Malware Analysis Report

2024-10-23 21:52

Sample ID 240910-kvj1bsvhkj
Target File.zip
SHA256 d6db4b1243311484640d253149f19eff7196163e706884d4b5676f8c47309abc
Tags
discovery amadey lumma redline stealc vidar c7817d default logsdiller cloud (tg: @logsdillabot) credential_access evasion execution infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file File.zip was found to be: Known bad.

Malicious Activity Summary

RedLine

Vidar

RedLine payload

Detect Vidar Stealer

Lumma Stealer, LummaC

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Reads data files stored by FTP clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Unexpected DNS network traffic destination

Drops startup file

Power Settings

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 08:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 08:55

Reported

2024-09-10 09:17

Platform

win7-20240903-en

Max time kernel

837s

Max time network

840s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2044 set thread context of 572 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\HackPhotography C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\SuggestUsc C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\ReducesWarranty C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\MakeupSocieties C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\DoingReleased C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\SplitCareer C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 2732 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2044 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 807188

C:\Windows\SysWOW64\findstr.exe

findstr /V "MaskBathroomCompositionInjection" Participants

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Cry + ..\Analyses + ..\Discs + ..\Karaoke + ..\Louisville + ..\Literary + ..\Cat + ..\Duty + ..\Closer + ..\Bloggers + ..\Guinea + ..\Joyce + ..\Archived + ..\Complete + ..\Af + ..\Precise + ..\Valve + ..\Pe + ..\Disabled + ..\Mx + ..\Stem + ..\Ejaculation + ..\S + ..\Belt + ..\Mason + ..\Oval + ..\High + ..\Fda + ..\Powerseller + ..\Raising + ..\Starring + ..\Puerto + ..\Confirmation + ..\Individually + ..\Org + ..\Teachers Q

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

Segment.pif Q

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 aSrgKXZxBg.aSrgKXZxBg udp
DE 212.113.116.202:80 212.113.116.202 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 08:55

Reported

2024-09-10 09:02

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

264s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload


Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\AdminKFIJJEGHDA.exe N/A
N/A N/A C:\Users\AdminBFBGDGIDBA.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9fa356fdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b9fa356fdf.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\794bbdaba1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\794bbdaba1.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\RegionAnt C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe N/A
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
File opened for modification C:\Windows\SuggestUsc C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\ReducesWarranty C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\MakeupSocieties C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\DoingReleased C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\TerritoriesFundraising C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe N/A
File opened for modification C:\Windows\HackPhotography C:\Users\Admin\AppData\Local\Temp\File.exe N/A
File opened for modification C:\Windows\SplitCareer C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminKFIJJEGHDA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminBFBGDGIDBA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob data not reproduced in this report] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3320 wrote to memory of 3356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3320 wrote to memory of 3356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3320 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3320 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3320 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3320 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 3300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3320 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3320 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3320 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3320 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3320 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3320 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3648 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3648 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3648 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3648 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3648 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif
PID 3752 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe
PID 3752 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe
PID 3752 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe
PID 3752 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe
PID 3752 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe
PID 3752 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe
PID 3752 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe
PID 3752 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe
PID 3752 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe
PID 3752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe
PID 3752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe
PID 3752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe
PID 3752 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe
PID 3752 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe
PID 3752 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe
PID 3752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe
PID 3752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe
PID 3752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe
PID 3752 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
PID 3752 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
PID 3752 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe
PID 3752 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe
PID 3752 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe
PID 3752 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe
PID 3752 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe
PID 3752 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe
PID 3752 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe
PID 3752 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe
PID 3752 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 807188

C:\Windows\SysWOW64\findstr.exe

findstr /V "MaskBathroomCompositionInjection" Participants

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Cry + ..\Analyses + ..\Discs + ..\Karaoke + ..\Louisville + ..\Literary + ..\Cat + ..\Duty + ..\Closer + ..\Bloggers + ..\Guinea + ..\Joyce + ..\Archived + ..\Complete + ..\Af + ..\Precise + ..\Valve + ..\Pe + ..\Disabled + ..\Mx + ..\Stem + ..\Ejaculation + ..\S + ..\Belt + ..\Mason + ..\Oval + ..\High + ..\Fda + ..\Powerseller + ..\Raising + ..\Starring + ..\Puerto + ..\Confirmation + ..\Individually + ..\Org + ..\Teachers Q

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

Segment.pif Q

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe

C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe

C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe

C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe

C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe

C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe

C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe

C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe

C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe

C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe

C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe

C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe

C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe

C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe

C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe

C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe

C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe

C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe

C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe

C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe

C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe

C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe

C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp" /SL5="$90054,3079827,56832,C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Notice Notice.bat & Notice.bat

C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe

"C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe

"C:\Users\Admin\AppData\Local\JackPot Cam\jackpotcam.exe" -i

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe

"C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\794bbdaba1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFIJJEGHDA.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBFBGDGIDBA.exe"

C:\Users\AdminKFIJJEGHDA.exe

"C:\Users\AdminKFIJJEGHDA.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0xd8,0x104,0x100,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Users\AdminBFBGDGIDBA.exe

"C:\Users\AdminBFBGDGIDBA.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 760 -ip 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7398545601516268299,9868563646000204953,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "RRTELIGS"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1296

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "RRTELIGS"

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\ProgramData\KKKJEBAAEC.exe

"C:\ProgramData\KKKJEBAAEC.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\CAKFIJDHJE.exe

"C:\ProgramData\CAKFIJDHJE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGDHDHJEBGHJ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3186273219197891806,13832714907488968864,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,5456278957942703644,12659214221136234904,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1324,2966804576113074497,1833929505312385125,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1332,16390132193021089751,11275990692438435406,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1332,7042273899255775909,11248769122096677587,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,15615559060124666936,3080197563232617526,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1332 /prefetch:3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c5446f8,0x7fff3c544708,0x7fff3c544718

C:\Windows\SysWOW64\cmd.exe

cmd /c md 639278

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\findstr.exe

findstr /V "alcoholweekskeepsmercedes" Cyber

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Was + ..\Ll + ..\Rx + ..\Pursuant + ..\Competitions z

C:\Users\Admin\AppData\Local\Temp\639278\Assumptions.pif

Assumptions.pif z

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7237992729312017580,2765792171606543579,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff42f546f8,0x7fff42f54708,0x7fff42f54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8909801853536232900,6523914294423084185,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\Emotions

C:\Users\Admin\AppData\Local\Temp\Participants

C:\Users\Admin\AppData\Local\Temp\Rick

C:\Users\Admin\AppData\Local\Temp\Cry

C:\Users\Admin\AppData\Local\Temp\Analyses

C:\Users\Admin\AppData\Local\Temp\Discs

C:\Users\Admin\AppData\Local\Temp\Karaoke

C:\Users\Admin\AppData\Local\Temp\Louisville

C:\Users\Admin\AppData\Local\Temp\Literary

C:\Users\Admin\AppData\Local\Temp\Cat

C:\Users\Admin\AppData\Local\Temp\Duty

C:\Users\Admin\AppData\Local\Temp\Closer

C:\Users\Admin\AppData\Local\Temp\Bloggers

C:\Users\Admin\AppData\Local\Temp\Guinea

C:\Users\Admin\AppData\Local\Temp\Joyce

C:\Users\Admin\AppData\Local\Temp\Disabled

C:\Users\Admin\AppData\Local\Temp\Mx

C:\Users\Admin\AppData\Local\Temp\Pe

C:\Users\Admin\AppData\Local\Temp\Valve

C:\Users\Admin\AppData\Local\Temp\Precise

C:\Users\Admin\AppData\Local\Temp\Af

C:\Users\Admin\AppData\Local\Temp\Complete

C:\Users\Admin\AppData\Local\Temp\Archived

C:\Users\Admin\AppData\Local\Temp\Stem

C:\Users\Admin\AppData\Local\Temp\Ejaculation

C:\Users\Admin\AppData\Local\Temp\S

C:\Users\Admin\AppData\Local\Temp\Belt

C:\Users\Admin\AppData\Local\Temp\Mason

C:\Users\Admin\AppData\Local\Temp\Oval

C:\Users\Admin\AppData\Local\Temp\High

C:\Users\Admin\AppData\Local\Temp\Fda

C:\Users\Admin\AppData\Local\Temp\Powerseller

C:\Users\Admin\AppData\Local\Temp\Raising

C:\Users\Admin\AppData\Local\Temp\Starring

C:\Users\Admin\AppData\Local\Temp\Puerto

C:\Users\Admin\AppData\Local\Temp\Confirmation

C:\Users\Admin\AppData\Local\Temp\Individually

C:\Users\Admin\AppData\Local\Temp\Org

C:\Users\Admin\AppData\Local\Temp\Teachers

C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

C:\Users\Admin\AppData\Local\Temp\807188\Q

MD5 aee44d3760cc23691b96247814be7157
SHA1 586222219b28f7a9ebe5d492776e905fe7b97f05
SHA256 0aa8148123108e52de933b235562827fe62b883ae7fd1afaa009e85a2081716e
SHA512 20ec5dea80a26db6f0e13cad27cb65f46dc6536a1a4c3b0de976ebd06505a330a154c10870d78bb93d375dbb1238044470c2786eeca5abe47dc2f1e4efcb6a10

memory/3752-86-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-87-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-89-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-93-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-96-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-102-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-101-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-100-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-99-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-98-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-95-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-94-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-91-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-97-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-92-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-90-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-106-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-111-0x0000000000BB0000-0x0000000000D91000-memory.dmp

C:\Users\Admin\Documents\iofolko5\kr6oOl5fnvdsHkqCRaP1fo2A.exe

MD5 66f4c467d6f87afe16daafb012f27e76
SHA1 5015e438c3413b43bd08051ecccefcb136f2080a
SHA256 d3b79435a3f7f45d17f4e21bffeacea894eb97bf3cda0e362d3a5ae11c736de1
SHA512 b601880669b6b406e304622eb0b5158561f4f450a87a9e6525b9ae532c6546110088dd8a564037ce9710233cae6b5d2cf9790f8008a5477d8d5ccb3ae281c4b3

C:\Users\Admin\Documents\iofolko5\wYNH1NawfqTQtzQo4kd1MIWJ.exe

MD5 2cb1c73af8654380163945a77f86896f
SHA1 22cbd618e82552811463acbaa949dbf7d607f866
SHA256 acfe88688eaabeca673714b9a3a4d7b5a2c7817440356c857cb868aea21e497d
SHA512 6c35d80e61bf783d1895c065ed9e7acbe10e718bf69c899272e1b188f2d70e89089043fe94e45530daeb6aa3a9585370f67658b0da4f5f7e312a09c0beb1a1ce

C:\Users\Admin\Documents\iofolko5\XnvEPdLqxBPmu3RgRqCfZNcY.exe

MD5 fb715bbfab832a6a7b4e05fc94a74b88
SHA1 b2f10e8bcd6e86d52d2e40d45fa79801e45cc4bc
SHA256 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377
SHA512 448ff097de5c6bb92ed9fa4e09f303408729f14b7156bcf4fcb2d6fa8b5859aa04cbbaeb8791e9cbad6ab437cb5e86e582b715a07a13142215341a8ce8c3f9d5

C:\Users\Admin\Documents\iofolko5\pACXIsRI85BC_ezSnWSfhREk.exe

MD5 b36f21ca653ea179246c98cda2373879
SHA1 e51277a723ca0cc7f48d8e99dbc471f42b57cb62
SHA256 ce083654b6506740c3a45c15e4fb24dcd05cd39e6509bdeeeedd330750a9511a
SHA512 9c4baec021ce15717366fa2e29af22b28673515e5e837b4a2441842d6eaa1fe4b29d2e9f24809a38b637e18f2ba43db7848708d0ad53552fe26dcd7daa107e80

C:\Users\Admin\Documents\iofolko5\fGtPqdBofzs3jBbRlgHebHfr.exe

MD5 079d166295bafa2ab44902c8bf5ff2a5
SHA1 46e728a035c3fd9618f823a5d0b525a9aa22e1c1
SHA256 dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8
SHA512 949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b

C:\Users\Admin\Documents\iofolko5\QStTmdiqINhqs2hs5S7azIqW.exe

MD5 84354d3c9965d9a0878596e347a34f39
SHA1 f8e6d9f00d72f6f023e8d793462b7bb90cc31583
SHA256 4e20a0aa3d323c0a1aa676c7eb3656cdd34cb69da614b4dc8aa946f5bcb2be39
SHA512 2356ba4867985b609e1727f2a4877649f6c1b415d089dcef22c695baa42d3051cb6fb799eb7056ca75301a1aba47e71354e5051868f5bda04a62932a3ef72ad3

C:\Users\Admin\Documents\iofolko5\61hlmzb5XwIueDSWu5c8ch68.exe

MD5 46a221059a8fae9bbbc96fdf1f794884
SHA1 8917f7e3f471c5eaa6fb8a026236fd229b4e3af3
SHA256 00c66edc8b41592e299f449a6b7a4e3ab949f7cca0c27bba9a279feacc6e5b6b
SHA512 b6914b29eebed8592c3c8974969b127ad07a0b147126d0656959ff9175a7da5e989a0cf2fdd4883c777aa98f8cae7382cc2247676526f975390693ee5342aa3b

C:\Users\Admin\Documents\iofolko5\KVp8xpLsYdCdeCYDJ_7iegd9.exe

MD5 64034db3a0ce29dcb4cfb658ab805226
SHA1 d4f1cc6d18b4bebcbc89459583e45d5a0456151d
SHA256 61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d
SHA512 9b4fe8ba0d6f2e90c84ede2b37629e2a0cdef80007de95c6b34d86aba2aed655e75deea7d85140b9ea517577b489bdd8e7de88683ee8f62529cfabb640d2877f

C:\Users\Admin\Documents\iofolko5\nsR5SWidetBTIjzUzja4HCGX.exe

MD5 751e3d161454b4c4aa4cf9ff902ebe1c
SHA1 25ea26e9037576f135a8f950ba47afe70195b2e9
SHA256 7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144
SHA512 3e474ea0b0511e8361d80fafc52f0f27f5c8659bc7a40dd31168ea79595c68ab0162295d0fea7b6af4746e4b48279644b93281c094d17c271afe4b4f44029435

C:\Users\Admin\Documents\iofolko5\D6EwRU_Uw2PIDPuI8AMn4Byy.exe

MD5 db1fbaf680dc245b486db86fa852f655
SHA1 355caa80363bc44607efcce4c64d3752a0edf286
SHA256 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32
SHA512 ec923d035cd6d608315c7a7dbd3ffd66afea22dace6f0854e7e97346ca758f6344c32a6a7336e9fd1506207bdee1e408f4a328b7671c7d9248a64e8a56c2e840

C:\Users\Admin\Documents\iofolko5\jRGNG6BAGNRMq1P_xUXSsvIL.exe

MD5 b5887a19fe50bfa32b524aaad0a453bc
SHA1 cd1f3905959cd596c83730a5b03ceef4e9f2a877
SHA256 fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7
SHA512 5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538

memory/3752-202-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-204-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/2396-230-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3752-226-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-224-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-222-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-220-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-218-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-216-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-214-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/3752-212-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/1568-255-0x0000000000D20000-0x0000000000D92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JVQQ6.tmp\wYNH1NawfqTQtzQo4kd1MIWJ.tmp

MD5 a2b6b3a5c9cc4ef83680b4cf5fe14f2b
SHA1 3f64365e8f9d8f0451f343c629245349a4f9b849
SHA256 cb18e81b7bf4748beefc4fe5b2ec925417cafbfe89cc03ed1c47fd8ab2f95116
SHA512 5ad7ba7f3b43770cb393fcbb07c3885228e05c4eeaf3da5ad6349c16262cc7b05588958533f6676f1a8b8ed76a60fadb2ddd6925f75f6484dbf174ff37d91dab

memory/2796-258-0x0000000000140000-0x0000000000982000-memory.dmp

memory/4648-254-0x0000000000450000-0x000000000049A000-memory.dmp

memory/2420-251-0x00000000008F0000-0x0000000000DBF000-memory.dmp

memory/2796-260-0x00000000052E0000-0x000000000537C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-B8987.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2524-274-0x0000000000400000-0x0000000000657000-memory.dmp

memory/2796-277-0x00000000054F0000-0x00000000056A0000-memory.dmp

memory/2524-272-0x0000000000400000-0x0000000000657000-memory.dmp

memory/2524-269-0x0000000000400000-0x0000000000657000-memory.dmp

memory/2796-278-0x0000000005C50000-0x00000000061F4000-memory.dmp

memory/4860-280-0x0000000000A30000-0x0000000000A84000-memory.dmp

memory/2796-281-0x00000000052B0000-0x00000000052D2000-memory.dmp

memory/2936-283-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2936-282-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4164-286-0x00000000000A0000-0x00000000000D8000-memory.dmp

memory/2416-293-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2440-291-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2936-284-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2584-279-0x00000000009F0000-0x0000000000A74000-memory.dmp

memory/2416-319-0x0000000005220000-0x00000000052B2000-memory.dmp

memory/2440-295-0x0000000000400000-0x0000000000643000-memory.dmp

C:\ProgramData\DH Diatonic Scale 9.10.45\DH Diatonic Scale 9.10.45.exe

MD5 2d468d33d16327a87ab729707f85926e
SHA1 785db1860d17c1df0cd2e91ed1823cfece31ab71
SHA256 3727014076c49533ef56ca04e8fa928a93e5d74a22444abd58b8f662e9629376
SHA512 c12a7577bdba93ec7ee75fb0eed11853191f495c06216df69bae238c13b2d2d9e620285cff6d42c72104a45e67c31cc9124d2ab8620c099faf377a901c16c21c

memory/4936-323-0x00007FFF60B90000-0x00007FFF60B92000-memory.dmp

memory/2416-328-0x00000000051D0000-0x00000000051DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpA55E.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2420-356-0x00000000008F0000-0x0000000000DBF000-memory.dmp

memory/1568-355-0x000000001BC20000-0x000000001BC32000-memory.dmp

memory/1568-357-0x000000001DDE0000-0x000000001DE1C000-memory.dmp

memory/1568-354-0x000000001DEB0000-0x000000001DFBA000-memory.dmp

memory/2416-352-0x0000000005DE0000-0x0000000005E56000-memory.dmp

memory/4244-351-0x0000000000BC0000-0x000000000108F000-memory.dmp

memory/2416-358-0x00000000065B0000-0x00000000065CE000-memory.dmp

memory/4936-324-0x0000000140000000-0x00000001419FB000-memory.dmp

memory/2416-365-0x0000000006680000-0x0000000006692000-memory.dmp

memory/2416-367-0x0000000006850000-0x000000000689C000-memory.dmp

memory/2416-366-0x00000000066E0000-0x000000000671C000-memory.dmp

memory/2416-364-0x0000000006740000-0x000000000684A000-memory.dmp

memory/2416-363-0x0000000006BF0000-0x0000000007208000-memory.dmp

memory/2348-322-0x0000000000400000-0x000000000068F000-memory.dmp

memory/2348-320-0x0000000000400000-0x000000000068F000-memory.dmp

memory/2440-368-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2524-402-0x0000000000400000-0x0000000000657000-memory.dmp

memory/2524-412-0x0000000000400000-0x0000000000657000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\a1b8c7a7d6.exe

MD5 f47cc7dc355ae01926f6065316c3bd68
SHA1 6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512 cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e

memory/1568-413-0x000000001E700000-0x000000001E776000-memory.dmp

memory/1568-428-0x000000001B9B0000-0x000000001B9CE000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1568-449-0x000000001F1E0000-0x000000001F3A2000-memory.dmp

memory/1568-458-0x000000001F8E0000-0x000000001FE08000-memory.dmp

memory/2524-466-0x0000000022710000-0x000000002296F000-memory.dmp

memory/2416-483-0x0000000006990000-0x00000000069F6000-memory.dmp

C:\ProgramData\CGDHDHJEBGHJ\JDBGHI

MD5 e228c51c082ab10d054c3ddc12f0d34c
SHA1 79b5574c9ce43d2195dcbfaf32015f473dfa4d2e
SHA256 02f65483e90802c728726ce1d16f2b405158f666c36e2c63090e27877ae4e309
SHA512 233ca5e06591e1646edfadb84a31bdfc12632fb73c47240a2109020accfbd1e337371bcc3340eae7a1f04140bbdeb0b416ce2de00fa85671671bb5f6c04aa822

C:\Users\Admin\AppData\Local\Temp\1000036001\b9fa356fdf.exe

MD5 38f98be80e6670f46efc8544d762cfd4
SHA1 fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256 fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf

C:\ProgramData\CGDHDHJEBGHJ\EHJKKK

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/1540-550-0x0000000000930000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminBFBGDGIDBA.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 610f1bc45de64295c38660516bb4e0a3
SHA1 eacfa919fbe112716663e98029c7840abe31cb0e
SHA256 56ceab522f6cffdcf5f465c1e641e8870a89498a0b3e16480a76d6fb51c5919c
SHA512 dfc005d32faf63841380bcae7dbde9943862be3e327a8f5c91038b756d14fbb45b55c204a4a0d4a02c140bdc72ce81396ddf12d1a584529ce655ef77e84cc673

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 8bb6cb0cd26570e6340d9037e76cfbc1
SHA1 8e894c56e0e40f0f5e86ed7186634157d5221202
SHA256 8952d0c7c7ac10133b41a0cde764a0e213a5098f7f8ec67d4d218571b0821ddf
SHA512 c67cda3e21ee556af7a9cf543345fe85659ce52bd4d14a112be5bab60a32659f17e6761bb8a5e0d48125f6c2619f3dc18257f7628332f4d28bf0e267db75a279

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\nss3[1].dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\f74e9847-ed1f-481f-88eb-66c13dae70d7.tmp

MD5 e001aa8fb8a965daa588d8a61c743013
SHA1 952bca389ba2f3382e4197851745b9043740a773
SHA256 29922f7e98dbd2e61c40a9a9004faabf591490c1f283ebba0db6caea4b6d0ee4
SHA512 1a9479a631ab6eebf228a33958db4ed061e98bb9ac55238e83b0f32f45a3098c9e37d20c49d3839c1e514c67f58a5e901547c184a9ca080ebf8cd0901a30fc4e

C:\ProgramData\CGDHDHJEBGHJ\FIJKEH

MD5 94bbb7462484acfa9fc2107993b4eddd
SHA1 57d56dab69de80cc5ef794b3d6ef112ae207fd31
SHA256 bd82f4ad6922273d87d0c5871f8b2039bb6ade4fe4ec921467d1a425c00f610a
SHA512 64b415279d124e730e3a514e5970678a7bf5257a006afebd95d30c5fceede8a818ebed957efb8cc9b88e9e55271c23ebf537a3fdc0e8eade2b49ec8ac8242e87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk

MD5 ddef384bbc1d1f39973d0fea90cf664f
SHA1 06aae0ea45bf39f22b36c11ad87a08812cd893fd
SHA256 60c0b345b1af7eff99e43bc378d1d3579a007ba1951f590f1065d3a9f212c400
SHA512 8652e1b523d34e136e2be453dfaa0d5da23e3458837a81f6a0f765a1ddd01ba4d9a87d05d7e8e3d6742c8fb0dbfdda3100a121e24e93616e5edd2df141a76bec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 94c8e05cab2408ea6f06a49a08166efd
SHA1 f5e19d951df5ae2498ab632962b6f781084ade5c
SHA256 38486fde97fb3c598fd1dd53b6a56f345ec393ca367f3ef89701f8a3690edb04
SHA512 1375a81f30de76dd5f0d79a3123686910611084842c12fef3f4e20a809125db001da2e711626c48848c0f733f54c87db6dfd2c01fe6b95bb9a253194675daa5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\2c3e8f2d-5333-43d5-96d3-65df8531bd4d.tmp

MD5 36250ec2fca99e89e308ecc2ffacb806
SHA1 f37b886b7053282d9f4b62a39d8d9f8862134b4c
SHA256 930018b1ca5500780b5dd26827f5050cc553537f97be40d2d57f7949904750e1
SHA512 5f6ac74a64bae833d55f0115976186f6c626bcfc50c9f6db6c6c771c49a6a5f70eae6d168f5cea0467da579767028ed4826ea9b3e44b8c65c18c420f612cec70

memory/2348-739-0x0000000000400000-0x000000000068F000-memory.dmp

memory/4244-742-0x0000000000BC0000-0x000000000108F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G40JFEW9\66df1689df956_l[1].exe

MD5 e318c6ab13d30b93d2d43bf5d2c31fe5
SHA1 2096056b203ea938312af04ce137353eac6a03d3
SHA256 f43e034a2bee82ed71caf1f838be515abef3bd8bb562bdae3d5abb4f194c492d
SHA512 bc0bfbdf77a6da47f67201f6a1f049072ff0bb1c289eccc739c07b49c4eafe3b9053d31671f08ffdb833ee469dfcab95374ed199267fab86f38e9db7d7fbce75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 cfaf8bab3d8f9fea161b9d3d69a8a31b
SHA1 3a33de44f24e28553c7823e8111733f960a5a336
SHA256 ff70c0d3c32977be292ed1cb764128534b1f20800e1d964e83222175286836b0
SHA512 7bd04229ea0c5d29cdcbe3323d2ca9f63b097e5e6df7a4cb5a40fb11cb79bca18059a3299dedc56acc0657f9a82284e7e6f4a7e6f39c07c82de50d77a235be3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 1e0b22520a35aa1443a6a586f4b43d25
SHA1 c60453405a3c3af29b8fd4753c698eb60f03615c
SHA256 b218a9363843a2dc67d00d1cc4eac6c8471c7389dcc9ec14e410de742f447b2c
SHA512 62a14ff66b3eac7df3133b5e1f1af614d4163fe7b521860770e8edfc32e223f335b9704f5cf13ff9a84e5e411cc3f6308634d4f6965887a55c6ea7936036d2a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

MD5 4118f1bfbc622ec4aa1d0f282a7b2110
SHA1 201761c32ef7990f7588c9bf1dcff821648f9d63
SHA256 6613e299e91478b3b6d2e2110b91c484da91ceb8ad3648d43fef47bebb2ed0bc
SHA512 7fb09f6109362675f0123ea552da59bd615277fa3fb77e381127e1770c31734f19849483e954dfcc21e7fd0a0bc5ae50af59f1762eb704ee341e3d820a3c76b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe59fcb5.TMP

MD5 ee99aedfed0e9439771bc5c1c2dbe00c
SHA1 dbb39d6ef5a9b1275055a4f4fb49df582cd73c5e
SHA256 55f85d2c5df6973f90c5319bbaf758ec6883d2d4e3ae7478ea16278b979c8a28
SHA512 0ca1d78484b6b71653ae460decdf26f1011bdddd9125532204c4cbe6e21e04c466d61e18d8c431f94980361208ebb222aa292bf986efc7254063ae1391cdab65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 9af15df14380de316920d8f88f4f8084
SHA1 dbcc1362ff51c2849d39f24d00cdb3f2c6c049b9
SHA256 41a9c193ba345713c9522666c17479bc2eaf602feed92dcd3a83a1bc9306fdea
SHA512 88d395d3faaa1a004d16de5c41e28080a6717c6fd8dd1c17cfaa8ef67d8c7f23d12c89742f15381cdedf3d6c053eb7f498be3c73b591a7e3ae7998880bfe426a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\ProgramData\CBFBGCGIJKJJ\JKJECB

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\ProgramData\CBFBGCGIJKJJ\KJKKKJ

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\ProgramData\CBFBGCGIJKJJ\BAKKEG

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

memory/2416-953-0x0000000005490000-0x00000000054E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2HRIUAM0MFJOTNSPIN0W.temp

MD5 aa01c0ee2b1a6acc0a276373a6604af7
SHA1 5e3c0318e19e63252a482151ed1509caae5a33f3
SHA256 8f239349d545ff409d5c1ca8347cb4d4f92b2581e896bdaa729a582d73a00f9e
SHA512 825425aaebaa5bff339723770c17402f1dd069399112c8de83cf38e348898564c3bf22e3e962df1e14c70cc9d741ad8cb1748fb1b64a2014a4d8b30dd284410e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 97c95661da8e3c4c6531e4e775ce3489
SHA1 b84b46d26ca8735c1b6da5ffef8d505074789855
SHA256 76118464d4861a4912e3b7c5955ddf762e87256ef3ebf2639c428c80910db1b0
SHA512 8d7e0e97eaf60cd0363b54c1af68c88240e26b3e4613b4657680510b3cdee12380ff02339dcc9e1847ee974ddf7cddf7897b169c292ebc924c5b8e9eade63002

memory/2416-1029-0x0000000009320000-0x000000000984C000-memory.dmp

memory/2416-1028-0x0000000008C20000-0x0000000008DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 bcdfc7a3592479eb9854f8bc6e927561
SHA1 c0ec536d876cfb5141acb6f21e30865a605a0fd2
SHA256 68fc5787d5678e5f406ef88af1196af2c706381556690689554461b225a1d8ea
SHA512 daab83dddb2f11b085180bdae911a8ad209c1b8153891ceb48539702afdaf8099cbd1058792784282340f0c9873d116f66e8b4e52677d109caff9e1ed7485b3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 e172b474518f0c94f7b0ca9f72e10aed
SHA1 06fb60fb8fd137edcd95650563d11fdc5aca5bfa
SHA256 e5061776d73d9793885675ab7f2aea4db854882bc1236a356de68005c5f34fb2
SHA512 401819ce8ce0c055b4360c67d461ec6e85c82e4d3275a6eb6d2082352fca59656d9bfb8d01014e8e4e9ada4aedf74918f6fda211bba498b75a5069cc9e1dbfa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 a944a4960cd87ed05e6f615b469907d4
SHA1 0f8476437cc3cea6fcbf7b4389ec062aaea95d13
SHA256 5d72c864db27a815a37ecedd966633138a9ae0275b516573128cc74c60699c1e
SHA512 78d1684c486f7da0d14959364c99b9509211dc4ff472f5c7ea6b48b4dddac366d7f917cbddca141b65551ffcf4e90f446f1c14baafdba77d905eed07fec7a377

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 778c9ca06cadf7c71ee3ad85127a05d3
SHA1 ed031910e90d6371ac414c36b0018c536054a145
SHA256 dbdd5438f6d0fc5d14221eb90ebee8d294d5739bbb02a2d5f2e1fc981dddcfe9
SHA512 f538115a65ea9142a5716c719e915f5a656c6e4826fa074b88fbd6e86be0e2899ff25c0865f3faf24e0de454b486427c175c6a79d125b0d136f3fc9bb95ddfed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 17b4af859b2531dcba8263ec4f07d1bb
SHA1 4c5e9ed56eb1a2b07569bdd87bbc1540a2f6360e
SHA256 2eb1542f1ea9b358401e9a0a5fb2296a1d2efffe99e4ba1e8049f60998cfdfe3
SHA512 dda430adcb3991c13b56b4ed157d00f55f519170757f7dcce868b5c05d8e6a309ffe957f6d945c616c45d6910b6fbeefc7d7b2db00c7795ee94de6b2d60e0c92

memory/3368-1192-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 a588247943bdbd98678aad31cd2826c2
SHA1 9502ad34b03e6c470bd01a94eee04a7cb8c4ffd9
SHA256 badb78f7d2b9fba35601a3860961b55df54850492a949b52187cb049036ca9fa
SHA512 c23d44e832ba53eba7e5b75e50830dfdc39d05f7d180277edf7d2382a35a04fc2cd1793778cbb031693952f6e38383e3df9af36a760b4e4eaa932271dc46bd20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 2eeaadcb6482b9b8de4f3ed52cc5d20d
SHA1 de7c7d65b3398852bcb4fa3103c2cae04d4829ea
SHA256 d10122065101c04f015c1c280b59f05945f7715433db5ad7eaa2bb714feb2763
SHA512 e37172ab1714ac2cf8cbd9bf50fbe74fa0c0c20ca40ed6a0354cda8bf5b6eb6e02a28926b1291b47eaf325e119761d5998966d928640d4cccc92842b0bf8993e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 2286a7129f21feb7bb54b5cc4550d6ab
SHA1 62cdafd08dcb527634cc7a5d64ead5cb05d6b970
SHA256 dba3169bf251fae1db19251c87371f5af5ccaff265740d4814239b0294462834
SHA512 241a048eab713c339a8b134fe94a6de7a4246110f3b28e4446e79d9d54aed46b6395f96794fd3e4c5cef35952f690d65bc9d9915743b6626a23e835fa4acc3e1

memory/3368-1240-0x0000000007F00000-0x0000000007F4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\04af3c4a-d6e4-4a69-8567-b2604d332df4.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 35d5a6939e646089207eb441d911be1d
SHA1 9e332e64cd10bc686b7b5b7b7766fbeb86fcc317
SHA256 d8db9e00b4c04ee1ac754a03f9732830baba40be8a61d1dccf8315f078a8cc44
SHA512 41e76c2e43615422df576e7819efd1ffec1e917d5fbf8a01779722b2cfa9b5a7cff4c57d5b47c7a429fc4f6562b180abe7c9629782fbd4466d05a015266c9dd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 d2ea458ab787e60ac5f01c33920872a6
SHA1 e5a55b3cfa4540589fa3083127ddec2c3faf4925
SHA256 0db771b3fc78192cf633be72fbe5a553dbfb36afb65016a235db25833a49de49
SHA512 17fb6e7deedb784541262e6487c4df1e7d1f7755ea2faf614417aed7cc4cdb3f61235ae2d25ba94ef09a9f906845532969f378b4947075beb25e0332094a8ddc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 fedd054a77818b94c3294cee003f79b6
SHA1 de235980f95156a85b6032ebd2aba43044532723
SHA256 0b642db1582f97bf0560e8b7b2aa456745c30ca34c30ee1e9c036a8ca42b007a
SHA512 f5c4ff7da7dd9a0358e29a367d1c3d3ec002dcab075a954a0a3cddbae40c936a449081e99e2eac95b6329cf2e01bf936c3568d7f42d2e7ed1c8fc9c2b8692855
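The listing above is the raw artefact inventory a responder would mine for indicators, but it mixes three different things: payloads the chain wrote to disk (the `.exe`/`.dll`/`.pif` files under `Temp`, `Documents\iofolko5` and `ProgramData`, plus the extensionless blobs such as `Temp\Puerto` or `ProgramData\CGDHDHJEBGHJ\JDBGHI`), memory regions the sandbox dumped from the injected processes, and ordinary side effects of the detonation session (the Edge profile files, the `.NET` usage log, the jump-list temp file). The parser below is an added example, not part of the report or of any of the listed malware; it reads this exact layout (a path line followed by `MD5`/`SHA1`/`SHA256`/`SHA512` lines, and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines), rejects digests whose length does not match their algorithm, and separates the entries into a SHA256 blocklist and a per-PID map of dumped regions. The classification rules (which directories count as session artefacts, which extensions count as executable) are my assumptions, and `SAMPLE_LISTING` is a short excerpt of the listing above.

```python
"""Parse a sandbox report's "Files" listing into IOC records.
Added example, not part of the report. Classification rules are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
EXECUTABLE_EXTENSIONS = {"exe", "dll", "pif"}
# Assumption: files under these directories are side effects of the detonation
# session (browser profile, .NET usage logs, jump lists), not dropped payloads.
SESSION_ARTEFACT_MARKERS = ("\\Microsoft\\Edge\\", "\\CLR_v4.0_32\\UsageLogs\\",
                            "\\Recent\\CustomDestinations\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def extension(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class MemoryRegion:
    pid: int
    sequence: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions). Hash lines attach to the most recent path line;
    a digest with the wrong length for its algorithm raises ValueError."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)          # any other non-empty line is a path
        files.append(current)
    return files, regions


def classify(f: DroppedFile) -> str:
    if any(marker in f.path for marker in SESSION_ARTEFACT_MARKERS):
        return "session-artefact"
    if f.extension in EXECUTABLE_EXTENSIONS:
        return "executable"
    if f.extension == "":
        return "extensionless"               # e.g. Temp\Puerto, CGDHDHJEBGHJ\JDBGHI
    return "other"


def blocklist_sha256(files, kinds=("executable", "extensionless")) -> set:
    """SHA256 values worth pushing to a file-hash blocklist."""
    return {f.hashes["SHA256"] for f in files if classify(f) in kinds and "SHA256" in f.hashes}


def regions_by_pid(regions) -> dict:
    """Group dumped regions per PID, collapsing the repeated captures of one range."""
    grouped = defaultdict(set)
    for r in regions:
        grouped[r.pid].add((r.start, r.end))
    return dict(grouped)


# Constructed input: four entries and two memory lines excerpted from the listing.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\807188\Segment.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\807188\Q

MD5 aee44d3760cc23691b96247814be7157
SHA1 586222219b28f7a9ebe5d492776e905fe7b97f05
SHA256 0aa8148123108e52de933b235562827fe62b883ae7fd1afaa009e85a2081716e
SHA512 20ec5dea80a26db6f0e13cad27cb65f46dc6536a1a4c3b0de976ebd06505a330a154c10870d78bb93d375dbb1238044470c2786eeca5abe47dc2f1e4efcb6a10

memory/3752-86-0x0000000000BB0000-0x0000000000D91000-memory.dmp

memory/2396-230-0x0000000000400000-0x0000000000414000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 610f1bc45de64295c38660516bb4e0a3
SHA1 eacfa919fbe112716663e98029c7840abe31cb0e
SHA256 56ceab522f6cffdcf5f465c1e641e8870a89498a0b3e16480a76d6fb51c5919c
SHA512 dfc005d32faf63841380bcae7dbde9943862be3e327a8f5c91038b756d14fbb45b55c204a4a0d4a02c140bdc72ce81396ddf12d1a584529ce655ef77e84cc673
"""

if __name__ == "__main__":
    parsed_files, parsed_regions = parse_listing(SAMPLE_LISTING)
    for f in parsed_files:
        print(f"{classify(f):17} {f.hashes.get('SHA256')}  {f.path}")
    for pid, ranges in regions_by_pid(parsed_regions).items():
        print(pid, [f"0x{s:X}-0x{e:X} ({e - s} bytes)" for s, e in ranges])
```

Feeding the whole listing through `parse_listing` and taking `blocklist_sha256` of the result gives the hash set to hand to an EDR; `regions_by_pid` shows that the many `memory/3752-…` lines are the same 0xBB0000-0xD91000 range captured repeatedly (the unpacked stage living in PID 3752), not dozens of distinct regions. Note that `mozglue.dll` and the cached `nss3[1].dll` are legitimate Mozilla libraries that stealers drop to read Firefox credential stores, so their hashes are better treated as hunting leads than as stand-alone block indicators.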