49756b4c34905 |
| SHA1 | 78bba20d0bb1830d5bacabf6bed4b3b95702684b |
| SHA256 | 9cec6313a340ed6ea2d32f6a4a29bdd57fe35a4ff087d8811bbd4ad512b74451 |
| SHA512 | 4e73860d71404f37b37728af9324fe663924054319c1e369efa1b6d2a7aeaeb24b35ebc4ee89fb23118fe47e9c0b9f0ac76fd4eb1c4276c28717a9ec8d8c82ea |
memory/5680-1834-0x00000213A8750000-0x00000213A87A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEB5F.tmp
| MD5 | 567e60454ed777fd39912ab26e689b80 |
| SHA1 | 9cb5d0d87c1b092a0dc0256d5d8772487b834848 |
| SHA256 | 23fa6ef15f88d7e3a0d0eb04b2adfe755be809e4d1543aa2b8988cdf6c2276e0 |
| SHA512 | 989f0f9e231c23730c0c5f28ccbefdbc46ee5b032b2dcac7897c1e966b2d355a83248dd416508ecd562879bebfc9e61c325cf4657ff8a8ac8c8b3268c9ae1daf |
C:\Users\Admin\AppData\Local\Temp\tmpEB8B.tmp
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
memory/5388-1894-0x0000000008DA0000-0x0000000008E06000-memory.dmp
memory/5204-1917-0x0000000007590000-0x00000000075E0000-memory.dmp
memory/5388-1926-0x0000000009E60000-0x000000000A022000-memory.dmp
memory/5388-1927-0x000000000A560000-0x000000000AA8C000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminJJECFIECBG.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
memory/1656-2015-0x0000000000400000-0x0000000000619000-memory.dmp
memory/5516-2020-0x00000000000D0000-0x000000000012A000-memory.dmp
C:\ProgramData\HCFIIIJJKJKF\BGCFBG
| MD5 | fe776dd032bebe227d52e0a0fce3bf43 |
| SHA1 | a681f3dc51cb61b627eab1291f0728253e2f234c |
| SHA256 | e582d57e1b6ebcd262052d02149530a8077b4d14c6e3855fc7ebc823eca56af2 |
| SHA512 | be322e942264d9f161ad2f44b17eabcd5db36a6746db1a9f107481307081cc6d074d56f7f95eec8734a256377b73e466d89d8c20657e9bec53404ec262f50f15 |
C:\ProgramData\KFBFCAFCBKFI\KFBFCA
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\ProgramData\KFBFCAFCBKFI\DGCBKE
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\ProgramData\KFBFCAFCBKFI\IJJJEB
| MD5 | 79ae7ac8836dadd84a38235a63831048 |
| SHA1 | 55b1b4aabb5edf4e44d5211461b4d059c5e457cd |
| SHA256 | acbfe327bd4e8c3c9f77742b5feb9733effad9e1ce4172f5f28a64dbf83aea0d |
| SHA512 | 0a9cbd3a4f4f766767218679f0fdf10404a7de18ca0f019a12867cf55cb9c233c34e11f82936cfdecd8ca1ed69694c19ae10c1456652dc92248032bf839daba1 |
memory/6076-2216-0x00000000000C0000-0x00000000009C8000-memory.dmp
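The listing above is raw sandbox output: each dropped-file path is followed by its digests, and each `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` line is one dumped region of a live process. As an added example that is not part of the original report and not the sandbox vendor's code, the following Python turns a listing in this shape into something a responder can act on: it binds the hash rows to their file path, groups memory dumps by PID and de-duplicates repeated ranges (PID 5676's region from 0x12A0000 to 0x147F000 is dumped dozens of times above), and sets aside the Edge profile files, which the sandboxed browser rewrites on every detonation and whose hashes therefore do not travel between runs. Which paths count as noise is a judgement call made here, not something the report states; the `NOISE_MARKERS` list and the `SAMPLE` input are constructed from lines on this page.

```python
"""Turn a Triage-style dropped-file / memory-dump listing into hunt-ready records.

Added example; not part of the sandbox report and not the sandbox vendor's code.
"""
import re
from dataclasses import dataclass, field

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption: files under these paths are browser/OS state that the sandboxed Edge
# rewrites on every detonation, so their digests are not transferable indicators.
NOISE_MARKERS = (r"\Microsoft\Edge\User Data", r"\Microsoft\Spelling")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex digest

    @property
    def is_noise(self) -> bool:
        return any(marker in self.path for marker in NOISE_MARKERS)


@dataclass(frozen=True)
class MemRegion:
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions, orphan_rows). Hash rows bind to the most recent path line;
    a hash row with no preceding path (a listing cut mid-entry) is reported, not dropped."""
    files, regions, orphans, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            regions.append(MemRegion(int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)))
            current = None          # a dump line closes the current file entry
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            if current is None:
                orphans.append(line)
            else:
                current.hashes[algo] = digest
            continue
        current = DroppedFile(line)   # anything else is a dropped-file path
        files.append(current)
    return files, regions, orphans


def hunt_hashes(files, algo="SHA256"):
    """Sorted, de-duplicated digests of the dropped files worth hunting for."""
    return sorted({f.hashes[algo] for f in files if algo in f.hashes and not f.is_noise})


def regions_by_pid(regions):
    """Distinct dumped regions per PID; the report lists the same range many times."""
    grouped = {}
    for r in regions:
        grouped.setdefault(r.pid, set()).add(r)
    return grouped


# Constructed sample: a handful of lines copied from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe
| MD5 | 11eec88dbffa7ba1fc3d7f5796c2de76 |
| SHA1 | 5248dde8554729b5394acf58034f2b61926c3dbc |
| SHA256 | d5795d9b213a8405a85182f9382194b4e0742861635316356ca4dc8fd93a355a |
memory/5676-936-0x00000000012A0000-0x000000000147F000-memory.dmp
memory/5676-973-0x00000000012A0000-0x000000000147F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c6c6dd777af40003f927a4e7b684bec3 |
| SHA256 | c481646487ae705219d997cc22ecffd246e0543ced592e915a57481878139e21 |
C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe
| MD5 | f10161c3acde4b7dadcd1eeddcf937f1 |
| SHA256 | 445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230 |
C:\ProgramData\mozglue.dll
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
memory/4528-1504-0x0000000000400000-0x0000000000414000-memory.dmp
"""

if __name__ == "__main__":
    files, regions, orphans = parse_listing(SAMPLE)
    for h in hunt_hashes(files):
        print("sha256", h)
    for pid, regs in sorted(regions_by_pid(regions).items()):
        for r in sorted(regs, key=lambda r: r.start):
            print(f"pid {pid}: 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
```

Run against the full listing, `hunt_hashes` gives a block list of the executables and DLLs written to `Documents\iofolko5`, `ProgramData` and `Temp`, while `regions_by_pid` collapses the repeated dumps into one range per process, which is the set a responder would pull out of memory rather than dozens of identical files. Orphaned hash rows (the three at the top of this section, whose path line sits above the excerpt) are returned separately so nothing is silently discarded.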