Analysis Overview
SHA256
d6db4b1243311484640d253149f19eff7196163e706884d4b5676f8c47309abc
Threat Level: Known bad
The file File.zip was found to be: Known bad.
Malicious Activity Summary
RedLine
Vidar
RedLine payload
Detect Vidar Stealer
Lumma Stealer, LummaC
Stealc
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Checks BIOS information in registry
Reads data files stored by FTP clients
Identifies Wine through registry keys
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Unexpected DNS network traffic destination
Drops startup file
Power Settings
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Analysis: static1
Detonation Overview
Reported
2024-09-10 08:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-10 08:55
Reported
2024-09-10 09:17
Platform
win7-20240903-en
Max time kernel
837s
Max time network
840s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2044 set thread context of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\HackPhotography | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\SuggestUsc | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\ReducesWarranty | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\MakeupSocieties | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\DoingReleased | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\SplitCareer | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 807188
C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomCompositionInjection" Participants
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Cry + ..\Analyses + ..\Discs + ..\Karaoke + ..\Louisville + ..\Literary + ..\Cat + ..\Duty + ..\Closer + ..\Bloggers + ..\Guinea + ..\Joyce + ..\Archived + ..\Complete + ..\Af + ..\Precise + ..\Valve + ..\Pe + ..\Disabled + ..\Mx + ..\Stem + ..\Ejaculation + ..\S + ..\Belt + ..\Mason + ..\Oval + ..\High + ..\Fda + ..\Powerseller + ..\Raising + ..\Starring + ..\Puerto + ..\Confirmation + ..\Individually + ..\Org + ..\Teachers Q
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
Segment.pif Q
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
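The process list above is a reusable batch-loader pattern: a dropped file is renamed to Emotions.bat and run; tasklist output is searched with findstr /I for security-product process names (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc, sophoshealth); findstr /V strips a marker string out of Participants; copy /b rebuilds a payload named Q from 36 chunk files in a fixed order; Segment.pif then executes Q (the summary's AutoIT Executable signature is consistent with the .pif being an AutoIt interpreter); choice /d y /t 5 acts as a five-second sleep. The report does not show where findstr /V sends its output or the batch file's redirections. The Python below is an added example, not part of the sandbox report: it parses those command lines to recover the AV-check list and the chunk order, replicates the copy /b concatenation so a rebuilt Q can be hashed and compared with the reported SHA-256, and approximates the findstr /V filter. The command lines are copied from the report; the chunk bytes used in the demo are constructed, and the vendor names in AV_PROCESS_NAMES are the editor's annotation.

```python
"""Added triage helpers for the batch loader chain in the process list above
(not part of the sandbox report). Command lines are copied from behavioral1;
the chunk bytes used to demonstrate reassembly are constructed here, so the
digest they produce is NOT the report's SHA-256 for Q."""
import hashlib
import os
import re
import tempfile

REPORTED_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat',
    "tasklist",
    'findstr /I "wrsa opssvc"',
    "tasklist",
    'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"',
    "cmd /c md 807188",
    'findstr /V "MaskBathroomCompositionInjection" Participants',
    r"cmd /c copy /b ..\Cry + ..\Analyses + ..\Discs + ..\Karaoke + ..\Louisville"
    r" + ..\Literary + ..\Cat + ..\Duty + ..\Closer + ..\Bloggers + ..\Guinea"
    r" + ..\Joyce + ..\Archived + ..\Complete + ..\Af + ..\Precise + ..\Valve"
    r" + ..\Pe + ..\Disabled + ..\Mx + ..\Stem + ..\Ejaculation + ..\S + ..\Belt"
    r" + ..\Mason + ..\Oval + ..\High + ..\Fda + ..\Powerseller + ..\Raising"
    r" + ..\Starring + ..\Puerto + ..\Confirmation + ..\Individually + ..\Org"
    r" + ..\Teachers Q",
    "Segment.pif Q",
    "choice /d y /t 5",
]

# Process names the loader greps for after `tasklist`. The product mapping is
# the editor's annotation; the report itself only shows the names.
AV_PROCESS_NAMES = {
    "wrsa": "Webroot SecureAnywhere", "opssvc": "Quick Heal", "avastui": "Avast",
    "avgui": "AVG", "bdservicehost": "Bitdefender", "nswscsvc": "Norton",
    "sophoshealth": "Sophos",
}
_COPY_B = re.compile(r"copy\s+/b\s+(?P<parts>.+?)\s+(?P<out>\S+)\s*$", re.I)
_FINDSTR = re.compile(r'findstr\s+(?P<flags>(?:/\w+\s+)*)"(?P<pat>[^"]*)"\s*(?P<file>\S+)?', re.I)

def parse_copy_b(cmdline):
    """Return (ordered chunk names, output name) from `copy /b a + b + ... out`."""
    m = _COPY_B.search(cmdline)
    if not m:
        return None
    parts = [p.strip().rsplit("\\", 1)[-1] for p in m.group("parts").split("+")]
    return parts, m.group("out")

def parse_findstr(cmdline):
    """Return (flags, search string, input file or None) from a findstr command line."""
    m = _FINDSTR.search(cmdline)
    if not m:
        return None
    return m.group("flags").lower().split(), m.group("pat"), m.group("file")

def av_processes_checked(cmdlines):
    """Names searched for in each `tasklist` -> `findstr /I "..."` pair, with product."""
    found = {}
    for prev, cur in zip(cmdlines, cmdlines[1:]):
        parsed = parse_findstr(cur)
        if prev.strip().lower() != "tasklist" or not parsed or "/i" not in parsed[0]:
            continue
        for name in parsed[1].split():
            found[name.lower()] = AV_PROCESS_NAMES.get(name.lower(), "unknown")
    return found

def strip_marker_lines(data, marker):
    """Approximate `findstr /V "marker" file`: drop every line containing marker.
    findstr ends lines at LF, so split on b"\\n" and leave any CR bytes alone."""
    marker = marker.encode()
    return b"\n".join(line for line in data.split(b"\n") if marker not in line)

def reassemble(chunk_dir, order, out_name):
    """Binary-concatenate the chunk files in order (what `copy /b` does), write the
    result to out_name and return its SHA-256 for comparison with the report."""
    h = hashlib.sha256()
    with open(os.path.join(chunk_dir, out_name), "wb") as out:
        for name in order:
            with open(os.path.join(chunk_dir, name), "rb") as f:
                blob = f.read()
            out.write(blob)
            h.update(blob)
    return h.hexdigest()

def demo_reassembly():
    """Run reassemble() over constructed 4-byte chunks; returns (ok, chunk count)."""
    order, out_name = parse_copy_b(REPORTED_CMDLINES[7])
    expected = hashlib.sha256(b"".join(bytes([i]) * 4 for i in range(len(order)))).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        for i, name in enumerate(order):
            with open(os.path.join(d, name), "wb") as f:
                f.write(bytes([i]) * 4)  # constructed content, not the report's chunks
        digest = reassemble(d, order, out_name)
    return digest == expected, len(order)

if __name__ == "__main__":
    print("AV processes checked:", av_processes_checked(REPORTED_CMDLINES))
    print("copy /b order:", parse_copy_b(REPORTED_CMDLINES[7]))
    print("constructed reassembly ok:", demo_reassembly())
```

With the real chunk files extracted from a sandbox run, call reassemble() on that directory with the order parse_copy_b() returns and compare the digest with the SHA-256 listed for C:\Users\Admin\AppData\Local\Temp\807188\Q in the Files section; a mismatch usually means a chunk was modified in flight or the order was mis-parsed. Note that Rick is dropped alongside the chunks but never referenced by the copy /b line, so it is not part of the payload.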
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aSrgKXZxBg.aSrgKXZxBg | udp |
| DE | 212.113.116.202:80 | 212.113.116.202 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
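Four things in this table are worth turning into detection logic: lookups of the machine's public IP through api.myip.com, api64.ipify.org, ipinfo.io and db-ip.com (a stealer fingerprinting its victim before exfiltration); a plain HTTP connection to a bare IP (212.113.116.202:80) with no hostname; a DNS query for aSrgKXZxBg.aSrgKXZxBg, whose right-most label is not a real TLD and so can never resolve; and, from the behavioral2 run, DNS traffic sent to 141.98.234.31 instead of the configured resolver. The Python below is an added example, not part of the report: it runs those checks over the rows above plus one constructed row that models the 141.98.234.31 hit (the report gives only the destination IP). The KNOWN_TLDS set is a small stand-in for the Public Suffix List and the severity weights are the editor's choice.

```python
"""Added network-row triage for the connection table above (not part of the
report). Rows are copied from the behavioral1 Network table; the last row is
constructed to model the behavioral2 "Unexpected DNS network traffic
destination" hit on 141.98.234.31."""
import ipaddress

ROWS = [
    ("US", "8.8.8.8:53", "aSrgKXZxBg.aSrgKXZxBg", "udp"),
    ("DE", "212.113.116.202:80", "212.113.116.202", "tcp"),
    ("US", "8.8.8.8:53", "api64.ipify.org", "udp"),
    ("US", "104.237.62.213:443", "api64.ipify.org", "tcp"),
    ("US", "8.8.8.8:53", "ipinfo.io", "udp"),
    ("US", "34.117.59.81:443", "ipinfo.io", "tcp"),
    ("US", "8.8.8.8:53", "db-ip.com", "udp"),
    ("US", "104.26.4.15:443", "db-ip.com", "tcp"),
    ("US", "8.8.8.8:53", "api.myip.com", "udp"),
    ("US", "104.26.8.59:443", "api.myip.com", "tcp"),
    ("N/A", "141.98.234.31:53", "query.example.com", "udp"),  # constructed row
]

# External-IP lookup services seen across the two detonations.
IP_LOOKUP_SERVICES = {"api.myip.com", "api64.ipify.org", "ipinfo.io", "db-ip.com"}
# Resolvers the environment is expected to use (the sandbox used 8.8.8.8).
ALLOWED_RESOLVERS = {"8.8.8.8"}
# Tiny TLD allowlist for the demo; use the Public Suffix List in production.
KNOWN_TLDS = {"com", "org", "net", "io", "info", "edu", "gov", "de", "ru", "uk"}

def split_dest(dest):
    """'ip:port' -> (ip_address, port)."""
    ip, port = dest.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)

def is_bare_ip(name):
    """True when the 'domain' column is really a literal IP (no hostname used)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def in_service_set(domain, services):
    """Suffix match so sub.api.myip.com also hits."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in services)

def odd_tld(domain):
    """Right-most label is not a real TLD: an unresolvable probe or DGA-style name."""
    labels = domain.lower().split(".")
    return len(labels) >= 2 and labels[-1] not in KNOWN_TLDS

def triage(rows, allowed_resolvers=ALLOWED_RESOLVERS):
    """Return findings keyed by indicator type; each value is a sorted list."""
    f = {"ip_lookup": set(), "bare_ip_http": set(), "odd_tld": set(), "rogue_resolver": set()}
    for _country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if port == 53 and proto in ("udp", "tcp"):
            if str(ip) not in allowed_resolvers:
                f["rogue_resolver"].add(str(ip))
            if odd_tld(domain):
                f["odd_tld"].add(domain)
        elif port in (80, 8080) and is_bare_ip(domain):
            f["bare_ip_http"].add(dest)
        if in_service_set(domain, IP_LOOKUP_SERVICES):
            f["ip_lookup"].add(domain.lower())
    return {k: sorted(v) for k, v in f.items()}

def score(findings):
    """Crude severity: rogue resolver, bare-IP HTTP and odd TLDs outweigh IP lookups."""
    return (3 * len(findings["rogue_resolver"]) + 2 * len(findings["bare_ip_http"])
            + 2 * len(findings["odd_tld"]) + len(findings["ip_lookup"]))

if __name__ == "__main__":
    found = triage(ROWS)
    for kind, items in found.items():
        print(f"{kind:15s} {items}")
    print("score:", score(found))
```

The same four checks map onto proxy and DNS logs outside a sandbox: the IP-lookup domains are a cheap hunt query on their own, and DNS to anything but the corporate resolvers is worth an alert regardless of the query name.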
Files
C:\Users\Admin\AppData\Local\Temp\Emotions
| MD5 | 176b9a8eb5a7e3785f71c567867cf1cd |
| SHA1 | 9308f6a788600a5e12f046b80878e4efa53c7a00 |
| SHA256 | 3769af4676ec43ac7031e390f6dc255785b3a0185679d6eee3eb05c26f8fc931 |
| SHA512 | 4e313a3d9278f82ef0a180942484fc2224a3723fe17653696976d4b13d41e97d1dc81a3b86e2defea13e5e37c39400e503211e4dd795d6498661d4b9fa6465a2 |
C:\Users\Admin\AppData\Local\Temp\Participants
| MD5 | f0e725addf4ec15a56aa0bde5bd8b2a7 |
| SHA1 | 1f54a49195d3f7fd93c5fec06cc5904c57995147 |
| SHA256 | 7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca |
| SHA512 | 00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269 |
C:\Users\Admin\AppData\Local\Temp\Rick
| MD5 | e0d37e7b879f4b4e0dde5006da5009bd |
| SHA1 | 33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5 |
| SHA256 | 27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77 |
| SHA512 | 68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60 |
C:\Users\Admin\AppData\Local\Temp\Cry
| MD5 | 65d7a17dffbf3852a3c115c3ccac0430 |
| SHA1 | abe6099ef17b95ffe913b6f0942c125cb76a6337 |
| SHA256 | 32d25c105acfeeefceab4f6319640187c48141358b1fc66453195343a81cbd1c |
| SHA512 | 9da8e6847e5c66300c28da9227710c93c9b83497c3fe190fc8f2841bfd7232148117d4e58b5b3f9a375857f53dc69067b8e414311514bf33b1b3b1500bbf3244 |
C:\Users\Admin\AppData\Local\Temp\Analyses
| MD5 | cf8638dc0454e04d2db4e8e515f332f8 |
| SHA1 | 89b0fbbeebc1c69b43bc2c9c8a767c692d403531 |
| SHA256 | d45e461c3bf797e0986f88dfeec99a7266b2ed0ac526cbc5e9c60c0754e1c98d |
| SHA512 | 84313e8541044efe904dcb5be0ac436dc050e7282874975a405869634ddcf53d3f0d2f37edc91254d12754c906af207b2e27a48289f9481308b9efc438b5c515 |
C:\Users\Admin\AppData\Local\Temp\Discs
| MD5 | 837271f2daebb75b19ccf82908e66c74 |
| SHA1 | 91f2668bd1242e2214b326401faea65f1ad0c6d5 |
| SHA256 | e7f58b3426fc44e91e5f83ee9c85c0566bb74c9efee1a95bbc1a7534800adc68 |
| SHA512 | 168682ab967f6dfe9fd9e88f946e253b483dc39cce564b4e976c1e5c4d1463b17547d2d6c54c3f24973ca524f8181e8cc77babf49b1b7454522838fe12eb6a80 |
C:\Users\Admin\AppData\Local\Temp\Karaoke
| MD5 | e3b66b4ed3a4b2556eba40a1d6825ff5 |
| SHA1 | 666c0249df6d26ee365db6b419ccd9ab09da605f |
| SHA256 | 22d8e59e2bbb925961d2157b377c9c7377f7b0ce3ab479c63e6f0c60378ab506 |
| SHA512 | 31ad8fbeb0a46290fcf10b26fd9c34f8cd5a599da4d4558431c16c65a7fc83949710a52b12e6b89104395770a16b0d409b6e19b1f1ed5d4b7b2cd7af5ce7ea63 |
C:\Users\Admin\AppData\Local\Temp\Louisville
| MD5 | 7e197e556d6c8ea27fe3ecd22703374f |
| SHA1 | 6ac97052805ba243a9d0e46bcde9e175d7f7d041 |
| SHA256 | af5870dd58489c31691922c266d4b63260c58e2480fd23cf9ad1aee73ccefa55 |
| SHA512 | 6e9c7467c7e9bf3530e549aa4f8266d52d04de4a263576a1e1c3d4701fa911f1d89ad23e7c95896698f0708bdebf3028f4b47c11eaa2c1f66cc21a1e5ae3304a |
C:\Users\Admin\AppData\Local\Temp\Literary
| MD5 | 77583ac20b1d5f2dc69e3479dca57633 |
| SHA1 | e0b3d0e063012b7edad32ea29f12e73a52628bbc |
| SHA256 | 7e19c99333229a597798864e6a40ca4f261a6a5df5efa77946a94bc5203a42c1 |
| SHA512 | 236c0f7e843e728b5d0afd60e1d5a133bf29bcf6adf35a6b2493c9f3169e9d52d30e258a10f6fedfd1e0a06a8c9371690f9b230f0319fd0f856c7c637a63ee2c |
C:\Users\Admin\AppData\Local\Temp\Cat
| MD5 | a00f3584018d6f843c7847b0e6e9e1e7 |
| SHA1 | 843d7d07d731445770effd440e7ce82e384e54d7 |
| SHA256 | 6dfa7f0c8062c8f18647c528fe6925d0a6c0622f0e9be1984107c43dd84543a0 |
| SHA512 | f31a4c293ad95ebb22d2c7535409d8c1e5de1658db9f752465089f5a25b5e430d13400f2fe300489ae936ea77df56ad7995e576ef04137ac276ff6214dd0d22c |
C:\Users\Admin\AppData\Local\Temp\Duty
| MD5 | aeba4e35372e018312fc452961ae1b4b |
| SHA1 | 64a4731e00d6e230f96c9848484ffdac34a9503e |
| SHA256 | 9a504bb93766422f71511e34290251922f27fa990b721f35d904325fd07100b7 |
| SHA512 | 5734ca56cdc0b948845a1f27df1d945048e4793d4e66f157910c5d9116d11f50726a867861321a16cc917d621b3fc69caa85f1a9a83e2aeff0a0afd4d090facb |
C:\Users\Admin\AppData\Local\Temp\Closer
| MD5 | ac3f0aec1c46508a4126248ed4c5bfaa |
| SHA1 | 27848811669b59fa4bb59392d78e0ad5a57679a3 |
| SHA256 | c2aa764d2f3cb30c838ddda6e6cc1430405a1fd8f727be59ded6bc2af991054c |
| SHA512 | 8d501ce5671f64feec75b2e95ee2483965af1cf59b65265e5c76fc741fb1a0e00522726c150664a1f39ac14efa55ddd6f78539d4e0c1cdaaea1d85b612c94ce1 |
C:\Users\Admin\AppData\Local\Temp\Bloggers
| MD5 | 72bf0f4140a82305fd1be3b0bf16490c |
| SHA1 | 3a3f10c99328d1fd9cecacc043edcd59c491838f |
| SHA256 | 3975ff441f861bb7cdc721cc419639cd149c09397c556750d8d096ef5a4b7ca0 |
| SHA512 | fd62fb9f43423f10b19485210268679b3efb1c778ddeaa2367bb91ce291a07f8881900388e7d7beb6a7b369f03a518c8a9a0a23cbae0a1eb528d9784965b0514 |
C:\Users\Admin\AppData\Local\Temp\Guinea
| MD5 | 077cb0f1a95b777ab3a18108e8c8f33e |
| SHA1 | 28e3124f7c6b155facb26e4ceb3820ce2cb7c8a5 |
| SHA256 | d7b94bfbff4782c2ae4c10598a019f859894486e6b38eb4d2df1a58891a36dd5 |
| SHA512 | ce2b4ab82f5e558a50fb28382cb32a7856899a83a05c2f7ccf5a2f1ce49ce3f768bef29da001d6ee08ce35aea574ad8101c3f89d4223dd718d04288d6086dc5d |
C:\Users\Admin\AppData\Local\Temp\Joyce
| MD5 | be207b4acdc615cb9e9fda47cb407103 |
| SHA1 | e0db032339f343b88c6726fc928288fb94066b74 |
| SHA256 | 426f568d01db6512e7e0fcdfce1f03fad0beacf3f235981d60a9aa8fa726f6b9 |
| SHA512 | 51b83a2ef394d973e5cae977e21599959b58100c7cf8d45f73c003b1691c3c5619d74eb09e1e46961f7de3ef34631cd50db43c31c633f31d9ed2f9cbbc7fa956 |
C:\Users\Admin\AppData\Local\Temp\Archived
| MD5 | 6da6992c075cfa769210afd7f431035c |
| SHA1 | 93ccf63e9bead7d6138f8d3b23becf63a400413e |
| SHA256 | 0c2d193e0b52f4706ab96b4c0cce156fcf1baeb1417c16af7e84894c822e6c77 |
| SHA512 | ece9ecf48397b5c7d5ae0ba1e60097541a6ac1dbf1d6f33f01f0b2b9640cf985a3e7bbea08e56484c323e1e3c912356e8d975d0db184d16d4209b05809bb0a51 |
C:\Users\Admin\AppData\Local\Temp\Complete
| MD5 | 07e7b5e4495ed6a1776c3517353fc2f3 |
| SHA1 | b3d86a4c8d722b0e307c1060f52f518c4e88a634 |
| SHA256 | 7514c1c24c8137681e991d56eae26feb3ed8e98e3aa94c7cacfc1009f3ea0776 |
| SHA512 | cc6984495a8680cb030adcf7162676355a1950698695952cc3347b90e89e2858b745e5903cea05bfa5e821007c30e626fc7d20f6e5455978780eb8da3f0bcc59 |
C:\Users\Admin\AppData\Local\Temp\Af
| MD5 | 154dadfcb2e53e70f4335459955ac8b4 |
| SHA1 | 3e4f796bdc8e88f65c93deb66496872ea9134c8e |
| SHA256 | 9098db9dd063b78ccaa0b4419cb69268e1faa30a7b1fafa25cb170c1cb41052d |
| SHA512 | 8c76df7b8fb2ce883f94a859e04015f4c2e0b22289fa531d7c4e7a1abb6e90073d29eeb39d4ec3219acd8af67aaae5aa1945797372e5874410b0a3ad998acbb8 |
C:\Users\Admin\AppData\Local\Temp\Precise
| MD5 | eecf81e1a1e4710851876a9c9d0c954e |
| SHA1 | 25cad3ae6628549841e1ebb213636297a9c9cd7e |
| SHA256 | 640e368eaab42d3b729dd4169b0c4c0fe48914da6d84a4d382096560c0b57450 |
| SHA512 | 432a017c9c15c54fb3d40cc94ac26f18412751b1f1374d0d8c4dd2f41edd1ffcbcab35bdd03a1be782c8598fceb2aed72c85acefc43c088ebf0a5fb2cc358ee5 |
C:\Users\Admin\AppData\Local\Temp\Valve
| MD5 | caa040d38a6ceea5a84cb145f9f6d266 |
| SHA1 | c3f8ec1e479f5bb243474332711a2fc9ba2a6fe7 |
| SHA256 | a0a90920b7e76c874101d686ea8248b77771bed34f80fb8fbb9b2dafaf108a44 |
| SHA512 | d62781b92acfc67b23117d11d58696c8f641f3d54ce0eeccc2e167945704edfa06b04471f3a1d54bcb5cd55f62b10ca1e4a147ddd318f67703e709b886612d9e |
C:\Users\Admin\AppData\Local\Temp\Pe
| MD5 | 4c2d380c8787b61b246c34b8f0d03411 |
| SHA1 | 3e1a9294e03118434d20422ae9069a0b263706e7 |
| SHA256 | 7c7890d5aef212b91e58e4bed2b0fd4eb7236d1245d1692132060d3c8a0476ee |
| SHA512 | 9c1a85ad2cb889881b8a12a3e6954be4b189a4da52131accde081b1d76e9ab40477a100b92a426b89ba2d54da798b4db9ce672507e938862dae2ebd93c3bbcc9 |
C:\Users\Admin\AppData\Local\Temp\Disabled
| MD5 | e85f8d36e333475932c9aec51ccc6447 |
| SHA1 | 9461354c1adbce519cd3008b410b8a98b160e867 |
| SHA256 | 3d8e90062bbafa36304af6c5625af0fc0c2ddd4bed44b286c6992bf6b0b6053a |
| SHA512 | cd098c26e975eb3067eb8060c7fc33428d581c4fafa7d40cc4d4ed914d4682f36f8dc772b6c7e70fbe4d67f1fd924860b999d379574c803324ce29838b3e5714 |
C:\Users\Admin\AppData\Local\Temp\Mx
| MD5 | 0afaf2b8f17dc851db0ea48813bca372 |
| SHA1 | e4a21efe4db9ccffb54fe86042c5a5931b845da8 |
| SHA256 | 0f411d161705a1cdd7cd0d9a9b344bb5f8f101a5c816581e65e2b547b1df178a |
| SHA512 | b1447fc8e88463c3c175e1b3ca8b2caa2689d4519569c12c2d05ff3f08644cc20acafe99df93ce7c90921815306cb30a94cbd57e1c9f55e0dda1565e9e7219f8 |
C:\Users\Admin\AppData\Local\Temp\Stem
| MD5 | 357266acb5102b7db46a6acfbdc68472 |
| SHA1 | ae894024e1181e842207b360e9eb34abb2b18e4d |
| SHA256 | dcc12a54080adc7f95797e7d9e2309f44f4659b47579900ea39c93c249b6fa37 |
| SHA512 | b18dc6fe85315a71ee43f340cf2b47b797910f30a6d7849c1cf3808361b5006352c0bde7fdb4899525f09ba5668a6a07778b4624260fa43ed1e50b2d3e151cbd |
C:\Users\Admin\AppData\Local\Temp\Ejaculation
| MD5 | 5fddf876c0e37604ffd50ef89f0227e1 |
| SHA1 | d7455a9bb1d8d2ef07b0c84de5c2610b173ab801 |
| SHA256 | b452fa697df40e8f1a354492cf811a3f68493d6fca3ce4facb9ebfcb21fdbdcf |
| SHA512 | a692dda5a5250a4e5e2d6d41e740652cb58831f7987f72889aeb4eaa0cba31db832b0a857da95b4b2c676c55a796bdcde9c407e29173b6aa80cc6ae45d2667b4 |
C:\Users\Admin\AppData\Local\Temp\S
| MD5 | d3672d40e34a99fdbb77e03415fdde0a |
| SHA1 | f28a310bfb320cece9976462f818ea1dbc804073 |
| SHA256 | 4cf3c8a01c1647d5957dace309efea82da3ac54b704f7edc398082b53071b7a8 |
| SHA512 | 0a4a96df1a5cc4628300fb5820b13abb4d29edcda15e400db5879ac94971170a8eecd28a87315b0a6abe024b528aa02f6732c37bbf8dc308e335b99627fc62af |
C:\Users\Admin\AppData\Local\Temp\Belt
| MD5 | ad6415a5da7c14dd6aaeba77185d4036 |
| SHA1 | 9d41a8c15656e9b9b90b2e81d17ad33a57d19d47 |
| SHA256 | 55c5b2679371cdc57befa0a6802af044f38d0e92a1942e394e6279f871ced2cb |
| SHA512 | 1626128528c9d7cc986697504b70a4130fac357010ab94316230dbe1c52f7bd22d36031bbf2e5a27ce21439fba93aba345fa2f00fada04c26dca5baa534e4513 |
C:\Users\Admin\AppData\Local\Temp\Mason
| MD5 | 820066477d710e173616b3a00e5edb59 |
| SHA1 | 2418926bc8e6da40abd0c9946e1ff0260ece4605 |
| SHA256 | da39c3263a54293819c81306a8a2ecf79b3451cb684bc10cc84f0f0747e63dab |
| SHA512 | f1103ab07c455085e7a3bf0ce343b404ace54f66aa4465953dd9731bb127a469ed8c146b7cba3a5f5825d347b3d6f9efff5cae2fe151e3db863894ce35de58d8 |
C:\Users\Admin\AppData\Local\Temp\Oval
| MD5 | 7565469bfdddc142192f30b401869f92 |
| SHA1 | 0ad1a321f89708625c4ba6f6837bb4a17821d6aa |
| SHA256 | f0ba3f5cf601f6192d9a5e578c0806acdc3cdf51aa8a1e781ddc09f74e75861a |
| SHA512 | 89f53f4c734122ca91dfe903a6a26700d6288ecc077f6c90ecbcdc989f256175da0756454331c95c92a6424f5e53d99b40821577a269667ad2eed045bf2a5265 |
C:\Users\Admin\AppData\Local\Temp\High
| MD5 | aecbe9e1ff8bdf70fadfdef6096ceef5 |
| SHA1 | 0e718c7007043e2872fa84cb07758e6abdb8526d |
| SHA256 | 826784cf2e35faf75b7ae647b7bc70d2f6e9103adca586b7e368575b342309fb |
| SHA512 | e7cbe981aca209ee3a259b24623a5360f07e0a304faeefac23d41c92e823f5ac1a2dc8213201e51da6b9c4ad3c1e0d1030b38969eb287c201d53ce854ca70e9c |
C:\Users\Admin\AppData\Local\Temp\Fda
| MD5 | cce1292aea0d2b6e41467a677053bb06 |
| SHA1 | 1e6b4f4d0650c0bd187c140bfbaad573059b1496 |
| SHA256 | 5eee75f8d08e77312b9094516d2bf2af555d11f6e3e50475383dc7348767d27d |
| SHA512 | 58c83ecbd8453e27aa5e831a54861b7ba3e4f4b1750cfc4e99c073ee743d9a75e3590f7b80df6469e2efa45bc2c9d7bac0d4980327dcf80f402b8cd53d3f1023 |
C:\Users\Admin\AppData\Local\Temp\Powerseller
| MD5 | c109153fcddc0aff6ef2b02be3c31ed4 |
| SHA1 | d7209f9d74ccb669e18d7445a2b254d4f599b33e |
| SHA256 | d4eb937c1e578d8f682050a869869c4e3d543780b0058c006db9d392c67b684d |
| SHA512 | eaf2054dc9475ebdffa942a6b0466125ff1b459499c14586a96e3e6b26d0b1b532bfa6a1f75a4eaa3f4ce4f99383b6e1b7cc4d71ab3290148b99c88b4633d8d4 |
C:\Users\Admin\AppData\Local\Temp\Raising
| MD5 | 490098bf9cb4dc370dd34d70fcc50c87 |
| SHA1 | 209e000dd68e75bf04d496f99ad28cef604c18a0 |
| SHA256 | 9c6e9724325a670c078ec32f2a29fbe93ebfc1a772b88946bebc896b37f3ce95 |
| SHA512 | 2061b3596038f7274007fa9990530f15b2602980269eafb56ae81f3fa284c5bebd880690eeadca6c71597ee0d00bc04bee76659d58862893ea300615166eae8f |
C:\Users\Admin\AppData\Local\Temp\Starring
| MD5 | 4ffe89ba3278f7f8165034fedce952fc |
| SHA1 | 8fd2e51472a5c574b29e5f69c89a1b281f37bc2e |
| SHA256 | cad7ee17918c24ecc85d5c9a8ce749f6a784f682857ac64fc90c6a847950afdb |
| SHA512 | 5164b75c125f77c9ad1691ae4294424e0e26db287ee94f8cab3eec89b420b214530e8280c8328fb2e11ff1ef0d8248b0492d6b58df5c708062fc074a66b4b69a |
C:\Users\Admin\AppData\Local\Temp\Puerto
| MD5 | 1a9c8241ea6718a1f791b7d0c90918b8 |
| SHA1 | 59c2d89b7203cd6532f00c7d1dadbe9c5cf50936 |
| SHA256 | 065fb7019c84b4fd9796e86f408288b0429456b41e45cb71117f83c3c4c5391b |
| SHA512 | b286012207a0ea3d0bce682c596be830bba2f90915b16edd01577996ac5ca75e7d40b2e330e90f8c4694487cf9be827eb9bc683b6ece0b69a4302b90d60686b7 |
C:\Users\Admin\AppData\Local\Temp\Confirmation
| MD5 | ed63b261ac5ec4c2fd428b585fc6a633 |
| SHA1 | a19080d710bc9c00601f6e9ccf57d3841f5949f3 |
| SHA256 | e8d114d045c7ec424dacfba4076471cc2c3f83036d1ff99b63304759ec91b443 |
| SHA512 | 78b691d4344e1405a904bb3220e84752954296f3bf03047e6d036929720bb82416ac6c917578ad56d68dd5b2975fa55888d8e160c217d3723244ea416b9fba06 |
C:\Users\Admin\AppData\Local\Temp\Individually
| MD5 | fef95b3ff12d1821b8965f5d8dd11068 |
| SHA1 | 8e7a148a2b037f27c8ffb3bc709002c606c133cf |
| SHA256 | 5becbf1a2f5d0c0bdb752b9a3f6b5a949fafab35ad30c514a44a8b888901a21b |
| SHA512 | ae440f5b19eb3b23ef3afc51d39e1a282b1153aa88e00c068c105a8ef094da28f8d69dffbc463654315d623ca216faac6fbad3e3cebc566d8e85fa645f76ff91 |
C:\Users\Admin\AppData\Local\Temp\Org
| MD5 | 1962ec05ef55e0fb56ccee36f4019785 |
| SHA1 | 7ddd023a2ab5e19c54714244344344cda084d794 |
| SHA256 | fa10d4522d9130a5002999ccfdbe96b71c5b0b28daf488046cafc9c262a59e73 |
| SHA512 | 5f35145c28aaa05bb66345d1e22fb635925a6ce31b64738fa48d0170e4ec261d30b39b62eb389b727c0fb40f24a869e7ded34d66d738c829ea1caf12a9cc9adc |
C:\Users\Admin\AppData\Local\Temp\Teachers
| MD5 | 7f0d542e9fee29f25f122fcbd0ec515e |
| SHA1 | e04026a484006dbcd5939cd6b9b836280bad00aa |
| SHA256 | 8b149afed6517eb2a8561d0f73189b3e67490dc4c755d5789178c34b1ec0c723 |
| SHA512 | 9ea5c08412eb689ce7958987b9d04471a3434279ee21305aeaf1809e94ca52f50d5a621077ed7d9a35224ab877c68bb710be91a7198f485ea2bbf21afe46c72a |
\Users\Admin\AppData\Local\Temp\807188\Segment.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\807188\Q
| MD5 | aee44d3760cc23691b96247814be7157 |
| SHA1 | 586222219b28f7a9ebe5d492776e905fe7b97f05 |
| SHA256 | 0aa8148123108e52de933b235562827fe62b883ae7fd1afaa009e85a2081716e |
| SHA512 | 20ec5dea80a26db6f0e13cad27cb65f46dc6536a1a4c3b0de976ebd06505a330a154c10870d78bb93d375dbb1238044470c2786eeca5abe47dc2f1e4efcb6a10 |
memory/572-89-0x0000000000710000-0x00000000008F1000-memory.dmp
memory/572-90-0x0000000000710000-0x00000000008F1000-memory.dmp
memory/572-92-0x0000000000710000-0x00000000008F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-10 08:55
Reported
2024-09-10 09:02
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
264s
Signatures
Amadey
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 141.98.234.31 | N/A | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9fa356fdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b9fa356fdf.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\794bbdaba1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\794bbdaba1.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
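The three Run values above, together with the PowerExpertNNT.lnk written to the Startup folder and the svoutse.job file created under C:\Windows\Tasks later in this analysis, are the persistence footprint of this detonation. Two of the Run values point at binaries with ten-hex-digit names inside AppData\Local\Temp, which is the strongest signal here; the third lives in a vendor-style folder under AppData\Local, where legitimate per-user applications also install. The Python below is an added example, not part of the report: it parses a .reg-format export of the Run key (constructed from the values above), merges the non-registry autostart artifacts, and scores each entry with location and naming heuristics. The export text and the weights are the editor's construction.

```python
"""Added autorun triage for the persistence artifacts this detonation reports
(not part of the report). RUN_KEY_EXPORT is a .reg rendering constructed from
the Run values above; EXTRA_AUTOSTARTS models the Startup-folder shortcut and
the C:\\Windows\\Tasks\\svoutse.job file reported in this analysis."""
import re

RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b9fa356fdf.exe"="C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b9fa356fdf.exe"
"ExtreamFanV6"="C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"
"794bbdaba1.exe"="C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\794bbdaba1.exe"
'''

# (source, display name, path) for the non-registry autostart locations.
EXTRA_AUTOSTARTS = [
    ("startup_folder", "PowerExpertNNT.lnk",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk"),
    ("legacy_job", "svoutse.job", r"C:\Windows\Tasks\svoutse.job"),
]

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')
_HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.exe$", re.I)

def parse_reg_run_values(reg_text):
    """Return (value name, unescaped path) for each string value in a .reg export."""
    out = []
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            out.append((m.group("name"), m.group("value").replace("\\\\", "\\")))
    return out

def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]

def score_entry(source, name, path):
    """Apply location and naming heuristics; weights are the editor's choice."""
    reasons, s = [], 0
    low = path.lower()
    if _HEX_NAME.match(basename(path)):
        reasons.append("hex-named-binary")
        s += 3
    if "\\appdata\\local\\temp\\" in low:
        reasons.append("temp-directory")
        s += 2
    elif "\\appdata\\" in low:
        reasons.append("user-profile-directory")
        s += 1
    if source == "startup_folder":
        reasons.append("startup-folder")
        s += 2
    elif source == "legacy_job":
        reasons.append("legacy-job-file")
        s += 2
    return {"source": source, "name": name, "path": path, "score": s, "reasons": reasons}

def triage_autoruns(reg_text, extras):
    """Score every Run value plus the extra autostart artifacts, highest first."""
    entries = [score_entry("run_key", n, p) for n, p in parse_reg_run_values(reg_text)]
    entries += [score_entry(src, n, p) for src, n, p in extras]
    return sorted(entries, key=lambda e: -e["score"])

if __name__ == "__main__":
    for e in triage_autoruns(RUN_KEY_EXPORT, EXTRA_AUTOSTARTS):
        print(f'{e["score"]:2d} {e["source"]:14s} {e["name"]:20s} {", ".join(e["reasons"])}')
```

On a live host the same functions run over `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` output and a directory listing of the Startup folder and C:\Windows\Tasks; entries scoring 5 go to the top, and the ExtreamFanV6 style entry still deserves a signature and hash check even though the location alone only scores 1.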
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\RegionAnt | C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe | N/A |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| File opened for modification | C:\Windows\SuggestUsc | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\ReducesWarranty | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\MakeupSocieties | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\DoingReleased | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\TerritoriesFundraising | C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe | N/A |
| File opened for modification | C:\Windows\HackPhotography | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| File opened for modification | C:\Windows\SplitCareer | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminKFIJJEGHDA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminBFBGDGIDBA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 807188
C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomCompositionInjection" Participants
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Cry + ..\Analyses + ..\Discs + ..\Karaoke + ..\Louisville + ..\Literary + ..\Cat + ..\Duty + ..\Closer + ..\Bloggers + ..\Guinea + ..\Joyce + ..\Archived + ..\Complete + ..\Af + ..\Precise + ..\Valve + ..\Pe + ..\Disabled + ..\Mx + ..\Stem + ..\Ejaculation + ..\S + ..\Belt + ..\Mason + ..\Oval + ..\High + ..\Fda + ..\Powerseller + ..\Raising + ..\Starring + ..\Puerto + ..\Confirmation + ..\Individually + ..\Org + ..\Teachers Q
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
Segment.pif Q
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe
C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe
C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe
C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe
C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe
C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe
C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe
C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe
C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe
C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe
C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe
C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe
C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe
C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe
C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe
C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe
C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe
C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe
C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe
C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe
C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp" /SL5="$90054,3079827,56832,C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Notice Notice.bat & Notice.bat
C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
"C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe
"C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe" -i
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe
"C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe"
C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFIJJEGHDA.exe"
C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe
"C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBFBGDGIDBA.exe"
C:\Users\AdminKFIJJEGHDA.exe
"C:\Users\AdminKFIJJEGHDA.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0xd8,0x104,0x100,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Users\AdminBFBGDGIDBA.exe
"C:\Users\AdminBFBGDGIDBA.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 760 -ip 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7398545601516268299,9868563646000204953,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RRTELIGS"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5008 -ip 5008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1296
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RRTELIGS"
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\KKKJEBAAEC.exe
"C:\ProgramData\KKKJEBAAEC.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\CAKFIJDHJE.exe
"C:\ProgramData\CAKFIJDHJE.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGDHDHJEBGHJ" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,5456278957942703644,12659214221136234904,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1324,2966804576113074497,1833929505312385125,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1332,16390132193021089751,11275990692438435406,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1332,7042273899255775909,11248769122096677587,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,15615559060124666936,3080197563232617526,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1332 /prefetch:3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718
C:\Windows\SysWOW64\cmd.exe
cmd /c md 639278
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\findstr.exe
findstr /V "alcoholweekskeepsmercedes" Cyber
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Was + ..\Ll + ..\Rx + ..\Pursuant + ..\Competitions z
C:\Users\Admin\AppData\Local\Temp\639278\Assumptions.pif
Assumptions.pif z
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff42f546f8,0x7fff42f54708,0x7fff42f54718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
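Most of the process list above is ordinary Edge multi-process noise (renderer, gpu-process, crashpad-handler, NetworkService children). The lines worth a responder's attention are the ones that match the signatures in the summary: `powercfg /x ... 0` disabling standby and hibernation, `sc delete`/`sc create`/`sc start` installing the `RRTELIGS` service from `C:\ProgramData`, `sc stop eventlog`, `schtasks /create` for `service123.exe`, `tasklist` piped into `findstr` for AV process names, `copy /b` stitching a payload together before `Assumptions.pif` runs it, argument-less `RegAsm.exe` (a common host for the SetThreadContext/WriteProcessMemory injection flagged above), and Edge launched in `--kiosk` mode directly on the Google password-change page. The following is an added example, not code from the sandbox vendor or from this report: a small regex rule set that walks (image path, command line) pairs and tags those behaviours. The rule names, the ATT&CK mapping and the regexes are this example's own choices; the sample pairs are copied from the list above (the Edge renderer line is shortened).

```python
"""Rule-based triage of sandbox process command lines.

Added example, not part of the sandbox report: walks (image path, command line)
pairs and tags behaviours a responder would look at first. Rule names, regexes
and ATT&CK mapping are this example's own choices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str        # MITRE ATT&CK technique ID; "" where no clean mapping exists
    pattern: re.Pattern


RULES = [
    Rule("service created with sc.exe", "T1543.003",
         re.compile(r'\bsc(?:\.exe)?\s+create\s', re.I)),
    Rule("Windows event log service stopped", "T1562.002",
         re.compile(r'\bsc(?:\.exe)?\s+stop\s+"?eventlog"?\b', re.I)),
    Rule("sleep/hibernate timeouts set to 0 (host kept awake)", "T1653",
         re.compile(r'\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b', re.I)),
    Rule("scheduled task created", "T1053.005",
         re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\s', re.I)),
    Rule("process list enumerated", "T1057",
         re.compile(r'\btasklist(?:\.exe)?\b', re.I)),
    Rule("security products looked up by process name", "T1518.001",
         re.compile(r'\bfindstr\b.*\b(?:avastui|avgui|bdservicehost|nswscsvc|sophoshealth)\b', re.I)),
    Rule("payload reassembled from fragments with copy /b", "T1140",
         re.compile(r'\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+', re.I)),
    Rule("execution delayed with timeout/choice", "T1497.003",
         re.compile(r'\b(?:timeout\s+/t\s+\d+|choice\s+/d\s+\w\s+/t\s+\d+)', re.I)),
    Rule("dropped directory removed", "T1070.004",
         re.compile(r'\brd\s+/s\s+/q\s', re.I)),
    Rule(".pif started from a user-writable directory", "T1036",
         re.compile(r'\\(?:Temp|ProgramData|AppData)\\.*\.pif\b', re.I)),
    Rule("RegAsm.exe started with no arguments (common injection host)", "T1055",
         re.compile(r'\\RegAsm\.exe"?\s*$', re.I)),
    Rule("browser forced into kiosk mode on a Google sign-in page", "",
         re.compile(r'--kiosk\b.*--app=https://accounts\.google\.com/', re.I)),
]

SAMPLE = [  # (image path, command line) pairs copied from the process list; Edge renderer line shortened
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:1'),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe delete "RRTELIGS"'),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"'),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGDHDHJEBGHJ" & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", r"tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", r'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b ..\Was + ..\Ll + ..\Rx + ..\Pursuant + ..\Competitions z"),
    (r"C:\Users\Admin\AppData\Local\Temp\639278\Assumptions.pif", r"Assumptions.pif z"),
    (r"C:\Windows\SysWOW64\choice.exe", r"choice /d y /t 5"),
]


def triage(processes):
    """Return (path, cmdline, [rules hit]) for every pair that matches at least one rule."""
    hits = []
    for path, cmdline in processes:
        text = f"{path} | {cmdline}"          # rules may key on the image path or on its arguments
        matched = [rule for rule in RULES if rule.pattern.search(text)]
        if matched:
            hits.append((path, cmdline, matched))
    return hits


def technique_ids(processes):
    """Distinct ATT&CK technique IDs observed, sorted, for a report summary line."""
    return sorted({rule.attack_id for _, _, rules in triage(processes) for rule in rules if rule.attack_id})


if __name__ == "__main__":
    for path, cmdline, rules in triage(SAMPLE):
        print(f"{path}\n    {cmdline[:90]}")
        for rule in rules:
            print(f"    -> {rule.attack_id or 'n/a':<10} {rule.name}")
    print("techniques:", ", ".join(technique_ids(SAMPLE)))
```

Rules match on the image path and the command line together, so the `.pif` rule fires on `Assumptions.pif z` even though the argument string alone carries no directory, and the `RegAsm.exe` rule keys on the absence of arguments rather than on the binary name, which is legitimate on its own. The kiosk rule deliberately carries no ATT&CK ID: forcing the victim's browser onto the Google password page is the precondition for the browser-credential theft the summary flags, but there is no single technique that names it.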
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aSrgKXZxBg.aSrgKXZxBg | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 45.91.200.135:80 | 45.91.200.135 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 135.200.91.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.62.237.104.in-addr.arpa | udp |
| NL | 45.91.200.135:80 | 45.91.200.135 | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | file-link-iota.vercel.app | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| RU | 62.204.41.151:80 | 62.204.41.151 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| US | 8.8.8.8:53 | 240902180529931.tyr.zont16.com | udp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| CH | 179.43.188.227:80 | 240902180529931.tyr.zont16.com | tcp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:443 | file-link-iota.vercel.app | tcp |
| US | 8.8.8.8:53 | 104.44.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.115.113.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.21.76.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.188.43.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | youtransfer.net | udp |
| CA | 158.69.225.124:443 | youtransfer.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 45.91.200.135:80 | 45.91.200.135 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| DE | 77.105.164.24:50505 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
| US | 8.8.8.8:53 | 24.164.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.126.45.147.in-addr.arpa | udp |
| NL | 89.105.223.249:29986 | | tcp |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| US | 8.8.8.8:53 | 249.223.105.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.231.8.46.in-addr.arpa | udp |
| NL | 45.91.202.63:25415 | | tcp |
| US | 8.8.8.8:53 | 63.202.91.45.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tventyv20pn.top | udp |
| RU | 194.87.248.136:80 | tventyv20pn.top | tcp |
| US | 8.8.8.8:53 | 136.248.87.194.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ignoracndwko.shop | udp |
| US | 172.67.207.50:443 | ignoracndwko.shop | tcp |
| US | 8.8.8.8:53 | 50.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | preachstrwnwjw.shop | udp |
| US | 172.67.147.51:443 | preachstrwnwjw.shop | tcp |
| US | 8.8.8.8:53 | 84.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.147.67.172.in-addr.arpa | udp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
| US | 8.8.8.8:53 | complainnykso.shop | udp |
| US | 172.67.151.164:443 | complainnykso.shop | tcp |
| US | 8.8.8.8:53 | basedsymsotp.shop | udp |
| US | 172.67.221.198:443 | basedsymsotp.shop | tcp |
| US | 8.8.8.8:53 | 164.151.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 216.58.212.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | charistmatwio.shop | udp |
| GB | 216.58.212.238:443 | play.google.com | tcp |
| US | 172.67.193.197:443 | charistmatwio.shop | tcp |
| GB | 216.58.212.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 198.221.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.193.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | grassemenwji.shop | udp |
| US | 172.67.154.82:443 | grassemenwji.shop | tcp |
| US | 8.8.8.8:53 | 82.154.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stitchmiscpaew.shop | udp |
| US | 104.21.26.150:443 | stitchmiscpaew.shop | tcp |
| US | 8.8.8.8:53 | commisionipwn.shop | udp |
| US | 104.21.38.33:443 | commisionipwn.shop | tcp |
| US | 8.8.8.8:53 | 150.26.21.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 8.8.8.8:53 | 33.38.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 104.21.39.10:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 10.39.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| US | 172.67.207.50:443 | ignoracndwko.shop | tcp |
| US | 172.67.147.51:443 | preachstrwnwjw.shop | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gacan.zapto.org | udp |
| US | 172.67.151.164:443 | complainnykso.shop | tcp |
| US | 172.67.221.198:443 | basedsymsotp.shop | tcp |
| US | 172.67.193.197:443 | charistmatwio.shop | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 172.67.154.82:443 | grassemenwji.shop | tcp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
| US | 104.21.26.150:443 | stitchmiscpaew.shop | tcp |
| US | 104.21.38.33:443 | commisionipwn.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 104.21.39.10:443 | tenntysjuxmz.shop | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | eWEfoDGDuVljckZyMvxSQPAdL.eWEfoDGDuVljckZyMvxSQPAdL | udp |
| FI | 95.216.107.53:12311 | | tcp |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| GB | 216.58.212.238:443 | play.google.com | tcp |
| GB | 216.58.212.238:443 | play.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| RU | 62.204.41.151:80 | 62.204.41.151 | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| HK | 141.98.234.31:53 | erdrlfb.ua | udp |
| US | 8.8.8.8:53 | 31.234.98.141.in-addr.arpa | udp |
| CH | 185.196.8.214:80 | erdrlfb.ua | tcp |
| US | 8.8.8.8:53 | 214.8.196.185.in-addr.arpa | udp |
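The network table above and the dropped-file hash tables that follow are the two parts of this report a responder actually turns into blocklist entries, and both need cleaning first: the DNS rows to the sandbox resolver list the name queried rather than a peer, reverse lookups and mDNS are noise, some rows reach an IP by literal address with no hostname at all, and the sandbox export sometimes puts the protocol in the hostname column when no hostname is known. The script below is an added example, not code from the sandbox vendor or from this report. It assumes the sandbox resolver is 8.8.8.8, treats the three Google hosts as first-party noise from the browser-credential harvesting the signatures describe, and treats a raw IP:port with no hostname (especially on a non-web port) and a port-53 query sent anywhere other than the resolver as the indicators worth keeping. The sample rows are copied from the tables on this page; one row is kept in the shifted layout to exercise the normalisation.

```python
"""Extract blocklist-ready indicators from a sandbox report excerpt (added example)."""
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
RESOLVERS = {"8.8.8.8"}                                                # assumption: sandbox DNS
ALLOW = {"accounts.google.com", "play.google.com", "www.google.com"}  # assumption: first-party noise

NET_ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z/]+)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<c3>[^|]*?)\s*\|\s*(?P<c4>[^|]*?)\s*\|$"
)
HASH_ROW = re.compile(r"^\|\s*(?P<alg>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9a-fA-F]+)\s*\|$")
FILE_PATH = re.compile(r"^[A-Za-z]:\\")       # dropped-file entry; its hash rows follow
MEM_DUMP = re.compile(r"^memory/\d+-\d+-0x")  # process memory region; no hash rows follow


@dataclass
class Iocs:
    direct_ip: set = field(default_factory=set)       # "ip:port" reached with no hostname
    odd_ports: set = field(default_factory=set)       # direct_ip entries not on 80/443
    unexpected_dns: set = field(default_factory=set)  # port-53 traffic not to the sandbox resolver
    domains: dict = field(default_factory=dict)       # name -> {"ip:port", ...} it was reached on
    files: dict = field(default_factory=dict)         # path -> {"MD5": ..., "SHA256": ...}
    memory_dumps: set = field(default_factory=set)
    problems: list = field(default_factory=list)      # rows that failed validation


def _net_row(iocs: Iocs, m: re.Match) -> None:
    ip, port, c3, c4 = m["ip"], m["port"], m["c3"], m["c4"]
    # Export quirk: with no hostname the protocol sits in the hostname column and the
    # last column is empty. Accept both layouts.
    host = "" if c3 in ("tcp", "udp") and c4 == "" else c3
    endpoint = f"{ip}:{port}"
    if port == "53":
        # DNS query: the hostname column is the name looked up, not a peer
        if ip not in RESOLVERS:
            iocs.unexpected_dns.add(endpoint)
        if host and not host.endswith(".in-addr.arpa") and host not in ALLOW:
            iocs.domains.setdefault(host, set())
        return
    if ip.startswith("224.") or ip.startswith("239."):
        return                                          # multicast (mDNS) chatter
    if host in ("", ip):                                # connection by literal address
        iocs.direct_ip.add(endpoint)
        if port not in ("80", "443"):
            iocs.odd_ports.add(endpoint)
    elif host not in ALLOW:
        iocs.domains.setdefault(host, set()).add(endpoint)


def parse_report(text: str) -> Iocs:
    iocs, path = Iocs(), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NET_ROW.match(line)):
            _net_row(iocs, m)
            path = None
        elif (m := HASH_ROW.match(line)):
            alg, hx = m["alg"], m["hex"].lower()
            if path is None:
                iocs.problems.append(f"hash row with no file path: {line}")
            elif len(hx) != HASH_LEN[alg]:
                iocs.problems.append(f"{path}: {alg} is {len(hx)} hex chars, want {HASH_LEN[alg]}")
            else:
                iocs.files[path][alg] = hx
        elif FILE_PATH.match(line):
            path = line
            iocs.files.setdefault(path, {})
        else:
            path = None
            if MEM_DUMP.match(line):
                iocs.memory_dumps.add(line)
    return iocs


def blocklist(iocs: Iocs) -> dict:
    """Flatten into de-duplicated, sorted lists for a DNS sinkhole, firewall or EDR feed."""
    reached = {ep for eps in iocs.domains.values() for ep in eps}
    return {
        "domains": sorted(iocs.domains),
        "ip_ports": sorted(iocs.direct_ip | reached),
        "sha256": sorted(h["SHA256"] for h in iocs.files.values() if "SHA256" in h),
    }


# Rows copied from this report; the second row keeps the shifted no-hostname layout.
SAMPLE = r"""
| US | 8.8.8.8:53 | t.me | udp |
| DE | 77.105.164.24:50505 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
| US | 8.8.8.8:53 | 10.126.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ignoracndwko.shop | udp |
| US | 172.67.207.50:443 | ignoracndwko.shop | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| HK | 141.98.234.31:53 | erdrlfb.ua | udp |
| FI | 147.45.126.10:80 | 147.45.126.10 | tcp |
Files
C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe
| MD5 | f47cc7dc355ae01926f6065316c3bd68 |
| SHA1 | 6b575930185f216e4fa5116fdcc8906eb9f53af9 |
| SHA256 | 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794 |
memory/3752-86-0x0000000000BB0000-0x0000000000D91000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
"""

if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(blocklist(r))
    print("non-web ports:", sorted(r.odd_ports), "unexpected DNS:", sorted(r.unexpected_dns))
    print("problems:", r.problems)
```

Two design choices matter for this report. A domain that was only queried (a name with an empty endpoint set, like erdrlfb.ua here) is still kept, because a DNS-only indicator is exactly what the "Unexpected DNS network traffic destination" signature is pointing at. Hash length is validated rather than trusted, so a truncated or copy-damaged digest is reported in `problems` instead of silently becoming a blocklist entry that will never match.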
Files
C:\Users\Admin\AppData\Local\Temp\Emotions
| MD5 | 176b9a8eb5a7e3785f71c567867cf1cd |
| SHA1 | 9308f6a788600a5e12f046b80878e4efa53c7a00 |
| SHA256 | 3769af4676ec43ac7031e390f6dc255785b3a0185679d6eee3eb05c26f8fc931 |
| SHA512 | 4e313a3d9278f82ef0a180942484fc2224a3723fe17653696976d4b13d41e97d1dc81a3b86e2defea13e5e37c39400e503211e4dd795d6498661d4b9fa6465a2 |
C:\Users\Admin\AppData\Local\Temp\Participants
| MD5 | f0e725addf4ec15a56aa0bde5bd8b2a7 |
| SHA1 | 1f54a49195d3f7fd93c5fec06cc5904c57995147 |
| SHA256 | 7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca |
| SHA512 | 00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269 |
C:\Users\Admin\AppData\Local\Temp\Rick
| MD5 | e0d37e7b879f4b4e0dde5006da5009bd |
| SHA1 | 33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5 |
| SHA256 | 27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77 |
| SHA512 | 68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60 |
C:\Users\Admin\AppData\Local\Temp\Cry
| MD5 | 65d7a17dffbf3852a3c115c3ccac0430 |
| SHA1 | abe6099ef17b95ffe913b6f0942c125cb76a6337 |
| SHA256 | 32d25c105acfeeefceab4f6319640187c48141358b1fc66453195343a81cbd1c |
| SHA512 | 9da8e6847e5c66300c28da9227710c93c9b83497c3fe190fc8f2841bfd7232148117d4e58b5b3f9a375857f53dc69067b8e414311514bf33b1b3b1500bbf3244 |
C:\Users\Admin\AppData\Local\Temp\Analyses
| MD5 | cf8638dc0454e04d2db4e8e515f332f8 |
| SHA1 | 89b0fbbeebc1c69b43bc2c9c8a767c692d403531 |
| SHA256 | d45e461c3bf797e0986f88dfeec99a7266b2ed0ac526cbc5e9c60c0754e1c98d |
| SHA512 | 84313e8541044efe904dcb5be0ac436dc050e7282874975a405869634ddcf53d3f0d2f37edc91254d12754c906af207b2e27a48289f9481308b9efc438b5c515 |
C:\Users\Admin\AppData\Local\Temp\Discs
| MD5 | 837271f2daebb75b19ccf82908e66c74 |
| SHA1 | 91f2668bd1242e2214b326401faea65f1ad0c6d5 |
| SHA256 | e7f58b3426fc44e91e5f83ee9c85c0566bb74c9efee1a95bbc1a7534800adc68 |
| SHA512 | 168682ab967f6dfe9fd9e88f946e253b483dc39cce564b4e976c1e5c4d1463b17547d2d6c54c3f24973ca524f8181e8cc77babf49b1b7454522838fe12eb6a80 |
C:\Users\Admin\AppData\Local\Temp\Karaoke
| MD5 | e3b66b4ed3a4b2556eba40a1d6825ff5 |
| SHA1 | 666c0249df6d26ee365db6b419ccd9ab09da605f |
| SHA256 | 22d8e59e2bbb925961d2157b377c9c7377f7b0ce3ab479c63e6f0c60378ab506 |
| SHA512 | 31ad8fbeb0a46290fcf10b26fd9c34f8cd5a599da4d4558431c16c65a7fc83949710a52b12e6b89104395770a16b0d409b6e19b1f1ed5d4b7b2cd7af5ce7ea63 |
C:\Users\Admin\AppData\Local\Temp\Louisville
| MD5 | 7e197e556d6c8ea27fe3ecd22703374f |
| SHA1 | 6ac97052805ba243a9d0e46bcde9e175d7f7d041 |
| SHA256 | af5870dd58489c31691922c266d4b63260c58e2480fd23cf9ad1aee73ccefa55 |
| SHA512 | 6e9c7467c7e9bf3530e549aa4f8266d52d04de4a263576a1e1c3d4701fa911f1d89ad23e7c95896698f0708bdebf3028f4b47c11eaa2c1f66cc21a1e5ae3304a |
C:\Users\Admin\AppData\Local\Temp\Literary
| MD5 | 77583ac20b1d5f2dc69e3479dca57633 |
| SHA1 | e0b3d0e063012b7edad32ea29f12e73a52628bbc |
| SHA256 | 7e19c99333229a597798864e6a40ca4f261a6a5df5efa77946a94bc5203a42c1 |
| SHA512 | 236c0f7e843e728b5d0afd60e1d5a133bf29bcf6adf35a6b2493c9f3169e9d52d30e258a10f6fedfd1e0a06a8c9371690f9b230f0319fd0f856c7c637a63ee2c |
C:\Users\Admin\AppData\Local\Temp\Cat
| MD5 | a00f3584018d6f843c7847b0e6e9e1e7 |
| SHA1 | 843d7d07d731445770effd440e7ce82e384e54d7 |
| SHA256 | 6dfa7f0c8062c8f18647c528fe6925d0a6c0622f0e9be1984107c43dd84543a0 |
| SHA512 | f31a4c293ad95ebb22d2c7535409d8c1e5de1658db9f752465089f5a25b5e430d13400f2fe300489ae936ea77df56ad7995e576ef04137ac276ff6214dd0d22c |
C:\Users\Admin\AppData\Local\Temp\Duty
| MD5 | aeba4e35372e018312fc452961ae1b4b |
| SHA1 | 64a4731e00d6e230f96c9848484ffdac34a9503e |
| SHA256 | 9a504bb93766422f71511e34290251922f27fa990b721f35d904325fd07100b7 |
| SHA512 | 5734ca56cdc0b948845a1f27df1d945048e4793d4e66f157910c5d9116d11f50726a867861321a16cc917d621b3fc69caa85f1a9a83e2aeff0a0afd4d090facb |
C:\Users\Admin\AppData\Local\Temp\Closer
| MD5 | ac3f0aec1c46508a4126248ed4c5bfaa |
| SHA1 | 27848811669b59fa4bb59392d78e0ad5a57679a3 |
| SHA256 | c2aa764d2f3cb30c838ddda6e6cc1430405a1fd8f727be59ded6bc2af991054c |
| SHA512 | 8d501ce5671f64feec75b2e95ee2483965af1cf59b65265e5c76fc741fb1a0e00522726c150664a1f39ac14efa55ddd6f78539d4e0c1cdaaea1d85b612c94ce1 |
C:\Users\Admin\AppData\Local\Temp\Bloggers
| MD5 | 72bf0f4140a82305fd1be3b0bf16490c |
| SHA1 | 3a3f10c99328d1fd9cecacc043edcd59c491838f |
| SHA256 | 3975ff441f861bb7cdc721cc419639cd149c09397c556750d8d096ef5a4b7ca0 |
| SHA512 | fd62fb9f43423f10b19485210268679b3efb1c778ddeaa2367bb91ce291a07f8881900388e7d7beb6a7b369f03a518c8a9a0a23cbae0a1eb528d9784965b0514 |
C:\Users\Admin\AppData\Local\Temp\Guinea
| MD5 | 077cb0f1a95b777ab3a18108e8c8f33e |
| SHA1 | 28e3124f7c6b155facb26e4ceb3820ce2cb7c8a5 |
| SHA256 | d7b94bfbff4782c2ae4c10598a019f859894486e6b38eb4d2df1a58891a36dd5 |
| SHA512 | ce2b4ab82f5e558a50fb28382cb32a7856899a83a05c2f7ccf5a2f1ce49ce3f768bef29da001d6ee08ce35aea574ad8101c3f89d4223dd718d04288d6086dc5d |
C:\Users\Admin\AppData\Local\Temp\Joyce
| MD5 | be207b4acdc615cb9e9fda47cb407103 |
| SHA1 | e0db032339f343b88c6726fc928288fb94066b74 |
| SHA256 | 426f568d01db6512e7e0fcdfce1f03fad0beacf3f235981d60a9aa8fa726f6b9 |
| SHA512 | 51b83a2ef394d973e5cae977e21599959b58100c7cf8d45f73c003b1691c3c5619d74eb09e1e46961f7de3ef34631cd50db43c31c633f31d9ed2f9cbbc7fa956 |
C:\Users\Admin\AppData\Local\Temp\Disabled
| MD5 | e85f8d36e333475932c9aec51ccc6447 |
| SHA1 | 9461354c1adbce519cd3008b410b8a98b160e867 |
| SHA256 | 3d8e90062bbafa36304af6c5625af0fc0c2ddd4bed44b286c6992bf6b0b6053a |
| SHA512 | cd098c26e975eb3067eb8060c7fc33428d581c4fafa7d40cc4d4ed914d4682f36f8dc772b6c7e70fbe4d67f1fd924860b999d379574c803324ce29838b3e5714 |
C:\Users\Admin\AppData\Local\Temp\Mx
| MD5 | 0afaf2b8f17dc851db0ea48813bca372 |
| SHA1 | e4a21efe4db9ccffb54fe86042c5a5931b845da8 |
| SHA256 | 0f411d161705a1cdd7cd0d9a9b344bb5f8f101a5c816581e65e2b547b1df178a |
| SHA512 | b1447fc8e88463c3c175e1b3ca8b2caa2689d4519569c12c2d05ff3f08644cc20acafe99df93ce7c90921815306cb30a94cbd57e1c9f55e0dda1565e9e7219f8 |
C:\Users\Admin\AppData\Local\Temp\Pe
| MD5 | 4c2d380c8787b61b246c34b8f0d03411 |
| SHA1 | 3e1a9294e03118434d20422ae9069a0b263706e7 |
| SHA256 | 7c7890d5aef212b91e58e4bed2b0fd4eb7236d1245d1692132060d3c8a0476ee |
| SHA512 | 9c1a85ad2cb889881b8a12a3e6954be4b189a4da52131accde081b1d76e9ab40477a100b92a426b89ba2d54da798b4db9ce672507e938862dae2ebd93c3bbcc9 |
C:\Users\Admin\AppData\Local\Temp\Valve
| MD5 | caa040d38a6ceea5a84cb145f9f6d266 |
| SHA1 | c3f8ec1e479f5bb243474332711a2fc9ba2a6fe7 |
| SHA256 | a0a90920b7e76c874101d686ea8248b77771bed34f80fb8fbb9b2dafaf108a44 |
| SHA512 | d62781b92acfc67b23117d11d58696c8f641f3d54ce0eeccc2e167945704edfa06b04471f3a1d54bcb5cd55f62b10ca1e4a147ddd318f67703e709b886612d9e |
C:\Users\Admin\AppData\Local\Temp\Precise
| MD5 | eecf81e1a1e4710851876a9c9d0c954e |
| SHA1 | 25cad3ae6628549841e1ebb213636297a9c9cd7e |
| SHA256 | 640e368eaab42d3b729dd4169b0c4c0fe48914da6d84a4d382096560c0b57450 |
| SHA512 | 432a017c9c15c54fb3d40cc94ac26f18412751b1f1374d0d8c4dd2f41edd1ffcbcab35bdd03a1be782c8598fceb2aed72c85acefc43c088ebf0a5fb2cc358ee5 |
C:\Users\Admin\AppData\Local\Temp\Af
| MD5 | 154dadfcb2e53e70f4335459955ac8b4 |
| SHA1 | 3e4f796bdc8e88f65c93deb66496872ea9134c8e |
| SHA256 | 9098db9dd063b78ccaa0b4419cb69268e1faa30a7b1fafa25cb170c1cb41052d |
| SHA512 | 8c76df7b8fb2ce883f94a859e04015f4c2e0b22289fa531d7c4e7a1abb6e90073d29eeb39d4ec3219acd8af67aaae5aa1945797372e5874410b0a3ad998acbb8 |
C:\Users\Admin\AppData\Local\Temp\Complete
| MD5 | 07e7b5e4495ed6a1776c3517353fc2f3 |
| SHA1 | b3d86a4c8d722b0e307c1060f52f518c4e88a634 |
| SHA256 | 7514c1c24c8137681e991d56eae26feb3ed8e98e3aa94c7cacfc1009f3ea0776 |
| SHA512 | cc6984495a8680cb030adcf7162676355a1950698695952cc3347b90e89e2858b745e5903cea05bfa5e821007c30e626fc7d20f6e5455978780eb8da3f0bcc59 |
C:\Users\Admin\AppData\Local\Temp\Archived
| MD5 | 6da6992c075cfa769210afd7f431035c |
| SHA1 | 93ccf63e9bead7d6138f8d3b23becf63a400413e |
| SHA256 | 0c2d193e0b52f4706ab96b4c0cce156fcf1baeb1417c16af7e84894c822e6c77 |
| SHA512 | ece9ecf48397b5c7d5ae0ba1e60097541a6ac1dbf1d6f33f01f0b2b9640cf985a3e7bbea08e56484c323e1e3c912356e8d975d0db184d16d4209b05809bb0a51 |
C:\Users\Admin\AppData\Local\Temp\Stem
| MD5 | 357266acb5102b7db46a6acfbdc68472 |
| SHA1 | ae894024e1181e842207b360e9eb34abb2b18e4d |
| SHA256 | dcc12a54080adc7f95797e7d9e2309f44f4659b47579900ea39c93c249b6fa37 |
| SHA512 | b18dc6fe85315a71ee43f340cf2b47b797910f30a6d7849c1cf3808361b5006352c0bde7fdb4899525f09ba5668a6a07778b4624260fa43ed1e50b2d3e151cbd |
C:\Users\Admin\AppData\Local\Temp\Ejaculation
| MD5 | 5fddf876c0e37604ffd50ef89f0227e1 |
| SHA1 | d7455a9bb1d8d2ef07b0c84de5c2610b173ab801 |
| SHA256 | b452fa697df40e8f1a354492cf811a3f68493d6fca3ce4facb9ebfcb21fdbdcf |
| SHA512 | a692dda5a5250a4e5e2d6d41e740652cb58831f7987f72889aeb4eaa0cba31db832b0a857da95b4b2c676c55a796bdcde9c407e29173b6aa80cc6ae45d2667b4 |
C:\Users\Admin\AppData\Local\Temp\S
| MD5 | d3672d40e34a99fdbb77e03415fdde0a |
| SHA1 | f28a310bfb320cece9976462f818ea1dbc804073 |
| SHA256 | 4cf3c8a01c1647d5957dace309efea82da3ac54b704f7edc398082b53071b7a8 |
| SHA512 | 0a4a96df1a5cc4628300fb5820b13abb4d29edcda15e400db5879ac94971170a8eecd28a87315b0a6abe024b528aa02f6732c37bbf8dc308e335b99627fc62af |
C:\Users\Admin\AppData\Local\Temp\Belt
| MD5 | ad6415a5da7c14dd6aaeba77185d4036 |
| SHA1 | 9d41a8c15656e9b9b90b2e81d17ad33a57d19d47 |
| SHA256 | 55c5b2679371cdc57befa0a6802af044f38d0e92a1942e394e6279f871ced2cb |
| SHA512 | 1626128528c9d7cc986697504b70a4130fac357010ab94316230dbe1c52f7bd22d36031bbf2e5a27ce21439fba93aba345fa2f00fada04c26dca5baa534e4513 |
C:\Users\Admin\AppData\Local\Temp\Mason
| MD5 | 820066477d710e173616b3a00e5edb59 |
| SHA1 | 2418926bc8e6da40abd0c9946e1ff0260ece4605 |
| SHA256 | da39c3263a54293819c81306a8a2ecf79b3451cb684bc10cc84f0f0747e63dab |
| SHA512 | f1103ab07c455085e7a3bf0ce343b404ace54f66aa4465953dd9731bb127a469ed8c146b7cba3a5f5825d347b3d6f9efff5cae2fe151e3db863894ce35de58d8 |
C:\Users\Admin\AppData\Local\Temp\Oval
| MD5 | 7565469bfdddc142192f30b401869f92 |
| SHA1 | 0ad1a321f89708625c4ba6f6837bb4a17821d6aa |
| SHA256 | f0ba3f5cf601f6192d9a5e578c0806acdc3cdf51aa8a1e781ddc09f74e75861a |
| SHA512 | 89f53f4c734122ca91dfe903a6a26700d6288ecc077f6c90ecbcdc989f256175da0756454331c95c92a6424f5e53d99b40821577a269667ad2eed045bf2a5265 |
C:\Users\Admin\AppData\Local\Temp\High
| MD5 | aecbe9e1ff8bdf70fadfdef6096ceef5 |
| SHA1 | 0e718c7007043e2872fa84cb07758e6abdb8526d |
| SHA256 | 826784cf2e35faf75b7ae647b7bc70d2f6e9103adca586b7e368575b342309fb |
| SHA512 | e7cbe981aca209ee3a259b24623a5360f07e0a304faeefac23d41c92e823f5ac1a2dc8213201e51da6b9c4ad3c1e0d1030b38969eb287c201d53ce854ca70e9c |
C:\Users\Admin\AppData\Local\Temp\Fda
| MD5 | cce1292aea0d2b6e41467a677053bb06 |
| SHA1 | 1e6b4f4d0650c0bd187c140bfbaad573059b1496 |
| SHA256 | 5eee75f8d08e77312b9094516d2bf2af555d11f6e3e50475383dc7348767d27d |
| SHA512 | 58c83ecbd8453e27aa5e831a54861b7ba3e4f4b1750cfc4e99c073ee743d9a75e3590f7b80df6469e2efa45bc2c9d7bac0d4980327dcf80f402b8cd53d3f1023 |
C:\Users\Admin\AppData\Local\Temp\Powerseller
| MD5 | c109153fcddc0aff6ef2b02be3c31ed4 |
| SHA1 | d7209f9d74ccb669e18d7445a2b254d4f599b33e |
| SHA256 | d4eb937c1e578d8f682050a869869c4e3d543780b0058c006db9d392c67b684d |
| SHA512 | eaf2054dc9475ebdffa942a6b0466125ff1b459499c14586a96e3e6b26d0b1b532bfa6a1f75a4eaa3f4ce4f99383b6e1b7cc4d71ab3290148b99c88b4633d8d4 |
C:\Users\Admin\AppData\Local\Temp\Raising
| MD5 | 490098bf9cb4dc370dd34d70fcc50c87 |
| SHA1 | 209e000dd68e75bf04d496f99ad28cef604c18a0 |
| SHA256 | 9c6e9724325a670c078ec32f2a29fbe93ebfc1a772b88946bebc896b37f3ce95 |
| SHA512 | 2061b3596038f7274007fa9990530f15b2602980269eafb56ae81f3fa284c5bebd880690eeadca6c71597ee0d00bc04bee76659d58862893ea300615166eae8f |
C:\Users\Admin\AppData\Local\Temp\Starring
| MD5 | 4ffe89ba3278f7f8165034fedce952fc |
| SHA1 | 8fd2e51472a5c574b29e5f69c89a1b281f37bc2e |
| SHA256 | cad7ee17918c24ecc85d5c9a8ce749f6a784f682857ac64fc90c6a847950afdb |
| SHA512 | 5164b75c125f77c9ad1691ae4294424e0e26db287ee94f8cab3eec89b420b214530e8280c8328fb2e11ff1ef0d8248b0492d6b58df5c708062fc074a66b4b69a |
C:\Users\Admin\AppData\Local\Temp\Puerto
| MD5 | 1a9c8241ea6718a1f791b7d0c90918b8 |
| SHA1 | 59c2d89b7203cd6532f00c7d1dadbe9c5cf50936 |
| SHA256 | 065fb7019c84b4fd9796e86f408288b0429456b41e45cb71117f83c3c4c5391b |
| SHA512 | b286012207a0ea3d0bce682c596be830bba2f90915b16edd01577996ac5ca75e7d40b2e330e90f8c4694487cf9be827eb9bc683b6ece0b69a4302b90d60686b7 |
C:\Users\Admin\AppData\Local\Temp\Confirmation
| MD5 | ed63b261ac5ec4c2fd428b585fc6a633 |
| SHA1 | a19080d710bc9c00601f6e9ccf57d3841f5949f3 |
| SHA256 | e8d114d045c7ec424dacfba4076471cc2c3f83036d1ff99b63304759ec91b443 |
| SHA512 | 78b691d4344e1405a904bb3220e84752954296f3bf03047e6d036929720bb82416ac6c917578ad56d68dd5b2975fa55888d8e160c217d3723244ea416b9fba06 |
C:\Users\Admin\AppData\Local\Temp\Individually
| MD5 | fef95b3ff12d1821b8965f5d8dd11068 |
| SHA1 | 8e7a148a2b037f27c8ffb3bc709002c606c133cf |
| SHA256 | 5becbf1a2f5d0c0bdb752b9a3f6b5a949fafab35ad30c514a44a8b888901a21b |
| SHA512 | ae440f5b19eb3b23ef3afc51d39e1a282b1153aa88e00c068c105a8ef094da28f8d69dffbc463654315d623ca216faac6fbad3e3cebc566d8e85fa645f76ff91 |
C:\Users\Admin\AppData\Local\Temp\Org
| MD5 | 1962ec05ef55e0fb56ccee36f4019785 |
| SHA1 | 7ddd023a2ab5e19c54714244344344cda084d794 |
| SHA256 | fa10d4522d9130a5002999ccfdbe96b71c5b0b28daf488046cafc9c262a59e73 |
| SHA512 | 5f35145c28aaa05bb66345d1e22fb635925a6ce31b64738fa48d0170e4ec261d30b39b62eb389b727c0fb40f24a869e7ded34d66d738c829ea1caf12a9cc9adc |
C:\Users\Admin\AppData\Local\Temp\Teachers
| MD5 | 7f0d542e9fee29f25f122fcbd0ec515e |
| SHA1 | e04026a484006dbcd5939cd6b9b836280bad00aa |
| SHA256 | 8b149afed6517eb2a8561d0f73189b3e67490dc4c755d5789178c34b1ec0c723 |
| SHA512 | 9ea5c08412eb689ce7958987b9d04471a3434279ee21305aeaf1809e94ca52f50d5a621077ed7d9a35224ab877c68bb710be91a7198f485ea2bbf21afe46c72a |
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\807188\Q
| MD5 | aee44d3760cc23691b96247814be7157 |
| SHA1 | 586222219b28f7a9ebe5d492776e905fe7b97f05 |
| SHA256 | 0aa8148123108e52de933b235562827fe62b883ae7fd1afaa009e85a2081716e |
| SHA512 | 20ec5dea80a26db6f0e13cad27cb65f46dc6536a1a4c3b0de976ebd06505a330a154c10870d78bb93d375dbb1238044470c2786eeca5abe47dc2f1e4efcb6a10 |
memory/3752-86-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-87-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-89-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-93-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-96-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-102-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-101-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-100-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-99-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-98-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-95-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-94-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-91-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-97-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-92-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-90-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-106-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-111-0x0000000000BB0000-0x0000000000D91000-memory.dmp
C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe
| MD5 | 66f4c467d6f87afe16daafb012f27e76 |
| SHA1 | 5015e438c3413b43bd08051ecccefcb136f2080a |
| SHA256 | d3b79435a3f7f45d17f4e21bffeacea894eb97bf3cda0e362d3a5ae11c736de1 |
| SHA512 | b601880669b6b406e304622eb0b5158561f4f450a87a9e6525b9ae532c6546110088dd8a564037ce9710233cae6b5d2cf9790f8008a5477d8d5ccb3ae281c4b3 |
C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe
| MD5 | 2cb1c73af8654380163945a77f86896f |
| SHA1 | 22cbd618e82552811463acbaa949dbf7d607f866 |
| SHA256 | acfe88688eaabeca673714b9a3a4d7b5a2c7817440356c857cb868aea21e497d |
| SHA512 | 6c35d80e61bf783d1895c065ed9e7acbe10e718bf69c899272e1b188f2d70e89089043fe94e45530daeb6aa3a9585370f67658b0da4f5f7e312a09c0beb1a1ce |
C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe
| MD5 | fb715bbfab832a6a7b4e05fc94a74b88 |
| SHA1 | b2f10e8bcd6e86d52d2e40d45fa79801e45cc4bc |
| SHA256 | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377 |
| SHA512 | 448ff097de5c6bb92ed9fa4e09f303408729f14b7156bcf4fcb2d6fa8b5859aa04cbbaeb8791e9cbad6ab437cb5e86e582b715a07a13142215341a8ce8c3f9d5 |
C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe
| MD5 | b36f21ca653ea179246c98cda2373879 |
| SHA1 | e51277a723ca0cc7f48d8e99dbc471f42b57cb62 |
| SHA256 | ce083654b6506740c3a45c15e4fb24dcd05cd39e6509bdeeeedd330750a9511a |
| SHA512 | 9c4baec021ce15717366fa2e29af22b28673515e5e837b4a2441842d6eaa1fe4b29d2e9f24809a38b637e18f2ba43db7848708d0ad53552fe26dcd7daa107e80 |
C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe
| MD5 | 079d166295bafa2ab44902c8bf5ff2a5 |
| SHA1 | 46e728a035c3fd9618f823a5d0b525a9aa22e1c1 |
| SHA256 | dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8 |
| SHA512 | 949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b |
C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe
| MD5 | 84354d3c9965d9a0878596e347a34f39 |
| SHA1 | f8e6d9f00d72f6f023e8d793462b7bb90cc31583 |
| SHA256 | 4e20a0aa3d323c0a1aa676c7eb3656cdd34cb69da614b4dc8aa946f5bcb2be39 |
| SHA512 | 2356ba4867985b609e1727f2a4877649f6c1b415d089dcef22c695baa42d3051cb6fb799eb7056ca75301a1aba47e71354e5051868f5bda04a62932a3ef72ad3 |
C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe
| MD5 | 46a221059a8fae9bbbc96fdf1f794884 |
| SHA1 | 8917f7e3f471c5eaa6fb8a026236fd229b4e3af3 |
| SHA256 | 00c66edc8b41592e299f449a6b7a4e3ab949f7cca0c27bba9a279feacc6e5b6b |
| SHA512 | b6914b29eebed8592c3c8974969b127ad07a0b147126d0656959ff9175a7da5e989a0cf2fdd4883c777aa98f8cae7382cc2247676526f975390693ee5342aa3b |
C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe
| MD5 | 64034db3a0ce29dcb4cfb658ab805226 |
| SHA1 | d4f1cc6d18b4bebcbc89459583e45d5a0456151d |
| SHA256 | 61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d |
| SHA512 | 9b4fe8ba0d6f2e90c84ede2b37629e2a0cdef80007de95c6b34d86aba2aed655e75deea7d85140b9ea517577b489bdd8e7de88683ee8f62529cfabb640d2877f |
C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe
| MD5 | 751e3d161454b4c4aa4cf9ff902ebe1c |
| SHA1 | 25ea26e9037576f135a8f950ba47afe70195b2e9 |
| SHA256 | 7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144 |
| SHA512 | 3e474ea0b0511e8361d80fafc52f0f27f5c8659bc7a40dd31168ea79595c68ab0162295d0fea7b6af4746e4b48279644b93281c094d17c271afe4b4f44029435 |
C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe
| MD5 | db1fbaf680dc245b486db86fa852f655 |
| SHA1 | 355caa80363bc44607efcce4c64d3752a0edf286 |
| SHA256 | 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32 |
| SHA512 | ec923d035cd6d608315c7a7dbd3ffd66afea22dace6f0854e7e97346ca758f6344c32a6a7336e9fd1506207bdee1e408f4a328b7671c7d9248a64e8a56c2e840 |
C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
| MD5 | b5887a19fe50bfa32b524aaad0a453bc |
| SHA1 | cd1f3905959cd596c83730a5b03ceef4e9f2a877 |
| SHA256 | fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7 |
| SHA512 | 5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538 |
memory/3752-202-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-204-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/2396-230-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3752-226-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-224-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-222-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-220-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-218-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-216-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-214-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/3752-212-0x0000000000BB0000-0x0000000000D91000-memory.dmp
memory/1568-255-0x0000000000D20000-0x0000000000D92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp
| MD5 | a2b6b3a5c9cc4ef83680b4cf5fe14f2b |
| SHA1 | 3f64365e8f9d8f0451f343c629245349a4f9b849 |
| SHA256 | cb18e81b7bf4748beefc4fe5b2ec925417cafbfe89cc03ed1c47fd8ab2f95116 |
| SHA512 | 5ad7ba7f3b43770cb393fcbb07c3885228e05c4eeaf3da5ad6349c16262cc7b05588958533f6676f1a8b8ed76a60fadb2ddd6925f75f6484dbf174ff37d91dab |
memory/2796-258-0x0000000000140000-0x0000000000982000-memory.dmp
memory/4648-254-0x0000000000450000-0x000000000049A000-memory.dmp
memory/2420-251-0x00000000008F0000-0x0000000000DBF000-memory.dmp
memory/2796-260-0x00000000052E0000-0x000000000537C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-B8987.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2524-274-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2796-277-0x00000000054F0000-0x00000000056A0000-memory.dmp
memory/2524-272-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2524-269-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2796-278-0x0000000005C50000-0x00000000061F4000-memory.dmp
memory/4860-280-0x0000000000A30000-0x0000000000A84000-memory.dmp
memory/2796-281-0x00000000052B0000-0x00000000052D2000-memory.dmp
memory/2936-283-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2936-282-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4164-286-0x00000000000A0000-0x00000000000D8000-memory.dmp
memory/2416-293-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2440-291-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2936-284-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2584-279-0x00000000009F0000-0x0000000000A74000-memory.dmp
memory/2416-319-0x0000000005220000-0x00000000052B2000-memory.dmp
memory/2440-295-0x0000000000400000-0x0000000000643000-memory.dmp
C:\ProgramData\DH Diatonic Scale 9.10.45\DH Diatonic Scale 9.10.45.exe
| MD5 | 2d468d33d16327a87ab729707f85926e |
| SHA1 | 785db1860d17c1df0cd2e91ed1823cfece31ab71 |
| SHA256 | 3727014076c49533ef56ca04e8fa928a93e5d74a22444abd58b8f662e9629376 |
| SHA512 | c12a7577bdba93ec7ee75fb0eed11853191f495c06216df69bae238c13b2d2d9e620285cff6d42c72104a45e67c31cc9124d2ab8620c099faf377a901c16c21c |
memory/4936-323-0x00007FFF60B90000-0x00007FFF60B92000-memory.dmp
memory/2416-328-0x00000000051D0000-0x00000000051DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpA55E.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2420-356-0x00000000008F0000-0x0000000000DBF000-memory.dmp
memory/1568-355-0x000000001BC20000-0x000000001BC32000-memory.dmp
memory/1568-357-0x000000001DDE0000-0x000000001DE1C000-memory.dmp
memory/1568-354-0x000000001DEB0000-0x000000001DFBA000-memory.dmp
memory/2416-352-0x0000000005DE0000-0x0000000005E56000-memory.dmp
memory/4244-351-0x0000000000BC0000-0x000000000108F000-memory.dmp
memory/2416-358-0x00000000065B0000-0x00000000065CE000-memory.dmp
memory/4936-324-0x0000000140000000-0x00000001419FB000-memory.dmp
memory/2416-365-0x0000000006680000-0x0000000006692000-memory.dmp
memory/2416-367-0x0000000006850000-0x000000000689C000-memory.dmp
memory/2416-366-0x00000000066E0000-0x000000000671C000-memory.dmp
memory/2416-364-0x0000000006740000-0x000000000684A000-memory.dmp
memory/2416-363-0x0000000006BF0000-0x0000000007208000-memory.dmp
memory/2348-322-0x0000000000400000-0x000000000068F000-memory.dmp
memory/2348-320-0x0000000000400000-0x000000000068F000-memory.dmp
memory/2440-368-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2524-402-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2524-412-0x0000000000400000-0x0000000000657000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe
| MD5 | f47cc7dc355ae01926f6065316c3bd68 |
| SHA1 | 6b575930185f216e4fa5116fdcc8906eb9f53af9 |
| SHA256 | 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794 |
| SHA512 | cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e |
memory/1568-413-0x000000001E700000-0x000000001E776000-memory.dmp
memory/1568-428-0x000000001B9B0000-0x000000001B9CE000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1568-449-0x000000001F1E0000-0x000000001F3A2000-memory.dmp
memory/1568-458-0x000000001F8E0000-0x000000001FE08000-memory.dmp
memory/2524-466-0x0000000022710000-0x000000002296F000-memory.dmp
memory/2416-483-0x0000000006990000-0x00000000069F6000-memory.dmp
C:\ProgramData\CGDHDHJEBGHJ\JDBGHI
| MD5 | e228c51c082ab10d054c3ddc12f0d34c |
| SHA1 | 79b5574c9ce43d2195dcbfaf32015f473dfa4d2e |
| SHA256 | 02f65483e90802c728726ce1d16f2b405158f666c36e2c63090e27877ae4e309 |
| SHA512 | 233ca5e06591e1646edfadb84a31bdfc12632fb73c47240a2109020accfbd1e337371bcc3340eae7a1f04140bbdeb0b416ce2de00fa85671671bb5f6c04aa822 |
C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe
| MD5 | 38f98be80e6670f46efc8544d762cfd4 |
| SHA1 | fcad2e65d0977f0ab297049d5c9c32450b230d2a |
| SHA256 | fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996 |
| SHA512 | 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf |
C:\ProgramData\CGDHDHJEBGHJ\EHJKKK
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
memory/1540-550-0x0000000000930000-0x0000000000984000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminBFBGDGIDBA.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 610f1bc45de64295c38660516bb4e0a3 |
| SHA1 | eacfa919fbe112716663e98029c7840abe31cb0e |
| SHA256 | 56ceab522f6cffdcf5f465c1e641e8870a89498a0b3e16480a76d6fb51c5919c |
| SHA512 | dfc005d32faf63841380bcae7dbde9943862be3e327a8f5c91038b756d14fbb45b55c204a4a0d4a02c140bdc72ce81396ddf12d1a584529ce655ef77e84cc673 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 8bb6cb0cd26570e6340d9037e76cfbc1 |
| SHA1 | 8e894c56e0e40f0f5e86ed7186634157d5221202 |
| SHA256 | 8952d0c7c7ac10133b41a0cde764a0e213a5098f7f8ec67d4d218571b0821ddf |
| SHA512 | c67cda3e21ee556af7a9cf543345fe85659ce52bd4d14a112be5bab60a32659f17e6761bb8a5e0d48125f6c2619f3dc18257f7628332f4d28bf0e267db75a279 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\nss3[1].dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\f74e9847-ed1f-481f-88eb-66c13dae70d7.tmp
| MD5 | e001aa8fb8a965daa588d8a61c743013 |
| SHA1 | 952bca389ba2f3382e4197851745b9043740a773 |
| SHA256 | 29922f7e98dbd2e61c40a9a9004faabf591490c1f283ebba0db6caea4b6d0ee4 |
| SHA512 | 1a9479a631ab6eebf228a33958db4ed061e98bb9ac55238e83b0f32f45a3098c9e37d20c49d3839c1e514c67f58a5e901547c184a9ca080ebf8cd0901a30fc4e |
C:\ProgramData\CGDHDHJEBGHJ\FIJKEH
| MD5 | 94bbb7462484acfa9fc2107993b4eddd |
| SHA1 | 57d56dab69de80cc5ef794b3d6ef112ae207fd31 |
| SHA256 | bd82f4ad6922273d87d0c5871f8b2039bb6ade4fe4ec921467d1a425c00f610a |
| SHA512 | 64b415279d124e730e3a514e5970678a7bf5257a006afebd95d30c5fceede8a818ebed957efb8cc9b88e9e55271c23ebf537a3fdc0e8eade2b49ec8ac8242e87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk
| MD5 | ddef384bbc1d1f39973d0fea90cf664f |
| SHA1 | 06aae0ea45bf39f22b36c11ad87a08812cd893fd |
| SHA256 | 60c0b345b1af7eff99e43bc378d1d3579a007ba1951f590f1065d3a9f212c400 |
| SHA512 | 8652e1b523d34e136e2be453dfaa0d5da23e3458837a81f6a0f765a1ddd01ba4d9a87d05d7e8e3d6742c8fb0dbfdda3100a121e24e93616e5edd2df141a76bec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 94c8e05cab2408ea6f06a49a08166efd |
| SHA1 | f5e19d951df5ae2498ab632962b6f781084ade5c |
| SHA256 | 38486fde97fb3c598fd1dd53b6a56f345ec393ca367f3ef89701f8a3690edb04 |
| SHA512 | 1375a81f30de76dd5f0d79a3123686910611084842c12fef3f4e20a809125db001da2e711626c48848c0f733f54c87db6dfd2c01fe6b95bb9a253194675daa5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\2c3e8f2d-5333-43d5-96d3-65df8531bd4d.tmp
| MD5 | 36250ec2fca99e89e308ecc2ffacb806 |
| SHA1 | f37b886b7053282d9f4b62a39d8d9f8862134b4c |
| SHA256 | 930018b1ca5500780b5dd26827f5050cc553537f97be40d2d57f7949904750e1 |
| SHA512 | 5f6ac74a64bae833d55f0115976186f6c626bcfc50c9f6db6c6c771c49a6a5f70eae6d168f5cea0467da579767028ed4826ea9b3e44b8c65c18c420f612cec70 |
memory/2348-739-0x0000000000400000-0x000000000068F000-memory.dmp
memory/4244-742-0x0000000000BC0000-0x000000000108F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G40JFEW9\66df1689df956_l[1].exe
| MD5 | e318c6ab13d30b93d2d43bf5d2c31fe5 |
| SHA1 | 2096056b203ea938312af04ce137353eac6a03d3 |
| SHA256 | f43e034a2bee82ed71caf1f838be515abef3bd8bb562bdae3d5abb4f194c492d |
| SHA512 | bc0bfbdf77a6da47f67201f6a1f049072ff0bb1c289eccc739c07b49c4eafe3b9053d31671f08ffdb833ee469dfcab95374ed199267fab86f38e9db7d7fbce75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
| MD5 | cfaf8bab3d8f9fea161b9d3d69a8a31b |
| SHA1 | 3a33de44f24e28553c7823e8111733f960a5a336 |
| SHA256 | ff70c0d3c32977be292ed1cb764128534b1f20800e1d964e83222175286836b0 |
| SHA512 | 7bd04229ea0c5d29cdcbe3323d2ca9f63b097e5e6df7a4cb5a40fb11cb79bca18059a3299dedc56acc0657f9a82284e7e6f4a7e6f39c07c82de50d77a235be3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences
| MD5 | 1e0b22520a35aa1443a6a586f4b43d25 |
| SHA1 | c60453405a3c3af29b8fd4753c698eb60f03615c |
| SHA256 | b218a9363843a2dc67d00d1cc4eac6c8471c7389dcc9ec14e410de742f447b2c |
| SHA512 | 62a14ff66b3eac7df3133b5e1f1af614d4163fe7b521860770e8edfc32e223f335b9704f5cf13ff9a84e5e411cc3f6308634d4f6965887a55c6ea7936036d2a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences
| MD5 | 4118f1bfbc622ec4aa1d0f282a7b2110 |
| SHA1 | 201761c32ef7990f7588c9bf1dcff821648f9d63 |
| SHA256 | 6613e299e91478b3b6d2e2110b91c484da91ceb8ad3648d43fef47bebb2ed0bc |
| SHA512 | 7fb09f6109362675f0123ea552da59bd615277fa3fb77e381127e1770c31734f19849483e954dfcc21e7fd0a0bc5ae50af59f1762eb704ee341e3d820a3c76b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe59fcb5.TMP
| MD5 | ee99aedfed0e9439771bc5c1c2dbe00c |
| SHA1 | dbb39d6ef5a9b1275055a4f4fb49df582cd73c5e |
| SHA256 | 55f85d2c5df6973f90c5319bbaf758ec6883d2d4e3ae7478ea16278b979c8a28 |
| SHA512 | 0ca1d78484b6b71653ae460decdf26f1011bdddd9125532204c4cbe6e21e04c466d61e18d8c431f94980361208ebb222aa292bf986efc7254063ae1391cdab65 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
| MD5 | 9af15df14380de316920d8f88f4f8084 |
| SHA1 | dbcc1362ff51c2849d39f24d00cdb3f2c6c049b9 |
| SHA256 | 41a9c193ba345713c9522666c17479bc2eaf602feed92dcd3a83a1bc9306fdea |
| SHA512 | 88d395d3faaa1a004d16de5c41e28080a6717c6fd8dd1c17cfaa8ef67d8c7f23d12c89742f15381cdedf3d6c053eb7f498be3c73b591a7e3ae7998880bfe426a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\ProgramData\CBFBGCGIJKJJ\JKJECB
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\ProgramData\CBFBGCGIJKJJ\KJKKKJ
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\ProgramData\CBFBGCGIJKJJ\BAKKEG
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
memory/2416-953-0x0000000005490000-0x00000000054E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2HRIUAM0MFJOTNSPIN0W.temp
| MD5 | aa01c0ee2b1a6acc0a276373a6604af7 |
| SHA1 | 5e3c0318e19e63252a482151ed1509caae5a33f3 |
| SHA256 | 8f239349d545ff409d5c1ca8347cb4d4f92b2581e896bdaa729a582d73a00f9e |
| SHA512 | 825425aaebaa5bff339723770c17402f1dd069399112c8de83cf38e348898564c3bf22e3e962df1e14c70cc9d741ad8cb1748fb1b64a2014a4d8b30dd284410e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences
| MD5 | 97c95661da8e3c4c6531e4e775ce3489 |
| SHA1 | b84b46d26ca8735c1b6da5ffef8d505074789855 |
| SHA256 | 76118464d4861a4912e3b7c5955ddf762e87256ef3ebf2639c428c80910db1b0 |
| SHA512 | 8d7e0e97eaf60cd0363b54c1af68c88240e26b3e4613b4657680510b3cdee12380ff02339dcc9e1847ee974ddf7cddf7897b169c292ebc924c5b8e9eade63002 |
memory/2416-1029-0x0000000009320000-0x000000000984C000-memory.dmp
memory/2416-1028-0x0000000008C20000-0x0000000008DE2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | bcdfc7a3592479eb9854f8bc6e927561 |
| SHA1 | c0ec536d876cfb5141acb6f21e30865a605a0fd2 |
| SHA256 | 68fc5787d5678e5f406ef88af1196af2c706381556690689554461b225a1d8ea |
| SHA512 | daab83dddb2f11b085180bdae911a8ad209c1b8153891ceb48539702afdaf8099cbd1058792784282340f0c9873d116f66e8b4e52677d109caff9e1ed7485b3d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | e172b474518f0c94f7b0ca9f72e10aed |
| SHA1 | 06fb60fb8fd137edcd95650563d11fdc5aca5bfa |
| SHA256 | e5061776d73d9793885675ab7f2aea4db854882bc1236a356de68005c5f34fb2 |
| SHA512 | 401819ce8ce0c055b4360c67d461ec6e85c82e4d3275a6eb6d2082352fca59656d9bfb8d01014e8e4e9ada4aedf74918f6fda211bba498b75a5069cc9e1dbfa0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | a944a4960cd87ed05e6f615b469907d4 |
| SHA1 | 0f8476437cc3cea6fcbf7b4389ec062aaea95d13 |
| SHA256 | 5d72c864db27a815a37ecedd966633138a9ae0275b516573128cc74c60699c1e |
| SHA512 | 78d1684c486f7da0d14959364c99b9509211dc4ff472f5c7ea6b48b4dddac366d7f917cbddca141b65551ffcf4e90f446f1c14baafdba77d905eed07fec7a377 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 778c9ca06cadf7c71ee3ad85127a05d3 |
| SHA1 | ed031910e90d6371ac414c36b0018c536054a145 |
| SHA256 | dbdd5438f6d0fc5d14221eb90ebee8d294d5739bbb02a2d5f2e1fc981dddcfe9 |
| SHA512 | f538115a65ea9142a5716c719e915f5a656c6e4826fa074b88fbd6e86be0e2899ff25c0865f3faf24e0de454b486427c175c6a79d125b0d136f3fc9bb95ddfed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 17b4af859b2531dcba8263ec4f07d1bb |
| SHA1 | 4c5e9ed56eb1a2b07569bdd87bbc1540a2f6360e |
| SHA256 | 2eb1542f1ea9b358401e9a0a5fb2296a1d2efffe99e4ba1e8049f60998cfdfe3 |
| SHA512 | dda430adcb3991c13b56b4ed157d00f55f519170757f7dcce868b5c05d8e6a309ffe957f6d945c616c45d6910b6fbeefc7d7b2db00c7795ee94de6b2d60e0c92 |
memory/3368-1192-0x0000000000400000-0x0000000000480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | a588247943bdbd98678aad31cd2826c2 |
| SHA1 | 9502ad34b03e6c470bd01a94eee04a7cb8c4ffd9 |
| SHA256 | badb78f7d2b9fba35601a3860961b55df54850492a949b52187cb049036ca9fa |
| SHA512 | c23d44e832ba53eba7e5b75e50830dfdc39d05f7d180277edf7d2382a35a04fc2cd1793778cbb031693952f6e38383e3df9af36a760b4e4eaa932271dc46bd20 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
| MD5 | 2eeaadcb6482b9b8de4f3ed52cc5d20d |
| SHA1 | de7c7d65b3398852bcb4fa3103c2cae04d4829ea |
| SHA256 | d10122065101c04f015c1c280b59f05945f7715433db5ad7eaa2bb714feb2763 |
| SHA512 | e37172ab1714ac2cf8cbd9bf50fbe74fa0c0c20ca40ed6a0354cda8bf5b6eb6e02a28926b1291b47eaf325e119761d5998966d928640d4cccc92842b0bf8993e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences
| MD5 | 2286a7129f21feb7bb54b5cc4550d6ab |
| SHA1 | 62cdafd08dcb527634cc7a5d64ead5cb05d6b970 |
| SHA256 | dba3169bf251fae1db19251c87371f5af5ccaff265740d4814239b0294462834 |
| SHA512 | 241a048eab713c339a8b134fe94a6de7a4246110f3b28e4446e79d9d54aed46b6395f96794fd3e4c5cef35952f690d65bc9d9915743b6626a23e835fa4acc3e1 |
memory/3368-1240-0x0000000007F00000-0x0000000007F4C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\04af3c4a-d6e4-4a69-8567-b2604d332df4.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences
| MD5 | 35d5a6939e646089207eb441d911be1d |
| SHA1 | 9e332e64cd10bc686b7b5b7b7766fbeb86fcc317 |
| SHA256 | d8db9e00b4c04ee1ac754a03f9732830baba40be8a61d1dccf8315f078a8cc44 |
| SHA512 | 41e76c2e43615422df576e7819efd1ffec1e917d5fbf8a01779722b2cfa9b5a7cff4c57d5b47c7a429fc4f6562b180abe7c9629782fbd4466d05a015266c9dd9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences
| MD5 | d2ea458ab787e60ac5f01c33920872a6 |
| SHA1 | e5a55b3cfa4540589fa3083127ddec2c3faf4925 |
| SHA256 | 0db771b3fc78192cf633be72fbe5a553dbfb36afb65016a235db25833a49de49 |
| SHA512 | 17fb6e7deedb784541262e6487c4df1e7d1f7755ea2faf614417aed7cc4cdb3f61235ae2d25ba94ef09a9f906845532969f378b4947075beb25e0332094a8ddc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences
| MD5 | fedd054a77818b94c3294cee003f79b6 |
| SHA1 | de235980f95156a85b6032ebd2aba43044532723 |
| SHA256 | 0b642db1582f97bf0560e8b7b2aa456745c30ca34c30ee1e9c036a8ca42b007a |
| SHA512 | f5c4ff7da7dd9a0358e29a367d1c3d3ec002dcab075a954a0a3cddbae40c936a449081e99e2eac95b6329cf2e01bf936c3568d7f42d2e7ed1c8fc9c2b8692855 |