Analysis Overview
SHA256
98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
Threat Level: Known bad
The file NewTextDocument.exe was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Lumma Stealer, LummaC
Amadey
RedLine
SectopRAT payload
RedLine payload
Vidar
Detect Vidar Stealer
SectopRAT
AgentTesla
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Deletes shadow copies
Renames multiple (7760) files with added filename extension
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Identifies Wine through registry keys
Drops desktop.ini file(s)
Power Settings
Enumerates connected drives
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Program Files directory
Launches sc.exe
Embeds OpenSSL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Delays execution with timeout.exe
Checks processor information in registry
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 08:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 08:54
Reported
2024-09-09 08:56
Platform
win10v2004-20240802-en
Max time kernel
18s
Max time network
151s
Command Line
Signatures
AgentTesla
Amadey
Avoslocker Ransomware
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (7760) files with added filename extension
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3748 set thread context of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3260 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4068 set thread context of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_single_filetype.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\uk-UA\wmpnssui.dll.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\uk-UA\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\defaultagent.ini | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\DenyExpand.php | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main.css | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\bn-IN.pak | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\vi.pak | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\modules\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\Offline\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-64_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\v.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\l.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\s.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe
"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"
C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
"C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
C:\Users\Admin\AppData\Local\Temp\a\s.exe
"C:\Users\Admin\AppData\Local\Temp\a\s.exe"
C:\Users\Admin\AppData\Local\Temp\a\v.exe
"C:\Users\Admin\AppData\Local\Temp\a\v.exe"
C:\Users\Admin\AppData\Local\Temp\a\l.exe
"C:\Users\Admin\AppData\Local\Temp\a\l.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe
"C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c wmic shadowcopy delete /nointeractive
C:\Windows\SYSTEM32\cmd.exe
cmd /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\cmd.exe
cmd /c bcdedit /set {default} recoveryenabled No
C:\Windows\SYSTEM32\cmd.exe
cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\cmd.exe
cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Users\Admin\AppData\Local\Temp\a\fugu.exe
"C:\Users\Admin\AppData\Local\Temp\a\fugu.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe
"C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Users\Admin\AppData\Local\Temp\a\66dcab0bcba58_crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\66dcab0bcba58_crypted.exe"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\434945227.png /f
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Users\Admin\AppData\Local\Temp\a\66dd2c2d3b88f_opera.exe
"C:\Users\Admin\AppData\Local\Temp\a\66dd2c2d3b88f_opera.exe"
C:\Users\Admin\AppData\Local\Temp\a\66dcad8f5f33a_crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\66dcad8f5f33a_crypted.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\JEGDGIIJJE.exe"
C:\ProgramData\JEGDGIIJJE.exe
"C:\ProgramData\JEGDGIIJJE.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9f612cc40,0x7ff9f612cc4c,0x7ff9f612cc58
C:\Users\Admin\AppData\Roaming\1000026000\c2f184ac9f.exe
"C:\Users\Admin\AppData\Roaming\1000026000\c2f184ac9f.exe"
C:\ProgramData\IEHJJECBKK.exe
"C:\ProgramData\IEHJJECBKK.exe"
C:\Users\Admin\AppData\Local\Temp\1000030001\57725f46c1.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\57725f46c1.exe"
C:\Users\Admin\AppData\Local\Temp\a\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\a\Installer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\AAEBAKKJKK.exe
"C:\ProgramData\AAEBAKKJKK.exe"
C:\Users\Admin\AppData\Local\Temp\1000033001\3ebb97c342.exe
"C:\Users\Admin\AppData\Local\Temp\1000033001\3ebb97c342.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RRTELIGS"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHCGIIDGDAK" & exit
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RRTELIGS"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe
"C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe
"C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe
"C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe
"C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"
C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe
"C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe"
C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe"
C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe
"C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Users\Admin\AppData\Local\Temp\a\ywp.exe
"C:\Users\Admin\AppData\Local\Temp\a\ywp.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe
"C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 45.9.148.254:80 | 45.9.148.254 | tcp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.148.9.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | voinformatica.com.pt | udp |
| PT | 80.172.227.23:443 | voinformatica.com.pt | tcp |
| US | 8.8.8.8:53 | 23.227.172.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| GB | 89.197.154.116:80 | 89.197.154.116 | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | ignoracndwko.shop | udp |
| US | 172.67.207.50:443 | ignoracndwko.shop | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 116.154.197.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | preachstrwnwjw.shop | udp |
| US | 172.67.147.51:443 | preachstrwnwjw.shop | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.44.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | complainnykso.shop | udp |
| US | 172.67.151.164:443 | complainnykso.shop | tcp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | basedsymsotp.shop | udp |
| US | 104.21.78.130:443 | basedsymsotp.shop | tcp |
| US | 8.8.8.8:53 | 164.151.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.78.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | charistmatwio.shop | udp |
| US | 104.21.90.30:443 | charistmatwio.shop | tcp |
| US | 8.8.8.8:53 | grassemenwji.shop | udp |
| US | 104.21.48.158:443 | grassemenwji.shop | tcp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 30.90.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.godaddy.com | udp |
| US | 192.124.249.41:80 | crl.godaddy.com | tcp |
| US | 8.8.8.8:53 | stitchmiscpaew.shop | udp |
| US | 172.67.136.135:443 | stitchmiscpaew.shop | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 135.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | commisionipwn.shop | udp |
| US | 104.21.38.33:443 | commisionipwn.shop | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | 33.38.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.179.107.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 104.21.39.10:443 | tenntysjuxmz.shop | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | 10.39.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| IR | 37.156.29.141:80 | 37.156.29.141 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | 141.29.156.37.in-addr.arpa | udp |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| DE | 91.107.179.108:443 | tcp | |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| PT | 80.172.227.23:443 | voinformatica.com.pt | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| DE | 91.107.179.108:443 | tcp | |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 172.67.207.50:443 | ignoracndwko.shop | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 172.67.147.51:443 | preachstrwnwjw.shop | tcp |
| US | 172.67.151.164:443 | complainnykso.shop | tcp |
| DE | 91.107.179.108:443 | tcp | |
| US | 104.21.78.130:443 | basedsymsotp.shop | tcp |
| US | 104.21.90.30:443 | charistmatwio.shop | tcp |
| US | 8.8.8.8:53 | gacan.zapto.org | udp |
| US | 104.21.48.158:443 | grassemenwji.shop | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 172.67.136.135:443 | stitchmiscpaew.shop | tcp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.21.38.33:443 | commisionipwn.shop | tcp |
| US | 8.8.8.8:53 | 10.126.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 104.21.39.10:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 12.179.89.13.in-addr.arpa | udp |
| NL | 91.92.253.107:1334 | tcp | |
| SE | 5.42.92.222:7880 | tcp | |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| NL | 91.92.253.107:1334 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 29.73.42.20.in-addr.arpa | udp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | ipvplasticos.com | udp |
| US | 147.135.121.216:80 | ipvplasticos.com | tcp |
| RO | 65.38.121.166:8568 | 65.38.121.166 | tcp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 166.121.38.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.121.135.147.in-addr.arpa | udp |
| NL | 91.92.253.107:1334 | tcp | |
| GB | 89.197.154.115:80 | 89.197.154.115 | tcp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 115.154.197.89.in-addr.arpa | udp |
| CH | 147.45.44.131:80 | 147.45.44.131 | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| CN | 106.13.33.204:443 | tcp | |
| US | 8.8.8.8:53 | 131.44.45.147.in-addr.arpa | udp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 52.168.117.173:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | limitadmitiwo.shop | udp |
| US | 172.67.188.237:443 | limitadmitiwo.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | 173.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.188.67.172.in-addr.arpa | udp |
| US | 52.168.117.173:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 8.8.8.8:53 | evoliutwoqm.shop | udp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 8.8.8.8:53 | stagedchheiqwo.shop | udp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 8.8.8.8:53 | caffegclasiqwp.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 52.168.117.173:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 104.21.39.10:443 | tenntysjuxmz.shop | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| NL | 91.92.253.107:1334 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 52.168.117.172:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 8.8.8.8:53 | 172.117.168.52.in-addr.arpa | udp |
| SE | 5.42.92.222:7880 | tcp | |
| US | 52.168.117.172:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.20:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| NL | 91.92.253.107:1334 | tcp | |
| US | 8.8.8.8:53 | 20.173.189.20.in-addr.arpa | udp |
| US | 20.189.173.20:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 20.189.173.20:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 20.189.173.20:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| NL | 91.92.253.107:1334 | tcp | |
| CN | 111.229.236.116:443 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 52.168.117.173:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 89.197.154.115:7700 | tcp | |
| US | 52.168.117.173:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | download.microsoft.com | udp |
| GB | 2.18.109.111:443 | download.microsoft.com | tcp |
| US | 8.8.8.8:53 | 111.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gitlab.com | udp |
| US | 172.65.251.78:443 | gitlab.com | tcp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 78.251.65.172.in-addr.arpa | udp |
| NL | 91.92.253.107:1334 | tcp | |
| US | 8.8.8.8:53 | 94.16.208.104.in-addr.arpa | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| NL | 91.92.253.107:1334 | tcp | |
| SE | 5.42.92.222:7880 | tcp | |
| US | 8.8.8.8:53 | www.pdf-conversa.com | udp |
| DE | 217.160.0.68:80 | www.pdf-conversa.com | tcp |
| US | 8.8.8.8:53 | 68.0.160.217.in-addr.arpa | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
Files
memory/2652-0-0x00007FF9FB7D3000-0x00007FF9FB7D5000-memory.dmp
memory/2652-1-0x00000000009A0000-0x00000000009A8000-memory.dmp
memory/2652-2-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
| MD5 | 54d967f9eb61177beabd0c5c826fd4c6 |
| SHA1 | 01f797c0cca83c2f23050977a29bde11f336b781 |
| SHA256 | 5b9481d9022b0efcaed04513d338048de4aa3e1328bacc0966486ef322c0d086 |
| SHA512 | a606421bd73cd192a61748ffed9b0be05433ba35b4c7e79fa5a8d811aac6036d61a5c5e803b413ca659c6d8365941e34b0af0409a1a85d4efe6dd97eeea5a111 |
C:\Users\Admin\AppData\Local\Temp\a\s.exe
| MD5 | 45fb3cd11b294fe8a05691cdab474786 |
| SHA1 | cfec8cb59f94b534280f47fcadd68af89107f124 |
| SHA256 | b16ef1bdc9bcba0db197bba5bca6fa08ece713de76412e6bea6de5a8dab2af6f |
| SHA512 | e1e26c7706f8d74ae1a0d6d9b1765ee81440746428ea9c6ca9127326dc8fdb2b2419a79109734848978866f52741902f99031b47cb2c9a09427e5a13f51f1f81 |
C:\Users\Admin\AppData\Local\Temp\a\v.exe
| MD5 | 65208d6a2c36c758bab95b17fb22e19e |
| SHA1 | ef43d4bae09cfeaff0396f339056ac64437cd36e |
| SHA256 | 1071d6290a7dd366135a37c2667366e6642d719c34f25a6ed02bba9de9fa99d0 |
| SHA512 | 23223f7571699ba9e654bad651a9b23876dc286d72676a60d93466cbc6cc7bb7a514686d107dd769526874aac84d8c56fee7e7b54d1cf78cba08a38e8bda9e85 |
memory/3748-35-0x000000007466E000-0x000000007466F000-memory.dmp
memory/3748-39-0x0000000000C30000-0x0000000000C68000-memory.dmp
memory/3260-38-0x0000000000330000-0x000000000037A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\l.exe
| MD5 | 1c67f687230addd2815b74bc892a047f |
| SHA1 | 38f238cad4286ea4ef25d909979b5cd456a7cac5 |
| SHA256 | 2c0f008432d2604d3578b9ba1f896ecaff4add7d6ece6051f5940de892c26c91 |
| SHA512 | 1c5cabf89e98a2d87aca4143b93db5dc9b1c0c9c2557052abe888422afc4e79dd9a641122bd0bbb92d13049b5c7fea8014f4945efbf23c5dd33703f99d80f6b0 |
memory/2880-53-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2372-55-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2880-58-0x0000000000400000-0x0000000000657000-memory.dmp
memory/3428-69-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe
| MD5 | 8da384b2427b8397a5934182c159c257 |
| SHA1 | 7bcd2d32a19c1ac7bd014dc9e64b806fdff5f5de |
| SHA256 | f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78 |
| SHA512 | 3c4b1736efa48a4897769f12df488e60737523eaffc886ecfbd5b7191f058749bdb4a36feb067e8ca0ef418a7602b3390b6cf465412b88a4ba2fce8a4d670a89 |
memory/3428-67-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3428-64-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2880-60-0x0000000000400000-0x0000000000657000-memory.dmp
memory/4068-57-0x00000000004E0000-0x0000000000534000-memory.dmp
memory/2372-51-0x0000000000400000-0x0000000000643000-memory.dmp
memory/6824-8768-0x0000000000230000-0x00000000008BE000-memory.dmp
memory/840-15609-0x00000188564E0000-0x0000018856502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\fugu.exe
| MD5 | bedf1e9ec2eb9267c9fd963418d18688 |
| SHA1 | d12ade2952263cf1f56dfa2d29db48a3bad303a2 |
| SHA256 | 74043f1b65beb765b165993d916ee738bcaa0dab0e4e14bd8c9766519f753864 |
| SHA512 | fbe75625aaacbc0d4b96b5f02ded6f27bc5a132990103f12ff9066adb4172743bf05ffe3a8e4eb92479ac3e7def9dcbc3ec27dbe5bac2aeb5491e7d05c921a96 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34lvgjda.kxu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\GET_YOUR_FILES_BACK.txt
| MD5 | 01188d22b1675e3437b1418e14f4ffab |
| SHA1 | 6e7127f3bbfce49485ed8f1acf8f697bcb952818 |
| SHA256 | e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2 |
| SHA512 | 6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d |
C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe
| MD5 | 64034db3a0ce29dcb4cfb658ab805226 |
| SHA1 | d4f1cc6d18b4bebcbc89459583e45d5a0456151d |
| SHA256 | 61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d |
| SHA512 | 9b4fe8ba0d6f2e90c84ede2b37629e2a0cdef80007de95c6b34d86aba2aed655e75deea7d85140b9ea517577b489bdd8e7de88683ee8f62529cfabb640d2877f |
memory/38448-16860-0x00000000008E0000-0x0000000000952000-memory.dmp
memory/2652-18211-0x00007FF9FB7D3000-0x00007FF9FB7D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\66dcab0bcba58_crypted.exe
| MD5 | 751e3d161454b4c4aa4cf9ff902ebe1c |
| SHA1 | 25ea26e9037576f135a8f950ba47afe70195b2e9 |
| SHA256 | 7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144 |
| SHA512 | 3e474ea0b0511e8361d80fafc52f0f27f5c8659bc7a40dd31168ea79595c68ab0162295d0fea7b6af4746e4b48279644b93281c094d17c271afe4b4f44029435 |
memory/6824-22759-0x0000000000230000-0x00000000008BE000-memory.dmp
memory/6824-22751-0x0000000000230000-0x00000000008BE000-memory.dmp
memory/2652-22750-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
memory/26108-22784-0x0000000000E20000-0x0000000000EA4000-memory.dmp
memory/6824-22786-0x0000000000230000-0x00000000008BE000-memory.dmp
memory/6824-22790-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/6824-22827-0x0000000000230000-0x00000000008BE000-memory.dmp
memory/2880-22831-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2880-22835-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2880-22847-0x00000000052A0000-0x00000000054FF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\66dd2c2d3b88f_opera.exe
| MD5 | 079d166295bafa2ab44902c8bf5ff2a5 |
| SHA1 | 46e728a035c3fd9618f823a5d0b525a9aa22e1c1 |
| SHA256 | dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8 |
| SHA512 | 949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b |
memory/2880-22861-0x0000000000400000-0x0000000000657000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\66dcad8f5f33a_crypted.exe
| MD5 | b8010780cbccba9ec2e20d7b3c17c6be |
| SHA1 | 30904082c6866796d664f0042780207c5fcf59ba |
| SHA256 | 49c25f225e9c5a3ffb651a2ede3505b0faccfbef4f43652d7321388ce6c4b864 |
| SHA512 | a98c9acbb1be1802ab2b430fee7aaf0db166ca3dc25b728c6da7535ce884f9dfbef63f45cac55f4ed208630da8f587378ddf5504e5479b85eec62e4d84460205 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/2880-22891-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2880-22907-0x0000000000400000-0x0000000000657000-memory.dmp
C:\ProgramData\CGHCGIIDGDAK\KKFHJJ
| MD5 | e228c51c082ab10d054c3ddc12f0d34c |
| SHA1 | 79b5574c9ce43d2195dcbfaf32015f473dfa4d2e |
| SHA256 | 02f65483e90802c728726ce1d16f2b405158f666c36e2c63090e27877ae4e309 |
| SHA512 | 233ca5e06591e1646edfadb84a31bdfc12632fb73c47240a2109020accfbd1e337371bcc3340eae7a1f04140bbdeb0b416ce2de00fa85671671bb5f6c04aa822 |
memory/23264-22914-0x0000000000560000-0x00000000005B4000-memory.dmp
memory/23640-22915-0x00007FFA199F0000-0x00007FFA199F2000-memory.dmp
memory/2880-22924-0x0000000000400000-0x0000000000657000-memory.dmp
memory/23640-22916-0x0000000140000000-0x00000001419FB000-memory.dmp
C:\ProgramData\CGHCGIIDGDAK\HDBKJE
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
memory/2880-22943-0x0000000000400000-0x0000000000657000-memory.dmp
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\CGHCGIIDGDAK\JKEHII
| MD5 | 3b93f6244d44cb33dce9bab0d8e93a53 |
| SHA1 | d642e65b852bbd2b56ab3332f1ce0e7950b09a69 |
| SHA256 | 02d40c6f764e46978fb4bd8b324e2f97525c4d3d8b5af7f5054a0edc94e07396 |
| SHA512 | fc7ff071bf7fd1269e91af7b7f8ccafb7784b5f722d596a1c067c9ec737e1dfda0e13a5efa222e0c7d1c6589e20e19e6cdfc8a9cc23ca1a6bb7741bb2c158d05 |
memory/6824-22946-0x0000000000230000-0x00000000008BE000-memory.dmp
memory/2880-22945-0x0000000000400000-0x0000000000657000-memory.dmp
C:\ProgramData\JEGDGIIJJE.exe
| MD5 | 34c7ab92d1a35ce4ba88bc394e2a25f2 |
| SHA1 | 72cec5d2f3bcd4c72a8bac0824655446220d0cf7 |
| SHA256 | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476 |
| SHA512 | e77e2efa1db8152eb8fdbd5247e6e399930ef77d3dc6fba0cf6098308415292949884f59fc895e3882baa2e333ecd0c55f9d55c043cfa846e3edddfab77076c0 |
memory/21604-22955-0x0000000000540000-0x00000000009FA000-memory.dmp
C:\Users\Admin\Desktop\GetHide.emf.avos2
| MD5 | be676ed86a394b4a808d0616dbda8d97 |
| SHA1 | 82c523f0309524fe356b1e3d0772d89b80ea13c8 |
| SHA256 | 5f98122b947ffa701006bc452773da695f40e2f3c787a1b78103170a1d235c44 |
| SHA512 | b995eb5606f3f114530c442c636e94d8d97595e1b15ca7e628259ef45df0c07e60e02a28df63d864a97be68c2ebf3ed687313cd97014d13cb4468352805335c1 |
memory/2880-22962-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2880-22970-0x0000000000400000-0x0000000000657000-memory.dmp
memory/21060-22976-0x0000000000750000-0x0000000000C0A000-memory.dmp
memory/21604-22973-0x0000000000540000-0x00000000009FA000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | ebd1e0c475994371b3998462615f0d05 |
| SHA1 | 14e355cb59a4e518018b776164c6d0217aca50e8 |
| SHA256 | 6982055c717bbdaed4aeec95fd9209e1f933093cf5419bc09194366ee80b0541 |
| SHA512 | 7aa0bc09e0f291418fe3b6683c2e6e83781a2d96af1d36fd47162a132cfb1fe0051135fe401c6f953c85948974aa79343fb88a0d40ed31be7c60249ae21a3a32 |
memory/20124-23022-0x0000000000AA0000-0x000000000112E000-memory.dmp
memory/19728-23047-0x0000000000260000-0x00000000008EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Installer.exe
| MD5 | dcb050a81038862531cf2e23a095dbd0 |
| SHA1 | 3340822daaacb341a036a062503db2691f652559 |
| SHA256 | 3c49e41f4e9be499f026246d0f28a6ee6649ebb12d91ad7ef5a3932a21e5842c |
| SHA512 | 5a26a7ae54b08acd2024c16ea7e27a12f4bd5a047d6eef5bf944678faa4c2edc3ca9d6e251107793f908245123ab70d1c73296797cb0c1fb47a265fd4b591cea |
memory/19532-23052-0x000001DF1E2C0000-0x000001DF1E5A4000-memory.dmp
memory/20124-23061-0x0000000000AA0000-0x000000000112E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000033001\3ebb97c342.exe
| MD5 | ef32a1aad76d27f00ee9134721d9b6e8 |
| SHA1 | fdfb0262d8cacd567fe03d2e68c1702b32216c8f |
| SHA256 | 665a4e8e49ccc2b3b36f58d627acebc6dfe6d3791a81b3b0d9dc9b43d4e98857 |
| SHA512 | 8e0ce2ace1a4f0c526daec2ab017a7ac50489efdac7bb6d10bfb14a433a72c4fc643530ca619a78725e35621790b8278e350ef1fd94e87c46aa9c00443e87412 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 4e8379d5d9aa5bc2433db8fed2d95f9c |
| SHA1 | 0573f716394e9de03d5ec71d6122865ddf9c001e |
| SHA256 | b290cd5104a7f6fcf4718beace1a937a452710519ad5a90397eaad591088ba70 |
| SHA512 | 1242f51706a1f6a98bdebd665c3bc659c86e317909bb025c7ee0c852f6587897c146bd88f1d981079f15ac874b0e105322df2e0ea074ca33b7bf62db1bd68167 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AAEBAKKJKK.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | b294047e57e6fdaa62aee0a81c2cb43f |
| SHA1 | d25f879c1db50ffbf8fc15feb2184bb913b4f1b8 |
| SHA256 | b81e0f982bc81f1eb081fc7741d8d43b3b90035bd51bf104c6202d8830da02a6 |
| SHA512 | 389a4bd6e01d6f133cf28f4fc2908543be5559a756469903a9e9b395f2d1d27456cb4a6622e0fae0c61c8f89239cab0d3a750dc893c421917ca2b72898979c24 |
memory/21060-23113-0x0000000000750000-0x0000000000C0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe
| MD5 | fdf999d19df6b5c6a03bdbe1990347b3 |
| SHA1 | 3266aa1f4ee746d69601c42afcda7666efd08ea2 |
| SHA256 | 7a15dd944f05b7280ae9d297f7707f5ee712821fbae770930bae1539cf9e0b4e |
| SHA512 | 3232b2b0e373104b0f3d31d0275e0d40d247abd3b3fc288cc75d29ed26161726d31728f7ac25a771b277f74fe9a274346820f7087596caf6184ea7c7ce340274 |
C:\Users\Admin\AppData\Local\Temp\edge_shutdown_crash.txt
| MD5 | 06d49632c9dc9bcb62aeaef99612ba6b |
| SHA1 | e91fe173f59b063d620a934ce1a010f2b114c1f3 |
| SHA256 | e79e418e48623569d75e2a7b09ae88ed9b77b126a445b9ff9dc6989a08efa079 |
| SHA512 | 849b2f3f63322343fddc5a3c8da8f07e4034ee4d5eb210a5ad9db9e33b6aec18dea81836a87f9226a4636c6c77893b0bd3408f6d1fe225bb0907c556a8111355 |
memory/15928-23128-0x0000000000400000-0x0000000000452000-memory.dmp
memory/21060-23127-0x0000000000750000-0x0000000000C0A000-memory.dmp
memory/15928-23132-0x0000000005740000-0x00000000057D2000-memory.dmp
memory/15928-23130-0x0000000005C50000-0x00000000061F4000-memory.dmp
memory/15928-23134-0x0000000005730000-0x000000000573A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpD8A8.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/15928-23151-0x0000000006380000-0x00000000063F6000-memory.dmp
memory/15928-23154-0x0000000006B00000-0x0000000006B1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe
| MD5 | 6a94b94ba557d5d85a1da20213d48974 |
| SHA1 | a311aa3a9243849b883867fa3d772e4c4e95d080 |
| SHA256 | e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd |
| SHA512 | a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74 |
memory/15928-23164-0x0000000006BD0000-0x0000000006BE2000-memory.dmp
memory/15928-23166-0x0000000006DA0000-0x0000000006DEC000-memory.dmp
memory/15328-23169-0x000002629AF70000-0x000002629AFAC000-memory.dmp
memory/15328-23168-0x0000026282720000-0x0000026282732000-memory.dmp
memory/15328-23167-0x00000262826B0000-0x00000262826CE000-memory.dmp
memory/15928-23165-0x0000000006C30000-0x0000000006C6C000-memory.dmp
memory/15928-23163-0x0000000006C90000-0x0000000006D9A000-memory.dmp
memory/15928-23162-0x0000000007140000-0x0000000007758000-memory.dmp
memory/13336-23179-0x0000000140000000-0x000000014000E000-memory.dmp
memory/13336-23178-0x0000000140000000-0x000000014000E000-memory.dmp
memory/13336-23177-0x0000000140000000-0x000000014000E000-memory.dmp
memory/19728-23198-0x0000000000260000-0x00000000008EE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 4e7521beb1ffe91d22551b0488a96c6c |
| SHA1 | 82ad3588f9ae5e9012458b6ce7b66fea0a272734 |
| SHA256 | eb30c3e85fc9e3a848d52c6d21ce8696eca4422c0eb19c185f6c514873c47fa7 |
| SHA512 | 7789e30bb39d4e8fb05e364ec048c6ffcdd9286ec86d6bf86e8f6e577025a5613601eefe735bc53e7043ed433de75ace05f46326eeb3aca800b2c7cd9a076f1b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\aa1b87ef-357b-48c3-a384-1d0967da554a.dmp
| MD5 | 3d609a3749c1550ec824ad4391da4c7b |
| SHA1 | 275ba208bc81673b11ced03df0181c542c5bbba3 |
| SHA256 | 811803409dc81f578777615ebd39c0cade3bf0fc234e04aa6604446178fe1997 |
| SHA512 | 562959d1634f46351a047244f50b47a0dc0f906c171243725422e2e8d0e16617fb8bc504965e2dabcb274f98ec894a84ab5b50eba5d989d383e4a0f6c416f782 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\watson_metadata
| MD5 | 13b739e31979f1d1680bc1c75b95101d |
| SHA1 | 861403baa82e9fa7a6f2901504486e252a01dacd |
| SHA256 | e445cc56f5c47ed2d1da66c58a4446ac002db069163ba9ef873cda1567be97a6 |
| SHA512 | f541d9c6ef9fbdda577422e208c3ff7c7444aaba9c15818fe4b7df22ab0f571d6666ab5b264ead6f709cab1ffb478aec43637b2658c5d6f5ce316109e2de89db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | ab69cc1475aab17afdfbad6e9c47765d |
| SHA1 | a3c3cc9c075ad509c519a9d072910224b4873ebb |
| SHA256 | 15764cd4b081c7f9615b4c424ffae9f33c8c31999d278bd68e572f8cdf15ae56 |
| SHA512 | a2711df04db532a6937bc990beebb1754a121017d4343dedb3b217f9fa4d375e2bc1497609f45d2a62471c3cd6ebeac510125b7ee8d840d8afe690901b7863c7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\ec10c213-ebc5-41cc-bd59-4eed611dd295.dmp
| MD5 | 118deea38a6032a9f55427d8765361db |
| SHA1 | a609af986805b836ac57ec7f6b12e33e1ecf6939 |
| SHA256 | 4e00f054109e0006b011910e54a3051d77d6644b8d73b8f39b589e4d42fc5cc8 |
| SHA512 | 331059c475f2977016cf8dd97701f7e7cc736b96c402e16848b5f226eb6339945baec05f6d21349757d27e57c3a1075d2dc958c0fd8c90a67c4ea3779ac80ac0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | aadaa79ae0d07ee9e1e05f2b8e1128ca |
| SHA1 | 949e8c49510f59f209c09ebecbb56617c9dff1c8 |
| SHA256 | c984fbb3678e06cb682dde5efeabddb85c50275257066da064587db2a0ef7fb3 |
| SHA512 | ab46d8b3ab191b8922c6121508526db0ff50e363f77f8e050262d0c855643db432fa9c7567fd59bb1a37d36d7e27c94c70e484c49b0b2aaf3c0ca473ece10274 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\55e5fd4d-1bc1-4ad4-8444-c4ab4ab6fa70.dmp
| MD5 | 6f26608df6a4afa078e8bc2eab72934c |
| SHA1 | a025fd00e26dde0541b1f9e50b021a67433c8964 |
| SHA256 | 8c8c875d8d63e64da54a4d9de44436f50e9cfc7fb0eafeabbb87d5cb20572b61 |
| SHA512 | 79ae7db1422b01deae38d445be693982f8246a0b29e07f8410a27542835a96e1759d630bc9f59ea0b4c99aacbd010a5d191017a46813264e5e8ff9d84d6ea2e4 |
C:\ProgramData\JJDBAAEGDBKK\CAKKJK
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 3378935712e8c1cd4a3cd73395ce68c9 |
| SHA1 | 8292248dca12838830955320b0021cd4ce5f5453 |
| SHA256 | 958ee6ba7c1dab6a313edf778f496b01ff1d32bf0b70eb228334d76c22493a87 |
| SHA512 | 1257742bd4aae45eaee995feef6de2c18eddb7df39718f74018d6d21e095d399295c47efb3de6556669bed036b570656c689cc6718dd04549f6634ce29b4b4f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\456e97f3-a6cd-4061-b263-432d44e6a351.dmp
| MD5 | cc574fcfb0d651a647b365d654c7d02a |
| SHA1 | d26e3ebda76d79b77427acf1554d44552695cc45 |
| SHA256 | a264ac16ede5af9b74693ba89d9636ae0e8adc54d6b2081b2b8ba9e2b198c453 |
| SHA512 | da2abb5e5087a19167b4ce141b90ec9e478c1e52f05f5938b72238648cb886a7efe826643da1d8c3d41dc0cc600f35c75305170b35444f8ce07484b7bc40c8ac |
C:\ProgramData\JJDBAAEGDBKK\IDAEBG
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\ProgramData\JJDBAAEGDBKK\IDAEBG
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\55af97d2-e0ae-4471-8c6f-217b2f509859.dmp
| MD5 | ab1ac515e47b7322a005a1756a8d8671 |
| SHA1 | e88be915f484695572bdd4de0c706a328d27766c |
| SHA256 | 58340a0e9d03cd27882d62367fdbdcc04f9bb0438d86e88dc8eafdd3d040a98f |
| SHA512 | 3a9221693410eaf1ad9388b0208060fdf9009cd7bc9db4f9cf76c7376abd9ae09a4c6ef6a759ddbdee611428c4bc55709222f039c50e4b55e26b1ef3daec315e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 6a15a6fac1988531bd322acfc95f7732 |
| SHA1 | c7fce77d9ef972797eabf08bd6893abfa0565c63 |
| SHA256 | 30c83c1e2f76fa1186d14943d3bb716bf381069b80a4aa5eb191d10ad7cb8e00 |
| SHA512 | c20c00b84d29c00319747b57351294b261f0decb8a5dfefb4a53bd46e54fcde868e67df15fee06eb41c30281bca89160de8111b5963a3a8e7ffb2d6077369c7c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 3cbd2ce34cf8e4084f7aea003aa3f933 |
| SHA1 | 2aebd8b6836c03b22c3bb802fc4707b9e84e0926 |
| SHA256 | a06bbdaf75ce8fb0e1649e8b97abe58699336711c58fbba1d2616b0a96642876 |
| SHA512 | b36577bf92db6a785a16e4cc802b2fadaa23b9e4198b689b90830ae338e9ea2b068cd1ab786f793aad14b0738dac3eef27d8860f562c19e3e0ec33e1289d4ed6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\97d7bdac-2a38-4a41-ab81-8fd60e0ef17e.dmp
| MD5 | 869054d2c11e6b1990dddd1d3661cff0 |
| SHA1 | 414c0fb506c4463b730a1158146d0039c8b66de6 |
| SHA256 | 831340ed2f5f3c55c26aa97ee726b239be4675cf34496c8a573df5b2b4015495 |
| SHA512 | dc1a441bc68592f02a215bfd80c06d9605779917fecfdc43fd0f6e7e94ea63b0b1f0963c3eb22eeffc1ed40c0484580999dcf6860ed9b0765919bf7bd77dfba3 |
C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe
| MD5 | df763cc3afd7e98d660e5db9de5b1d95 |
| SHA1 | e50abf286735649267da3024aa27544eaf095845 |
| SHA256 | aee46fb12d8bd25b4033b3ef7fb04703961e68e6cbc40d6aa410b01b05e4b411 |
| SHA512 | a7622cf295023ca9073d3ae239b98268705f1b9ea850bc6c8f6db66f175b546df95a1dd4978bf376af4a6d4568ae0f78b66b3fa885a5146f6692a35c69b879c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | b7e9a3bd17230feb40caee7c16f71f11 |
| SHA1 | 91353d058d2438e1ee5a2596e1c7d3e79b6bc153 |
| SHA256 | 17cc61680a083b64297ed07840d6b8153d1315c7268ca86ad9b37517d4083474 |
| SHA512 | d5bc4ae673309da7f2fd0ee95de5ca8bc2da1e599f9c734875ffa26dd91945815a22e24c71d100525c8dc68a8e32986e5548c77dd474465a427f2df421e1d600 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\f557236a-8302-4d97-a087-203ac65f2eb6.dmp
| MD5 | f1d0d8a26229bdc0be15c1ff955ad34f |
| SHA1 | a3d9d6534706c4eabba2104fe9404c80f7c0d3a4 |
| SHA256 | 618953c1ce6a173dd2f16a8ee7a76c8268e741f59621f780f52dc201013b1c05 |
| SHA512 | 2575231c50760f0162830d2daf577eb7a590458d2c58664394fee33112c22cc14d504c35d62a8832bba7fa92c8592a00bf138a1ae66cb79b95fb9f46b64e8cc4 |
C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe
| MD5 | 387d4b12ac9e87b9db76589fcca2b937 |
| SHA1 | 4a51340e1817d7ab2c739b1237c541b58e3b7c9a |
| SHA256 | 30d91ef269ca652f181ba1985cf2cf8a5790305927c6887e0c298c38ae87afcf |
| SHA512 | 35bd0a53169d56a12260ec280977fdf0e3c07b41baa836a931667aaaeffebad902f7fb1b61b3d33072a02823a959a54a6327aed57580b970bc0bcee464cd4f87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | c251965f2d3af87e21d766351dcf9e8d |
| SHA1 | 8cb9864ac87264228fa6ec2aa8af25276ee10d78 |
| SHA256 | 174e6a498deac47f767923de085d4e219445f88a6997df065b02d7eb816d72a4 |
| SHA512 | a2a807f3f64fc0c797572e5fd8d9f9ecfb0250d11f6d39a06b29b5660e074a0f2a6f195a21536127349f9c955d3e0a888e02ea47f2d8c6d0bf25475756c57719 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\81919a83-847c-4d34-b747-09a64529b6c4.dmp
| MD5 | 466836e189646335275f771abdcc685e |
| SHA1 | ad043916b3f021b981e31503b31abc8436c8fe89 |
| SHA256 | b226ad49de8977c0547b6367796141b53a6fe81c36607bc7c7d85604d1faf965 |
| SHA512 | 415f937cc9fa6ee7e89832603fd845b258962d979d9d0b54ef3a35fab4168df197c2c95ee4df5a6ea3eaa7d4382e07783565ac63e9630d3b6367573147ad8239 |
C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe
| MD5 | 7a8463b22eb60bf18f4df8444e006d96 |
| SHA1 | f1577856bf96eea03ba84a5fd85dfc9426d60def |
| SHA256 | 07dfcd4aad4d53de15bd688a17d31ce50d591173d60fa2cb629b9ed94179cc2a |
| SHA512 | 5bc787b6e6cc02c96481bfa87fa3336ba53aa596c1c4b053de40e18d400305481a7059a71c9ee9ad1e6ce3260a743860595a7cddbdbcffd7dfeb8eed06de9779 |
C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe
| MD5 | 8a4f0f41b42e3f0027066f418e5436c5 |
| SHA1 | 3ce8dec5bcfd824805e40ec6f9d43ac45b6f029c |
| SHA256 | a0b724fea63d02a4b665dfb5c047da345e949385758e6bdc20b3c42951c549e4 |
| SHA512 | 19c0c02ba0fa3899f1f67cc19daab651a4384217cf81f50c3b3774cae09c5f2117bc2d43698866156e93a00948014345f96db1c8a637daf0a146862531ce3ef2 |
C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe
| MD5 | 1a679e0ccedfb2c3b8ebaf8d9b22f96a |
| SHA1 | 6ae0ff6690d0a857d145f671589a97620c1e43e5 |
| SHA256 | d16eb8da5c5ce99f1a2e38677eff8d2ae532cb1ad0eddf10a311583004675960 |
| SHA512 | 8e60833f266f1a092846892659b117e06f96d5f7017ce0847333a7ae38f30b2a274bf6fe0ee43d5e94c1aa87a84ce340c4b66de256883bcf2bbc17038353a4d7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 460f20d51f93d7da79e5be4bc3134397 |
| SHA1 | 0511f833b6c677d4332fc6d1d5179f4518f5b287 |
| SHA256 | a7f45af73296be18358e6e679a93d67e0e098a9bed8a84574ad9190566722046 |
| SHA512 | 3d1670212246334467c1979d09bedbaeb10ab6b369a844578e4ab6d632061a1bbc3f5b2efd81955c9caf3a4cfcb02bafd04526c72b9b0da8593e42f4d2891742 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\34e1b215-af8e-4750-a8af-d60db40e2ac5.dmp
| MD5 | 0e5aa5543d83072489f9db5d6996a3c4 |
| SHA1 | 01b3869d0b27fa5b33621951aa429465feffc16b |
| SHA256 | 4410d62b79720e61d4889b560e4c32a47a3cabe2c7fcb3e91b890470ce76ec79 |
| SHA512 | e5b08f9b2cf71920ec2f07f6beaf8df64f93afc752b4ff5e830ea907606e35ff64f683d4b1a64b9c5f70e81f7e56d6af1962a398d68efb90050580be37191444 |
C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe
| MD5 | 1ebcc328f7d1da17041835b0a960e1fa |
| SHA1 | adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c |
| SHA256 | 6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a |
| SHA512 | 0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6 |
C:\Users\Admin\AppData\Local\Temp\a\ywp.exe
| MD5 | 6a9213568bc6a19895240ff14fd57329 |
| SHA1 | bd18494cb4d7f652bcf9ce187e11ed0eccda65f8 |
| SHA256 | 5618de81f0a47570c7048019102af4664a7402b657dcc060148243e97159ad97 |
| SHA512 | d6c658c22dd0e70f09c0a3d07b656ea6315c39a99bd7855f202447f88359272efdc8cfba17b5243b26fac69b5159ce2cec106f42df22bdb72f948c4f9618335d |
memory/7052-23517-0x0000000000750000-0x0000000000C0A000-memory.dmp
memory/6820-23521-0x0000000000400000-0x0000000000480000-memory.dmp
memory/7052-23523-0x0000000000750000-0x0000000000C0A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | cd646216ed7eab2218d1e185722eed94 |
| SHA1 | cb3918010a4dbfd5aae4a290dcba7ef40c397cd8 |
| SHA256 | 68092f16e2a53ced0a0fa8b934fbf49e16b9eabeaba096378f2ad6a502b50efb |
| SHA512 | 580f4ea6e55ab124e77a1dcf022ced4abbbb805046b84dcabe9cb2bde38c4014f068c125a4b88cccb09108d9b0d5e52acd1e04d09bdff6959ef661c30267f0f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\122f7b64-79c8-421c-a1f0-a2ea5d540941.dmp
| MD5 | d67f2c76d795758fb49a947f79c85d92 |
| SHA1 | cbcb3a6673d772f33d6431c11e3ca069bd240360 |
| SHA256 | 76c3d52a2b25c90894cb2a0655b2e7bde946abc7f2fc498e1a0c25407cdd5fb8 |
| SHA512 | 96fe7cde3e2114ab5893261cf77745ede1197aa71180368cc70b663882510e56e47585ec370913a966f5f7204dd4a9b5e13a06e7be0d4445a37513a7bc66e80f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | c7a9e5380d253a54d98cdc7e3301a402 |
| SHA1 | c83bef06d501e466dea225e1040fb135b8143d6e |
| SHA256 | 7fab1901508200609896981bd137b470e6fce24fd460c9fbaf75b7e574ea2856 |
| SHA512 | 06946fb9a435a2c9c380ae385b1b76f88a3d15faf7c6f8fd3e8a9f6ef95e48fef020422ed1a3c0a0572954258835f0ee11fb98f60e2e72aea48b1ce177df8077 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\9be57386-9232-4932-b4b7-aa7cdd47eee8.dmp
| MD5 | dc0525570780e0c2baed250c7d5ff899 |
| SHA1 | 0d5c5d4998a3323c0b8ecbdd8f2c12c78af4b291 |
| SHA256 | 703cb92b79b4034f9d657ad385cbf23872e2683a8f23915bd816dfa17c76ca30 |
| SHA512 | 6aac232ca699f72e119be02698556551a681c1dad700a1b25896541d027be82e327244578d14fc6677335d3ca423cac1f72670a6f140038ef0206ea1af043b8a |
memory/5292-23575-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5292-23576-0x00000000059A0000-0x0000000005A06000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 577f258414da82354c5a879615202791 |
| SHA1 | bcbf5331866cc86b0020870b8ddae017a7859a4e |
| SHA256 | 0f4d5e866484c7da7c31425ceafc1fd0dfb88efcaa43357d6e409802d85589a8 |
| SHA512 | d2882324bc5f1814352d056d74bdf58bc37d3bc96e5ecce981c12de7b7d05c5cfa756baf686a44de0e2eb08d61c19412e0b36f130194c4d1e44312d836b5f17f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\fb559c99-5e3e-434d-a5cf-8c8bbc263a83.dmp
| MD5 | 3c427b0efc569efb57467dd5f13b0e48 |
| SHA1 | 9f07141589aea57dc03b03867685742199f485b6 |
| SHA256 | cc4317afa9c1367a4ab57390f9154a49ac75f4389dc714ef7e5232f4ac44dfca |
| SHA512 | 1e0e9e9452e77083cf644d95370dc71a835d5baaf26d3a824b0e9d930df7b7cd023a9e1ec0f5abd437256320787f2b5d3f2b901c393abdef4d43c6fde6bb54a1 |
memory/38128-23600-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | a2db3a57f248a8dfec0e78966f08ffa1 |
| SHA1 | 39292dfca1b3812e31d7d1c760c46dd556ec5279 |
| SHA256 | 097b3bb8f664f60cdf0bff42acb905e1cc695fa42c10e5f00ce0104ef4c59af7 |
| SHA512 | 3155cbb9c5a8d6d12def5a6a90d79197122e141b0e6b6f7d199a6b1826885707fb950d016d5d62af35fbd08bd707c93f5b9ca610fa262236a54b67914e3b9d3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\c57f71f3-2501-4ece-8d7c-8cf2cfdab5f0.dmp
| MD5 | 8011738caa28ce9763e27b98a6acfdb1 |
| SHA1 | afa577394ee342ee1d172ef77268d3ef7b22613f |
| SHA256 | 3623b5f9fa6e9a626bf23dc8bdf29646a1490c397314cd6f6df14348419bf3d3 |
| SHA512 | 1262335ccd9583d4fc1cd576b727e126ca9df93fbdc898b20b8445a2bff354435419468b0308bcf12bc464cde76eb9a35dc7188c65fa3c56f36ca32bdeb85814 |
memory/38128-23625-0x00000000068C0000-0x0000000006910000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 014427bd9d2e47455a6293179bbeb8e4 |
| SHA1 | 73021cec7d4719953b27fa21739799cfeeb65ff9 |
| SHA256 | f4fdd86f608c735bd5ecdba8565f84c13c18be28c5d4cd712181608bd1fc5af1 |
| SHA512 | 1be1c0fdeca5720c0c6f6de9d2bf36e5a60836fd32b986f0e9b0f6f69996844eaa2c769f58158cae49f91856e39bbf1a585575d6a2786794b586d0b9409513ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\b22cd904-c946-42fb-9971-a99937926136.dmp
| MD5 | 651124b6683d012a3ef5e8377c64d02e |
| SHA1 | 367a82dbaa18f72de73315760a77a285f72295c7 |
| SHA256 | e0897386405fcd1471246a26f07bf3e0f6f97c66759f1b37cc3e01f8009cddac |
| SHA512 | 531f4f91d6423fe88674bb7fd7023ad0fb5737f50ac53125f23b596d10b3fa22f0d350d623cbb66b40706a031e29b16bd11e41cccdbf4870c09c2566adca2ee8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\bf094322-3cc5-41e8-80fb-a139aaca695c.dmp
| MD5 | 7a7baaad01344fd9f803f4309d9ea87b |
| SHA1 | fa1d7d529f0f2ae02e76bd7558d31eaf6ecf48f7 |
| SHA256 | d8832e78000c9484bb082861f8f5c9f553b34a029fbdd156c5348bab5556b1b7 |
| SHA512 | 258b224366593e3132648c102f8ef8e2e06fb1db44d2e1837e78f3c8b65043eff4e5dadf963b27b43620d0769dbb287845aa6d34e2c29ee9347f014ace459d5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 90fa1a686687a5587622763d0f273101 |
| SHA1 | b79b7f380b8a4e06d1cb1e0d837ae44ab99d3868 |
| SHA256 | 248368c0386032a211e40d2b309f3f543407e0d16d6c0514b98449294dac363d |
| SHA512 | 92c4e993f59cbfffe43145364c2b1bb4b1d309b2082a7e0155a7d82c39261e9cce2971abd27fc7ffadab05f8ef780c3593ec4d779929d9a812980587ed8bbdaf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | bd3363e61dc57d1d078ebd3ea4f5841e |
| SHA1 | 4e8fa246140ac15aeb19af365c5ea2b70475d941 |
| SHA256 | 60eafcbcda7bed0cf3ac85ee57dae96d09e0ccff1c8885090380a42e24d62c4c |
| SHA512 | e78b3b8a1c2b6c759cee1be8ea8d0d2e95b61ee678e33b6f946cb1626a5c5b05d2b62797ada4f14f8e3579fb4bf336e4da50bdede610cee028b8592b16029ce1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\f9cbdce3-c4af-4f4c-85e6-01ab691ff937.dmp
| MD5 | ff5954062dfd36d866e59b486d1791c0 |
| SHA1 | 8d0a3d206b4bd1ac052654ce47dd406fbe9a09bd |
| SHA256 | 13f6c58ff5a3158f539166b1083181e3dd8ccc0c19465db7b5418eb07d27aff7 |
| SHA512 | 553d585e78a3c40a2491ad9874f116dcb2c82225ab9df6dfc7aafef851580f56f5b0a108ec45bae08b50724ee315409a65d6526ee2181c4e31794b8f0fae0757 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 67c30ea6aa5b69517ff34a2ccdf05e76 |
| SHA1 | 3c57a24fcee7d9146fecb72322b8b2db2da651d2 |
| SHA256 | 3b2f767462d3319a183de77101f7eb9a10dc8bc19679fa6415cca855bcf117c0 |
| SHA512 | 2779d2ef892743db4cedee7cf9321886ddf6482dfac3fd35cd78fe6aeb9476f69febabb424a10363e0a6e26cfed806397cbea058530e47c22fc3d54cd70fd665 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\fab1ee35-5747-4802-a31e-3414c56e045d.dmp
| MD5 | 4332a7269dbc3f1cf2634ee8b719abfa |
| SHA1 | 21e8ac4515578b3e0ffb552d1fd1a72f4baaa878 |
| SHA256 | 5c50268804f19b7e30a84a9a8ddc2234593aafb6d2a4e67871004dae3c2cb090 |
| SHA512 | ffce3993b55f3b73164624a63652dc4998ceb2283ea450569825586a70c453472a8251e90211e33b2848a8a740f1dadc6eca546639cc420549ce50e57164deb0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | c47bc2d7130f883efffa79894e896808 |
| SHA1 | 5c3ee91e64fc2e5123641113d94800070e00d382 |
| SHA256 | 011c2f1096d821fb89cec320780582645fdf1df0632b9c7959b3a31be8581300 |
| SHA512 | 60d2512f5136d08ca6b683195bd21403c6349ead621be6810eb2fdadc07bc9b5597ed50cc7fef1003584ea53466e5c073b63bdbde34ff82ec6031571bfe9524e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\ae39179b-5ca6-45d0-8db7-293ac34ee66c.dmp
| MD5 | 46aa61c6331b14a41310b652ce9ae65c |
| SHA1 | 48bf5a9cf925185d88b8fc8f611d6664c88027bb |
| SHA256 | 38a85a4f5a84e752f0bd49bf8287e4a3dd549fbeeff27f157e876bfa1837f2c2 |
| SHA512 | 905882c49619f5a158054a57234cc1569c3ec277f24e56fe0f8be5df8e28b69defcbaf3999b1f8027463155b9fd40ff4acb279122cc4db62aa086871c8aa04b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\cce53f9a-184c-459e-8e1c-db7624f0abd2.dmp
| MD5 | 5828740be4e132bb4e49abf5dfe41a73 |
| SHA1 | 464f02483aed1587157a489b51e715ae96767133 |
| SHA256 | d77faefa98ee6cc8d1e9019c5a9f787afc71afb1e733809e21a4f45696a1bfab |
| SHA512 | 433fd188562568dd14dbb7a5c491222113854c509a8f188ef142aa9ee4b2977447b577d38224ce73ffe2b3c0ec2039825f670573e18dbd073e63a2ace32c761d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\78958706-0afe-47e5-bf8a-eb9e86451fb3.dmp
| MD5 | 9427aca6e2f69b2fe7de6cc560efca95 |
| SHA1 | 23d62f4f7a6d3451e39207826e2eef5113eb5c2c |
| SHA256 | bbc95bb301a8249196543594ea3d29b68df762aea4fcd79b0051b13f38a89111 |
| SHA512 | ec7ea1691c9439518b63ed14ecc63bb7d28f5d1dba3fc399a856eb5a3e74e74cb4e7022e20b47f4bad36752f66d8502a0619804c651abbba802e4a20f7f3d689 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | fc88e25223f131ad995e0107d034f019 |
| SHA1 | f2d6a078e52ab5ae14cc6ae0cc577aec6225ac48 |
| SHA256 | b6d0c8771633ea1f819b68e946ec7162049d9f37a660c1130fb5f63bc2b9a38b |
| SHA512 | c17e56216de345839d4c17d4f2cbacdf727b9b6fea70df1a7869519c9d9a4b607dbb6536afaa17228ed54448b5b8a6312ca9f4d3431d51f36a7f58e6c94045a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\9f9d6f1b-9fe9-4368-bc55-bacc01ee17ee.dmp
| MD5 | 2f9e79eb31e1ea8575377b3d2e7b8b74 |
| SHA1 | b8cd3a09993e154d4c7a0c1df15bdb65bfe6be69 |
| SHA256 | 30e2f71d335c6f826958a24b50ee10cc88a636ee097429c5d00a216ea230818b |
| SHA512 | 5eba9f20d3cd34eada849736023bd92b54df347604943184cdcc541ffd006c8e1c5274b9a21aa7ab6ddd3e9aed4768125265444e29e613494b6dff29d3220637 |
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe
| MD5 | 7366d8ddcc9fb6721c53f5feef334b1e |
| SHA1 | 91f437cf6b6dd98da5ccbb543020b5e6f1f30f27 |
| SHA256 | b3b91381d1df6f08d06ac4f74bca4e597b596001966cee4bc4401a46f1b318b0 |
| SHA512 | 41990b1d6338bdd865f5f3f0915fd85ca3d165d27ca4d2f85e2def8d27d3363a28387689a3d1e4bb3b581ca71b0c2dc62cd54bf9e99537750d2f934ddfb81de1 |
memory/7976-23852-0x0000000072B10000-0x0000000072B95000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | 10959b6a0c0e7ce577fd1db64d28816f |
| SHA1 | 382c8ac8918c3a8d3d9652dc2bb0290fe895c3e4 |
| SHA256 | db5c2b1ec219ed31e06912f7b39cab934a97a3273acb892a0f05af0fcfeb30a4 |
| SHA512 | 34f348f499d88d5174655445bda34a312bcfdac5225df726b8c34748538c61c712934d2ae70dd5415356de37abcf93c589314b23d57d194ec4f1cfe400938c73 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\b40b8069-2f59-4245-9284-1ff402cca15d.dmp
| MD5 | f0494eb4c0e651bbbc940db2638e8d50 |
| SHA1 | e5fa54cadd0fb77e4c01954f204aaba0606a32ca |
| SHA256 | a9cdd7fac0671e86762b5d632ca9d2dd1b1e7c186ad3eab25dda02a9a2b1650f |
| SHA512 | 65d91d43b1776470c32aa492a534cf4f3e0561cb4355560e4156ac328c760b7146443dc03d7b8d4e0feb50c0c7b693376a9fe8420ce5baafd74badd5717b1dc2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\64e64cb7-b577-4383-9913-07b5e6b8f851.dmp
| MD5 | 29f54c94ad9b63b217bfdb7e798ead28 |
| SHA1 | 08c88288d2678610890ed3d7ac9d2c3f4727f26a |
| SHA256 | f6719c2ad11e68c1d968cccbbad9a5aac5c7bc5b74c1e1ca48a84442e30e45fe |
| SHA512 | 7061c6b908451a8d534fd8d72aadd322de958956fe8931889f7ac1b270f6d800cfc885418c9006b7aa117cb6114ea7598ce502d582e0b1f27fb4377aadca87ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\ecdcb9dc-41cc-4960-a71e-28ea37e6d02c.dmp
| MD5 | 57954eb38b0e7c8d7007c8f69258a396 |
| SHA1 | 4bcbdab9df0a0bb032a1313c0c532ab84ab8eeb9 |
| SHA256 | 049db39d75c9e6c4470c24e2d91d4e7ebf45930467d963d1c0182335bf09d9b9 |
| SHA512 | 997d52a1e5e9daae01c52de2a48c966a441b577272bbcfb1a7d81a972dbc971553ef0383aba1dca5f41eb1b9dd789000fa784068dee8b24a9a09d819a4a1957a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata
| MD5 | ada00df8ebf29423ac944b873fa69b05 |
| SHA1 | 54eaf75a8c7362592bbcf5f670b52c404126312c |
| SHA256 | 5ce5cc8beb2bd727cea4a2ede74b7cf54eebd7f095e2a648af7340dd64cbb6aa |
| SHA512 | 338a39e1c6419e2df056c7f5ae401d278ed54f3d371216f61f933bd06f8009eddf50f5cca048877681fe005f271812890c51bb6ee7651e7cab9b402428a6929f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\840a6147-08b4-47b8-bfa1-2668b8341da9.dmp
| MD5 | e6bd8559d40afd0962a56eaf5ab9f8cf |
| SHA1 | d21e25372d868c3f5312da6bd87a8b23766de809 |
| SHA256 | 42a9ecfa2f0be150d0eb7825ced03bd078858f45047cbedb539ab2b45686137e |
| SHA512 | 95968f027b1cc9dfefd4632ef1652c44049b93503fd5c018b5945883e63ab9562bb3ff707c7eca9acc8a38ac38cc104b587663a0b525f8385c5da6be70ef96be |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 08:54
Reported
2024-09-09 08:56
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Windows\system32\WerFault.exe |
| PID 2540 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Windows\system32\WerFault.exe |
| PID 2540 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe
"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2540 -s 1076
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
Files
memory/2540-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp
memory/2540-1-0x0000000000F30000-0x0000000000F38000-memory.dmp
memory/2540-2-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp
memory/2540-3-0x000007FEF6263000-0x000007FEF6264000-memory.dmp
memory/2540-4-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp