Analysis Overview
Threat Level: Known bad
The file https://gitea.com/ImMoonDev/pysilon-upload was found to be: Known bad.
Malicious Activity Summary
BadRabbit
Badrabbit family
Dharma family
Dharma
Enumerates VirtualBox DLL files
Renames multiple (676) files with added filename extension
Deletes shadow copies
Sets file to hidden
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Modifies WinLogon
UPX packed file
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Enumerates system info in registry
Modifies registry class
Views/modifies file attributes
Uses Volume Shadow Copy service COM API
Uses Volume Shadow Copy WMI provider
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-28 18:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-28 18:54
Reported
2025-02-28 19:06
Platform
win10ltsc2021-20250217-de
Max time kernel
680s
Max time network
681s
Command Line
Signatures
BadRabbit
Badrabbit family
Dharma
Dharma family
Deletes shadow copies
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe | N/A |
Renames multiple (676) files with added filename extension
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HD Realtek Audio Player = "C:\\Users\\Admin\\HD Realtek Audio Player\\HD Realtek Audio Player.exe" | C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1786400979-876203093-3022739302-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1786400979-876203093-3022739302-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\P: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\Downloads\000.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\Downloads\000.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Windows\System32\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\Downloads\000.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\ui-strings.js.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_ug.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fa.pak | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\PackageManagementDscUtilities.strings.psd1 | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge.dll.sig.DATA.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ProtectionManagement.mof | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\mi.pak | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gu.pak.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1 | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Analytics.DATA.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ja.txt.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado26.tlb | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons2x.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.id-56974F64.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BA31.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Downloads\BadRabbit.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Downloads\BadRabbit.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\BadRabbit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\BadRabbit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "185" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | C:\Users\Admin\Downloads\000.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1786400979-876203093-3022739302-1000\{D6ADBA07-F6AF-44C0-86B6-C1D02D8FACCD} | C:\Users\Admin\Downloads\000.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gitea.com/ImMoonDev/pysilon-upload
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fffe56746f8,0x7fffe5674708,0x7fffe5674718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=2052 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=3488 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\compressed\" -spe -an -ai#7zMap20849:78:7zEvent4987
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\compressed\discord\" -spe -an -ai#7zMap21657:94:7zEvent26406
C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe
"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"
C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe
"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x510
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\HD Realtek Audio Player\""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\HD Realtek Audio Player\activate.bat""
C:\Windows\system32\attrib.exe
attrib +s +h .
C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe
"HD Realtek Audio Player.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "source_prepared.exe"
C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe
"HD Realtek Audio Player.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\HD Realtek Audio Player\""
C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe
"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"
C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe
"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6856 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1220684662 && exit"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:22:00
C:\Windows\BA31.tmp
"C:\Windows\BA31.tmp" \\.\pipe\{C0F348EA-E118-45AB-832D-6CDBB4D2B888}
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1220684662 && exit"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:22:00
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\209b0d4dbdb64b3e932894c3b0b336d7 /t 18076 /p 18060
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3989855 /state1:0x41c64e6d
C:\Windows\SysWOW64\cmd.exe
/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN drogon
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gitea.com | udp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.69.228:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | plausible.io | udp |
| GB | 79.127.237.132:443 | plausible.io | tcp |
| GB | 79.127.237.132:443 | plausible.io | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| BE | 74.125.206.154:443 | stats.g.doubleclick.net | tcp |
| GB | 142.250.180.3:443 | www.google.co.uk | tcp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | plausible.io | udp |
| US | 8.8.8.8:53 | gitea.com | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| GB | 142.250.180.3:443 | www.google.co.uk | udp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 172.165.69.228:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 13.87.96.169:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:56853 | | tcp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.133.234:443 | gateway.discord.gg | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 13.87.96.169:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| FR | 2.18.143.11:80 | sf.symcd.com | tcp |
| US | 8.8.8.8:53 | sf.symcb.com | udp |
| FR | 2.18.143.11:80 | sf.symcb.com | tcp |
| US | 8.8.8.8:53 | rb.symcd.com | udp |
| FR | 2.18.143.11:80 | rb.symcd.com | tcp |
| US | 8.8.8.8:53 | rb.symcb.com | udp |
| FR | 2.18.143.11:80 | rb.symcb.com | tcp |
| US | 185.199.111.133:445 | raw.githubusercontent.com | tcp |
| GB | 2.18.27.76:445 | r.bing.com | tcp |
| NL | 40.126.32.133:445 | login.microsoftonline.com | tcp |
| GB | 20.26.156.210:445 | api.github.com | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| US | 185.199.108.154:445 | github.githubassets.com | tcp |
| GB | 2.18.27.76:139 | r.bing.com | tcp |
| US | 185.199.111.133:139 | raw.githubusercontent.com | tcp |
| NL | 40.126.32.133:139 | login.microsoftonline.com | tcp |
| GB | 20.26.156.210:139 | api.github.com | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| US | 185.199.108.154:139 | github.githubassets.com | tcp |
| N/A | 10.127.0.0:445 | | tcp |
| N/A | 10.127.0.0:139 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| N/A | 10.127.0.3:445 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| N/A | 10.127.0.4:445 | | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| N/A | 10.127.0.5:445 | | tcp |
| NL | 20.190.160.17:445 | login.microsoftonline.com | tcp |
| GB | 20.26.156.215:445 | github.com | tcp |
| FR | 2.18.143.11:445 | rb.symcb.com | tcp |
| US | 140.82.113.22:445 | collector.github.com | tcp |
| US | 13.107.21.237:445 | www2.bing.com | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| US | 13.107.21.237:139 | www2.bing.com | tcp |
| NL | 20.190.160.17:139 | login.microsoftonline.com | tcp |
| GB | 20.26.156.215:139 | github.com | tcp |
| US | 140.82.113.22:139 | collector.github.com | tcp |
| FR | 2.18.143.11:139 | rb.symcb.com | tcp |
| N/A | 10.127.0.6:445 | | tcp |
| IE | 20.190.159.64:445 | login.live.com | tcp |
| IE | 20.190.159.64:139 | login.live.com | tcp |
| N/A | 10.127.0.6:139 | | tcp |
| N/A | 10.127.0.7:445 | | tcp |
| N/A | 10.127.0.7:139 | | tcp |
| N/A | 10.127.0.8:445 | | tcp |
| N/A | 10.127.0.8:139 | | tcp |
| N/A | 10.127.0.9:445 | | tcp |
| N/A | 10.127.0.9:139 | | tcp |
| N/A | 10.127.0.10:445 | | tcp |
| N/A | 10.127.0.10:139 | | tcp |
| N/A | 10.127.0.11:445 | | tcp |
| N/A | 10.127.0.11:139 | | tcp |
| N/A | 10.127.0.12:445 | | tcp |
| N/A | 10.127.0.12:139 | | tcp |
| N/A | 10.127.0.13:445 | | tcp |
| N/A | 10.127.0.13:139 | | tcp |
| N/A | 10.127.0.14:445 | | tcp |
| N/A | 10.127.0.14:139 | | tcp |
| N/A | 10.127.0.15:445 | | tcp |
| N/A | 10.127.0.15:139 | | tcp |
| N/A | 10.127.0.16:445 | | tcp |
| N/A | 10.127.0.16:139 | | tcp |
| N/A | 10.127.0.17:445 | | tcp |
| N/A | 10.127.0.17:139 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 10.127.0.18:445 | | tcp |
| N/A | 10.127.0.18:139 | | tcp |
| N/A | 10.127.0.19:445 | | tcp |
| N/A | 10.127.0.19:139 | | tcp |
| N/A | 10.127.0.20:445 | | tcp |
| N/A | 10.127.0.20:139 | | tcp |
| N/A | 10.127.0.21:445 | | tcp |
| N/A | 10.127.0.21:139 | | tcp |
| N/A | 10.127.0.22:445 | | tcp |
| N/A | 10.127.0.22:139 | | tcp |
| N/A | 10.127.0.23:445 | | tcp |
| N/A | 10.127.0.23:139 | | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 51.140.244.186:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 51.140.244.186:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 10.127.0.24:445 | | tcp |
| N/A | 10.127.0.24:139 | | tcp |
| N/A | 10.127.0.25:445 | | tcp |
| N/A | 10.127.0.25:139 | | tcp |
| N/A | 10.127.0.26:445 | | tcp |
| N/A | 10.127.0.26:139 | | tcp |
| N/A | 10.127.0.27:445 | | tcp |
| N/A | 10.127.0.27:139 | | tcp |
| N/A | 10.127.0.28:445 | | tcp |
| N/A | 10.127.0.28:139 | | tcp |
| N/A | 10.127.0.29:445 | | tcp |
| N/A | 10.127.0.29:139 | | tcp |
| N/A | 10.127.0.30:445 | | tcp |
| N/A | 10.127.0.30:139 | | tcp |
| N/A | 10.127.0.31:445 | | tcp |
| N/A | 10.127.0.31:139 | | tcp |
| N/A | 10.127.0.32:445 | | tcp |
| N/A | 10.127.0.32:139 | | tcp |
| N/A | 10.127.0.33:445 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9091da214c5c97c04dfbd4afc733ec2f |
| SHA1 | 680c48d5c7cdf8b85d12d76e5b5af7d9ccf452b7 |
| SHA256 | 565c816ea4b9387afdda41c0fc27e21ff9ae434cdca28af87483a29408d85f68 |
| SHA512 | 5a561d5ebba54af22f33471f622ece68d4d9ba7e7a4f5b6848122aeb9ce07e51e9a56c1357165a5a7daabd03ecd8244b5759b893660958fe5d9264f7cbca0bee |
\??\pipe\LOCAL\crashpad_4976_MUBUACVXDHZDGLBV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e0f8efec07fb31b849ca1b169e8a4c52 |
| SHA1 | e51b825b48afd351ff355ac6cbfe6b84e8f7c928 |
| SHA256 | 58e8a4a2a1a85bcf676972eff47b79b54133a4a9186a52af99f89f13cb49d86d |
| SHA512 | 4697ed592d60ecaa368fc10b4fbe001da1bfea8972c2d62031b75931009ffbdc5546dce310cf67a230b2da4ddba035a224897b92f491193a6d59df4287b544a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e13ae87082737b36a13b9e506892a908 |
| SHA1 | efadfec582b43b9fa07406ccc9af87d5515fbf17 |
| SHA256 | 3d037e985ee665e546ef380cda53fc8eab5c2e2aed1a339122cbee29d4edd82b |
| SHA512 | fbdbd928912d66fad576550ad3c264cbdff940ccd3ce097b14aba28021428a69989bbc210c0416edd84e4587c0125b45d638b2fbdecba453dc473c652090e288 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3e745c6284b8ee21c971a8f1f443bbd1 |
| SHA1 | 0791aa045dfc446b2961d3df3fe1054150c289bb |
| SHA256 | 0151c5df5166da0780650df15799762467a53b56a71dd59bcdbd0205addff9cd |
| SHA512 | a6d8a26bd298a05e58c954ff5160303a45d23ff394ce4beaa3f704f9985e918b5bc15ad3e62bb969727e0cfdd647b214467f2f595758e14c80a05333293cbc52 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 33319e4acadea81a7ef96df62e26443b |
| SHA1 | e355374082d41fceb2627ea19a6cdd344fb47a0b |
| SHA256 | da75c796eee5a12e4da2cbdf0823af618a8b25a69f5148c0c2785c5a2f663c7f |
| SHA512 | 7b8a51fce81a3d2e885845c2f525f25e4901a01a6b95de74c22f653b0149ae5cfa4ede698012871876c7c867bd38b210276fdd8db2b1100ede07eb90e1a73ea3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ba9580674e0c02ab3b8fbdd02f70c63b |
| SHA1 | 7f13054333d260ec5d7094bbb47946f3a1264d02 |
| SHA256 | dbcb233df8e6b3b10e3c35144d39c166a4b9d14b956d925aa8fe058d5491c908 |
| SHA512 | ac3ad9b5a09c557adaaa3b1d58f961d7444920196d546f4126425377d587040bf7272e10c42073ad302f70293e2d9597f10a69044ce6b3431164edf84f244b76 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 942728d2e23b1c4da072ad3dfcaa6ecb |
| SHA1 | 703df0bfb6ff76de4f10ba9c0767ba7dc13e2033 |
| SHA256 | d815dd00ffb67538e32d8a54f10e66773d3c552897e408d6ff7aff8cf64be3fd |
| SHA512 | c39e5e93457a25d909898e049ae3b5530ffdad5f3954a4dc45b8c1a6f7e0ed4d5a77506e87ab170d6ef838e3878cb9dce42a9a4434ad1e2ec6e47492569f5abb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | a56e4975da82e4ee5e47f42ed076f09b |
| SHA1 | 0581ede528773744e9310758c7a414b473c3fdf8 |
| SHA256 | 194a8fcfe886a7ecb7750000f8be4916e7b2fc7cc41c1d7bc9340e66b6c8abdd |
| SHA512 | cc08ac1ec938bd3e589aa37acbde402fe370c3b8f3d3ff3e8faa5231b9a61d0d9bdcb5bd4da9d7bd6500905d158e95df8e1314b6063b029eee162ccd4a310392 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | bd56abe7209a50c0f8c009466c5fd617 |
| SHA1 | a2e76ea77c093017720ffe8cbc7719c7155ccdcc |
| SHA256 | f047c93da7c93c1562c9c435ea8b70c08447b0e9a290c4bdaef811d5bc491676 |
| SHA512 | 517af004152f110342a3a2218a14925236427e069cb53a9139dd8e0393074ea846858b80e3b99a57a6072ade5a96079f95d955848c3c4b919fdac255f1df1a8e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 25000d476e94080088a03caccf199453 |
| SHA1 | 42d1ff25119582c1d145f392283a104227175b6c |
| SHA256 | 63abe5db5774bfe5792abc6727de7aee58bd6be25fd340ef079ae28184e1a19b |
| SHA512 | 70211ad821665ae9c7fc15745962fb99233aaa59f48e32ab2b7fd5e561df35e5130ec2830d3c21f5a05639708071f16f2831f0aa23ff72f3be325df3e6cc2577 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 87e8230a9ca3f0c5ccfa56f70276e2f2 |
| SHA1 | eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7 |
| SHA256 | e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9 |
| SHA512 | 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 79d078cdc9011c0920e869794ca0624d |
| SHA1 | 679b94db31e4b6fa7f7c802df9c416366d64f04f |
| SHA256 | dbfff3d3ce31786993d39b229ac4bbb4320f13b5a8d2f266dd18a0ac481c3895 |
| SHA512 | d838454cc3330ea9d93bc5498fa1433d30ddf14e97e65590870686829a85dff090b98dab6be88078599ff6aea3e4d661d7429d48a698f8e3e8a2daae299df818 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a843d6991105d60c94d67c62589b2e3d |
| SHA1 | 51b20cd76a6c651c0076b10731cbe0011036e282 |
| SHA256 | 05586328ed83784c908b7d5d1771bb8ecec75e9a22ab064ba7546f25d0f815dc |
| SHA512 | 4e7d78f4ca4d6170249dbb31ac27556c1a047e60e8f47eb9dfb295410b51c261fdfb67567555adfa7cc7d88c9dddd8394368f4a6f485da01b1d156a4df3c2eb1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8f1bca1e277e7d4a59fbfedf1c31d272 |
| SHA1 | 857710d3def601a5dc9373df628310c7b1c847be |
| SHA256 | 9decfe791d26f41309c8c22310c972217f8a47075fe28267de6547394082f7af |
| SHA512 | 83d1844598f96c9629c22325f21668a8c58c4bb6153a09228deb878f51f2ae2ee3999395b99d3a3268353fcfcd22ad5b96cf1c80f8e55db14b4a050e32e93cab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 08ee637cc42775f5900735126ca09ef7 |
| SHA1 | 1626887b0d654b50ee83a1fa7513bd6adf5f44b8 |
| SHA256 | 478ef925837e53dc4bdc10a729add35273530248b475c0d3501e7bef43779999 |
| SHA512 | 7f1b845edf74e93717c2bf6d8748ec411ee82942c6f5f7d71e22cdc29c8e465bd241689ff42082f9e0172000c8923074dca8671a20764b27d2937d18f9c88cdb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 661ebd927df5e9cdab94a5a68f07b91c |
| SHA1 | fe9b6c842892dce71573bc1750628d7757b3f15f |
| SHA256 | 29924e9fba80a0a72f49a7a12064b8e4d24b190d361a967e8e124f93b86341e8 |
| SHA512 | 0f6f3db5d26913088c7439494d2cb6e036c7bd0ff4484359e8989148fe9f20e09db8ea5b57727c28ef59de45b1172f5f6e1d96f2ebda80edfe8e8ff5399be5c2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 337f4ae4287180f1bfb12eba27c937e3 |
| SHA1 | f057c77a5d7f7efc39064c14b7555dc8aefadf6e |
| SHA256 | 30f14d5774a495d1f9a0cd2ca3050a2242024ac904cac328fc2bfd242e9d09b1 |
| SHA512 | bc70568a79bf6f1ce54b56b1e0ca7611163cefeedb4ea599b3930aa863a79289f766baea461ec7c93a3d82cacea9c91a742587a53a1e7db7e594292e2c89b74c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8b04f27950834152e9fca58691713f34 |
| SHA1 | a7dd3970e4ab9d59d2372e5aa30a16122617c9eb |
| SHA256 | 1964a4dd6c2e7a427034304a8345672fd4c74efaa6b99a3cb3a2094cf2ba0722 |
| SHA512 | 0249b513214b1c0f1ff6e18afcf0370ed59e548dda6edb41cfccc44f398a8ee203114037e4ff2d9e3d1d5d4e122163f57601e2ff70630ae3dc22f306f6a95edc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6721273e37f6d2ce13fb6a2a426efc2b |
| SHA1 | 06f88e825825bb4a1081a626e0ddc852ef01693a |
| SHA256 | 58cd0838d7d3df15cc63fb8de223f7dc7f8a805a747b1bb6f8744490b0de9a5f |
| SHA512 | 3578003e99b0addd804da52f42497f5bb152a91617748ce464f50097069e7ad37229816bbff263e8f39bce3c9a131263bef9eef5e90b92787547b684ef038f39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e8ff.TMP
| MD5 | 6a74d0deb7e99067a7eedcf348a9424e |
| SHA1 | 9bb20fe135357af23306821ccad74961397459c5 |
| SHA256 | bbb40f1ad9790a7265f3d260a49f83eed5989843b3aca0f5eac60ea4873c99dd |
| SHA512 | 707015fd94ae629b034a257ec75263bc28fc5e903a893865f68e7744a8eef3c1225279686707d1d9162066003c0de61ee7a31e058a0a1cece3dc91e62dd1db63 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9a001145d5be2d1fd4ef78e91fe1464e |
| SHA1 | 73dcb58c640ca5fa5715a8c6f97343fc5a868b10 |
| SHA256 | 9acc3b4cfedd4b90326ad4d523f98ac772ee9941d89b9c0c5846c60a003af36f |
| SHA512 | 5f888a0f0b2b44b7ec16f9cd4f5a4aee460b54e0130182ed8fa3025f43015015a790d41535b53fbf8e5207f966ca7cd6bc758390552911afb281ac02db8c44bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | eca3fc1dd64fb70d6154ea46f4536086 |
| SHA1 | 15cf7fa40871be7d813fb007ee77c41ff914707a |
| SHA256 | 98cf1bf991397da8b074a28fd3891133fb302bcf57a3f56f1b2871b3efd1ae7d |
| SHA512 | bb203c901e575b3c2143d1d2d191ecb2e5d7c1dc23197b46c7e1abaf73079e3c46ab74498720ce0f5b83984adec1932be9007e60c6703797e11f846d4c7c0900 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a21dcb53a1ecde2c95e9ea7e498e5987 |
| SHA1 | d7a3173330864d6e4cec2f609ae8b3be373c5437 |
| SHA256 | f7b6a4352b12d6a3d381d17bc9cb2c480e5f58e85fe2f9002435526a8a525dce |
| SHA512 | 3d7eb8b336701664541b61d1a939bfe6c79041cc198f7d223880b5ea7293a7cd4150c540fed74c72b1fb75efd632e547bf0b56b1a1ffb9e3c2bbea7e82965d9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 71040f58ae1c25b2175c2156b212b538 |
| SHA1 | 6df4fd98873b17fc17fb17df51b7c144afe3f4e8 |
| SHA256 | 990a3fb2a015a8de6aad381a3f774948ad9e3d2a6f5535d8768ac8b3ae760cc1 |
| SHA512 | ddafaee63d081877d9f06b5970d3b1d049c50ff1897c2c33941c28c954e5f15e9222e59a37473d3a21b1fbf09c92c03c234fb3cefc76a0700770ff167e284c57 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ba312451e2c08a286eacbdb8a987d2d2 |
| SHA1 | 6174a9e172305f6df53c53d61418dd583af9a0be |
| SHA256 | aa19d0d392c5d7fd837054f8265a63cd3dfb5a85d358f242abc4d37f6d0c8281 |
| SHA512 | 72d38d44fdbb70d71615027e824d7f1aaa28d8edd72dace7135d4bf468fd01deb3cee03b388267875830ad693b60200eee1931c83ebdf3158893d0650273aec6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
| MD5 | 2e2e2aa2f8a2342f28069a05e8048ffb |
| SHA1 | 8c3c5aa3b42b4cb7763cf6b51964aa2cb04b7ecf |
| SHA256 | 7f39736ae679681a159e01b987a9d5fd60172adf154ed266d555419ce221abc2 |
| SHA512 | 8d8fc9537f5af3ec5f7f4948637c0bf48001fd147e1b4fc342677623e3c4f1a4fbc198293edb8f3418ea6c78925e56cf065268b59c97bd6c4d9f7ebf14e710e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0d3f9ed2af4e88f5ba302472a034f7c6 |
| SHA1 | 11834928acf75827f30e52d066aacb832c3cd564 |
| SHA256 | d4bdc6c14c631c5244c807ad4b4d8d05b19aaee31dc78fb601308624b7ca0205 |
| SHA512 | 7b3b0e5c4a1074ca5d3a421415b45f3928c3cb72a776ef73766951dc6b73cae9c721bec9515d6cea97d5e57a6da502960d8a3c022142c3e0efd942311462a70d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | adf2df4a8072227a229a3f8cf81dc9df |
| SHA1 | 48b588df27e0a83fa3c56d97d68700170a58bd36 |
| SHA256 | 2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c |
| SHA512 | d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
| MD5 | d2610a5d8eb0910f15b4d0ba1db62ad1 |
| SHA1 | a48324d4034a4aede07736a1e1236edc09f82109 |
| SHA256 | 30cfccf9517449b44740afc542d5ef80255071b5fbf4f36d767bd479dec3fdb6 |
| SHA512 | 06c3abdb2ed0d6b9ab1f9b2172b1ac28862a8b27abbcc64250aa43302792cba76a201b2b1a180159a50658ba34657464335cee2f2cd8511e34133657bc1b60dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
| MD5 | 8e01662903be9168b6c368070e422741 |
| SHA1 | 52d65becbc262c5599e90c3b50d5a0d0ce5de848 |
| SHA256 | ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a |
| SHA512 | 42b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
| MD5 | 58795165fd616e7533d2fee408040605 |
| SHA1 | 577e9fb5de2152fec8f871064351a45c5333f10e |
| SHA256 | e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e |
| SHA512 | b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 41906d9d09116eb9d2f77f177d276bbb |
| SHA1 | 662dfffb47326fda0bd1983328399c2f22812188 |
| SHA256 | 82abd71e77921d688e8e1f09337e261f1a39369ac0d62ba6c6e28a236397ed01 |
| SHA512 | 48baad7d87c0f064fe78239def41dba34e87baa7ffdeac3a27a2b9f92cae135db67de2b7232797f2b106205aadf0b00402811cfab2c9e28036e1ac1b4e6fbabb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 78f2fb7ad1ad7df696bd86b849164a0a |
| SHA1 | ca792bcd76589ce5eb8fd6ea8740e450d30c51c6 |
| SHA256 | 00d6d66a79d81feded342ca7ae75dbb2486024ec57378411533927bb8fb2e251 |
| SHA512 | 7113aa8102104682634ebe928eea6584bae80d5f48e59fff01d9df62fceb9d59ab5f6701065a6abff009322eff4212d06e10b3386663cbf3e9ae5df5a580600d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ce94610b43403081ef370b88b484c5bd |
| SHA1 | ce4400abfe7a0c844664f79a96d1e48e8dc0594f |
| SHA256 | 0e57426b697b88140559e47d0bb9d472b7864c2a2195253ef512b1cfe8f90f50 |
| SHA512 | c989ce2eca093da67c321035cfdcdf870fd84792397189993aef767133b9d03501bacca05a351fd7a4d10b9c5557cbebe927f959fb2bed8410708ccce332f9fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 653bfac797eac666c6abd730fe236ce8 |
| SHA1 | 896b61a775098db72e7c3b05b959459975fd5dca |
| SHA256 | 756de3cf62545a6ae5b20e39394fcc81581efd66ac53103c65e19f25ccf83f37 |
| SHA512 | b08b9d11978793e078e3cb8adf319e3e8663721da5f2471bea573100f9c995ce871eed7cc44d63b205c9fe090d4f10daa613a3393e234e9d921ac39d89d83b5a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 43b7c5bd2f637f73ec920efded49b894 |
| SHA1 | de2f01a8e02f845024db24f632dd4c8db0db1954 |
| SHA256 | d3cb2904462b3783ae6ac0df073b2ed7da61ffdefdf2b922f49de887401def7c |
| SHA512 | 9b7a7bc2b88bade6e19a38aac7b86dc299ad571c1ab3c9fb5b3753738ab1e8c02ed9ec1669b73b9e228a36f675122d0bc52e67ad54bef2436eff9b4d094db196 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2d3ee5b4ad46c84e93a4b89ce510c7af |
| SHA1 | e2e9daf61733f4578e154fe0f8312686c2d189f8 |
| SHA256 | 54e41d8423e9681549adb95c93c4a693f6b90db16b63827ce320a140e6b009eb |
| SHA512 | d5adc0e89175932a3a5a6c6e31b9c6bb016a3e17fe9b7b18bd8438dc311a166ee2a1b37c518b7fcc6a47615e698cfb3763681adf93f5ee837ff9531430a30374 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f22f0cef6820bbd6814b98cc9d9cf411 |
| SHA1 | 90d6c650df098b415352262d50373d02bace4ba2 |
| SHA256 | 112573f6e3ea8e5fc79bf2792033e5564a252c923114ddbb102756cbd4c93227 |
| SHA512 | f205fa06e01d34c78ca65256a0bd93bb6de7bf43e4d4be823300b099940d014356eb384a6f42abb9fb74b4daf3a9e4a3a47de63c44cb363e68d4d1b996fb2ad9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a6a28cc96630a340601b62431684cbaa |
| SHA1 | 4b4ce189185d3e2445b19200f7209473ba9fd061 |
| SHA256 | ee2426f84caa401c267864b60c66be271737101593bf75b0ce1432157e905188 |
| SHA512 | 892525f24bd9441f52ef6f5e64d830f2322713ed5e1aae3b08bc12f69dd0fb2a9479c9f871746a4076998e3b200f227ce4dbc094096be48f826c46884886512d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0948cc9b840299e806e9b1923fb69d73 |
| SHA1 | ae5ffc8b7c14670420859d1ca54b07dbc14a6b6f |
| SHA256 | f2cb192c9009880a5254c5b9a79c64e963fffcff97251679739aafb388fde933 |
| SHA512 | 161aca2b0bc2589d275f47adfca469f013be168c209ba8ec646b8b7820064e8ffef0a1bcea83f2db6484e8b3b6bf96bee9c56458278771a5a1a3d74d0db09eb2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5b2bc637d5595fc3c1d978c984d4f962 |
| SHA1 | 5f439a8388ec0226d871de67c59dfa09d7a67b2f |
| SHA256 | 4d3be3786ed29fb1ab296baede9c8a7ca962a224a92b659c37494b4b4934c3ab |
| SHA512 | 0a0c67c5b364554f4c113e544f9bf491dece6b2f83b06d6040ed5f1563b9cd104c13b7622b9ce6256bcc27984cd1b0ab9ef68226eedbdd2653652dfcb3867330 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2508f9f774dff5a_0
| MD5 | 17a70915ce5154a56fd051db974a1c63 |
| SHA1 | ea2c7dc94a609cd358a8bdeb1ad9416cc4c40d2d |
| SHA256 | 53f6bb59a23134c63c8b9d214cf04a1e5e4f16267b24823c166fe3ae04e6a57e |
| SHA512 | 702364498967f3aa8bb5d728cdef64995b0d55db6c2d655ca0f973113e444055154a76e1cd7fba422bd53c8fac2054419785a047b4c274059b0ba8f2b5a0f5c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a69226eb7e1fcb4a_0
| MD5 | 6292af3f8493022d942a0dfa71c15833 |
| SHA1 | 3102f037b9312f00ffab17bda6de50e3cf10a98b |
| SHA256 | aca9ed7aec32bbea99f293e6cdeffe7b833675b28453fbe77a7a52227328445c |
| SHA512 | 128e1aeecb56a7be28b6c6d2f6a10e584536ed08763a837c91af0b5ed37e2e50c9aa907720c9bbac9e9dc2a1f2587581d0b25d9d644ca47085849745682be08e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\19152b7f8e8efcb9_0
| MD5 | 004f06fd095b209ce2d50cbd4bf8b0e1 |
| SHA1 | 7ec364e9ed76bef60b0c8afc953450f7b95a67ae |
| SHA256 | 35f665dc65fe4fef55bcc06eb16e0b741b9e894d819ef85911a422e3170bddc9 |
| SHA512 | 482685b5676f8866778187ce0f7fc5b242033512092a80fe4a7ac8b21d23c2c19ac683f67298afa31571dd8e89d5f346643da2fb1e8e82fb3eaa014c26428ca8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ee08c28427b16c56_0
| MD5 | 52ddeea50f5ebf9aee445f58702cc734 |
| SHA1 | 9cadb6763f97e1c4e02132425ea2eee4af778691 |
| SHA256 | 908d925683c7bb0d51a571d73e9e2db56b4c887e39a2e1f313f62ea7b324e537 |
| SHA512 | 700334eba909d7da3c05320431c46530c53745d6f949302701e5341f8a6617930c296f4494583b8706803705e93dd860e2cd659833384e9701beb5657a237ad0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\12e2c4b18dbb728d_0
| MD5 | 6caf13d28ba03f4e1ee09b41f0ae2a4b |
| SHA1 | 9a371a0b0c39f4191354cdefec603f1a843f4586 |
| SHA256 | 12b379185b84e10136688751e77f050a81c4c0b093100ae1f1709e3910a90a8f |
| SHA512 | bc979758be0c59612cf89e42bb83878c11976040e1d2f96e2d9fd8f14a64ca2b604fc145dd3e3645277a78cc06a00277056b2267e6209546482da877837135bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f0572c9ab2f19dd1_0
| MD5 | 1ae2bf833b71f53e3d1b182dcc58e85c |
| SHA1 | aa59abcafaf832dee10bc7b2a9b3180521bbcb08 |
| SHA256 | 88d47a90080d380895724a5c83be18fa9b89d816320acd32b666a6edbbd4bf55 |
| SHA512 | d7c622a17560ae5f0e80f11f1c6695de162a29fd5d7c79b3ecb48cf8b93a8f3c9ff9d90715ac23a225abc0e144c387a468aaedd23d7f0cd0c94939b37e23d9c2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\038bd4733c27c8ac_0
| MD5 | f51490f1ba2f3bcb90bd42072118a6e0 |
| SHA1 | d28222d334c4e965d7153223dc795463e79d39a4 |
| SHA256 | 6afe4c06ceec1c6108ac1b8792d713d951f455af10f9a6a126775150f21e046e |
| SHA512 | f35b5a89cd10af2c2a75512a407be3720e4ad60d07779532a5f8a39c8ced68a7a51894a52bec677929d3bedaa5502970a7f194da3edce63627412feeaa4b415e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\154000feacda5f15_0
| MD5 | b13b5487342b737d6e565e83b706d0fc |
| SHA1 | 9a17f67b77539d7e8b54ff12815d89d83c88ac21 |
| SHA256 | 1cdbd1eca7c386836b6e7bf0107116603bf7dee9a68960dbc696f4d688005fe1 |
| SHA512 | 887ae9d6a528845c9ea72e2eb728da0952dcb611f22fdf2202ded7611adbf9ddfce2852e248e431f57ea2681c28c921531487e733e3b7e91d278d276d8392ec8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\89db893576032902_0
| MD5 | 58cc4456373dfb52e9a4a80a28745b67 |
| SHA1 | d873644478719d70d5b9dd2200424de48f69e469 |
| SHA256 | 79149d1943a711a1978e9391bac1b119a0f22e928b79410d83c92b58a0bbf870 |
| SHA512 | d1fd62070f9bc37a5c5a66888dd44c3826cac94f0e39164842b6303522b4831c6d003ee5d4b672160c57ff96e601b960fcb1005ed753d501b42d48cc9303af99 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44d5079ad5841b25_0
| MD5 | 93c1bbaa166395fbfac4fe235ba56c0c |
| SHA1 | 3e64d7b6a0dc48883a307accac7b62d1ee68e7fe |
| SHA256 | f2ac1ac5d403c802c60c56a1eecae260da652818546cc45b7e82be08c398f0ca |
| SHA512 | 9ee325594480ea0aa97ce49fe858f18dbbe6fef69afc6a7870869bdb1b5473f88d902f82f7b333ed689e9a06378487be7ef6cb9cf6f8dee9dfc07f5621352e64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eab6493a0dbfe79f_0
| MD5 | 6acd9f91994dccbf8c4f1966c00f2406 |
| SHA1 | e65b84a700bb5f3107ef5e9c6d1db440e305e4b8 |
| SHA256 | eee8e47185ef1aa1fc2dbe931db1ce5b47e6a2ec0e218aab9685d8412bf8b79a |
| SHA512 | 89539a20f05cf990d18c1e643b1db7412bac2bc89dcdffaa28cd467ea3e6f331b13313e65d08ca5b7047352cfe6f7217fbc7f5ef63ed6dcb8354c1a6ad3bcf3a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d0b78a7984afdac_0
| MD5 | faaa7318d2a1c746d23f74291473d64f |
| SHA1 | 06d51c732a5932f5994dd9d5d4eb7b671a60be00 |
| SHA256 | 6fd01ac30797c10c6aed2c14063e9689dd5d7eaed6464282974c191dd79b7e01 |
| SHA512 | eaf64e2bb71ce5ea6c61d588c9a4e5e7bb575f6f32f99610b1c4300e95cfa4fefaf626182c81647de34e558427e434a388734a3e3ff9ec532d540d2eb445e66d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\172b237bc017862d_0
| MD5 | eb7ecd0520633f23cc90e217e0e476cb |
| SHA1 | d7593791298d48a570682930f3639d457c17b247 |
| SHA256 | 4f73184fe15e73fc4b1e6a7faf3eb6d6e16c25b0b44009e1e866882c2acdcf17 |
| SHA512 | 6903b3b8f7919c008725da5574d20d3c36258e78dea2e007af76a8087fcf9c8b4d5bc44191d6e0a61d68f7c1e97d2c1a32e8f2eb563d2f8baae970ffc0c774c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25d24c50d6908129_0
| MD5 | 87b0f4deed81f56c949c0c6a4022667f |
| SHA1 | a869edea50718de89cff6e47ce44ad723dd461ff |
| SHA256 | d496a84bf2290ad6b86a118234daf12e55e1da560c99b05a080cca88f4139691 |
| SHA512 | 552c5b9dd38a6c0127392162ddf13cc7a76480e07a7332edb7bf5bbd48958bf4d6d79eea2a22636920cb514018b069a707c603b98e57f4c9584687166a29827a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bb73c6570251aa2d_0
| MD5 | f2173bf63451fb321d926629a29281e4 |
| SHA1 | 12792332d1db6b7b9e99d5c536e05995d8a577a0 |
| SHA256 | 84db1a9eaa0cc26434a1d50eccbdd01a2f5a0a9ff2260ffec22dc193ad43c61f |
| SHA512 | 4ed66a9ddd832b09f67987b9566303590a93d4f1e8b96e3617d7926e53cf70c9a35d63bd4500c8929b0aefe9d612304440a07a0945a62750823d3dcbe6a6091a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f26997b60d0dff29fcbdc7f4115b5584 |
| SHA1 | 3e8c817475636ee396c692674604b341a0e9f878 |
| SHA256 | 8ccf49aa15c82df17928de91f6a99acf8f47de6dd27cef8b4079ab799f6c19eb |
| SHA512 | 9dfde8da63fb1816537e0d75fcf54cda60a5bda8c48973284f32f1c5b204fb380d6ca1cc7ee9f96d6b121a111fd4c98517b00891171ec67d8969355a6647b636 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7ae572d29309104739f994321ed29fdf |
| SHA1 | 074760cf9f489730907d4f5781bff07aca0daab1 |
| SHA256 | 90ed57e53144eeb86528778f5eb55ebfed4b823d4598c7e5f4b8423afbe4d4f3 |
| SHA512 | 808e5c385d8fd2a6d1dc1d269a5444e3242507907e3d9d2707dbf9b6bdb199a84ce205d1e9b58bb491f07d512221dafebd21e631873d76c99b059eabd55eb802 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | cdb2a02ad5c0ac7d498fdf0113ce0568 |
| SHA1 | 9c54ea6274d592adc7aa9ff0933a3616dd71bdca |
| SHA256 | c56082daabfa59b6c2157a1e2923d42eaf41434130d95d3bdda961fb316afb07 |
| SHA512 | 4f35880ef03dd780bcd37614f6572266d0a4011bbdc78f8ba58a0c616b30f64018853db060117624abf7061115e10fedbd10280a0d5d981717a81877fadab617 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 247d93fb472846e46f4c89df0313a2b4 |
| SHA1 | abff50bca298d67b36b905c9643b48da7735cf4b |
| SHA256 | d21303dd9eebfdfab070366db5c3a171a29e084cccbbc0f1af0347aefc907025 |
| SHA512 | 90a405439a081a6fc2f1aebf40ffb573f72dd53a87e3b054d967e8f2448e6b0a675ded71b29ab85cf71e003471ec8dafd7536e7aa4ed049dc5049bc2d53325cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 25814edacb2ef9606d1696c52a178d49 |
| SHA1 | f86b61f1594a477d1182efa5c604f949a6529cbc |
| SHA256 | 1b91518ddf2085d568e1c8d14ed3f65d2f9e5c472757a95302a352e7f9ec96ea |
| SHA512 | 1717e53a51e979fc97ea196e380f47787762991ff9b53bc6c63f95562988cb8db6fee54d00fdc6b344781709eedbe82a3fd05dbc61890fef315676790b83e06e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1a010cec32fe2a0b82c6fdd2b14c1cae |
| SHA1 | 768db80b8c9cee1767174b87af95c908848f1e27 |
| SHA256 | fa1e97147c0f2a60fa2bb1f0f1d7cd2eda8eab3847235e90af0c0020c419874c |
| SHA512 | b3e1cdad6a8829e48e96f99de582b029267fa51e2b8b3d34ae47fc54f7dfc27b4e0808b062d084b72465ce7ab3684bc0f6966d83bfdcf3d53de1636cf6acd13a |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\python310.dll
| MD5 | b805cebb0242b3bbfe810a19c2b44e3d |
| SHA1 | 62d71b686b64e6efd58852a5e59f4b00cec18f30 |
| SHA256 | 2d2d5746d6a066fcc3e7b8c041ffb7c7722c14b148aed923387dbacc951d732b |
| SHA512 | d46a5b3274aed182d30647d461d1dc7bd2599a43b1914d5a5e882c4298ecf4f11c64272db351257f836806ae55d5f1a0c1369f4159df09c8d7aea9a52d2e1acd |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
memory/2728-2300-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43682\base_library.zip
| MD5 | 9a0182a94b86ea6347bf32487259489f |
| SHA1 | cfaa770f04073a6d2bf63708e8095869c8caed97 |
| SHA256 | 46b77375dd8e1604171dabb79b4ffc3bd70e3e6e2235d1b65ef5174a9b37c73c |
| SHA512 | b02e148521f7bfd2068859654ef0bb5e17f81e4877c510c7200e9354f1fd160aa0763f65be84cdccfa4f65e37faac97c8b2c709eba3c2b9701fa41ae133bc4ad |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\python3.dll
| MD5 | fd4a39e7c1f7f07cf635145a2af0dc3a |
| SHA1 | 05292ba14acc978bb195818499a294028ab644bd |
| SHA256 | dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9 |
| SHA512 | 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_ctypes.pyd
| MD5 | 3df3965a4861ad800bb2a59fae6d1ac0 |
| SHA1 | 16bac0309f2e1cdfa7a68aa758fcd665086cf2cc |
| SHA256 | 2978cbba8e8605467392c3e08cf6b857910d51d661c01224774e9dc8fd759a5e |
| SHA512 | 9f8f8ff6002be45439bf892fc8b2087060947408060163eab7706fd825f1db9e07ff6edf5a3f19ab36e7e3a7e7cb57d262db2b6050d3cb1a0fdd165150029451 |
memory/2728-2309-0x00007FFFD51D0000-0x00007FFFD51F4000-memory.dmp
memory/2728-2310-0x00007FFFEA470000-0x00007FFFEA47F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libffi-7.dll
| MD5 | 36b9af930baedaf9100630b96f241c6c |
| SHA1 | b1d8416250717ed6b928b4632f2259492a1d64a4 |
| SHA256 | d2159e1d1c9853558b192c75d64033e09e7de2da2b3f1bf26745124ed33fbf86 |
| SHA512 | 5984b32a63a4440a13ebd2f5ca0b22f1391e63ac15fe67a94d4a579d58b8bb0628980a2be484ac65ad3a215bbe44bd14fe33ec7b3581c6ab521f530395847dd5 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_bz2.pyd
| MD5 | 8be644c64a05f3fa54cda06ca3342fa1 |
| SHA1 | 6ce140b2f709a77087c497d49425583fd285f9e2 |
| SHA256 | 5a33ca97cd32e517d9f80fceaa8322a17255bff555bd7e29c8b29b126d493dd4 |
| SHA512 | ec614aec09e09c0fbff82cb4f318fa41adc992507287ee9559164e223bafbfdc13082ce558ca2b019d0f275b51b95d7a74f5aaef0e2c9a26b05e6212e0231ab6 |
memory/2728-2313-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_lzma.pyd
| MD5 | 81534509a5816e2807f758a484482851 |
| SHA1 | debaf2d93852c0a8103411290c76f38b511dc86d |
| SHA256 | 83d0e0c2763074671605b62f64513dc9e4ff61e010b30e3d740b430b797edace |
| SHA512 | 21f00c5f7fb8c7560563a32aab3a2c30a7c2803bfa2647e83fc5d9e5016e359dfda28af128ec4671b763085d301685f904ae111120dc3ca9452b41eec323165f |
memory/2728-2316-0x00007FFFD51A0000-0x00007FFFD51CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 5988556d3aa9170627d75daeecf3cee7 |
| SHA1 | ad7fa07b5ed0918b98cd35d74c601c9e10749137 |
| SHA256 | 90fdea940467e80faa5d4f921c1a5c65a6e918f6d939747227b0cfaf7bfe149e |
| SHA512 | 49471bba4703902eca73055d3ed008eb002ce5f448ad870db3a7de89cf064d604ee6c0b87cca82cd9e36d21c86b6f21245102862643f4455bd230c9e488448b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_asyncio.pyd
| MD5 | e70260b36b01adec2d4ea149c51d5ae7 |
| SHA1 | 36127c697e77258bee84ec0dc543e211a2856853 |
| SHA256 | af589fc66a197c187b283bbc311c8a9251f6a8c45f400cd65d841239ec905286 |
| SHA512 | 34fb0a1e4cfc7e0d5f52ee0e2d7dba1930c8e4f94f365515453e24c5f5771486447d70a8826e281f1af2cab2010ae9f4588b9acfae7c2d506a87309095de5fd5 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\zlib1.dll
| MD5 | ee06185c239216ad4c70f74e7c011aa6 |
| SHA1 | 40e66b92ff38c9b1216511d5b1119fe9da6c2703 |
| SHA256 | 0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466 |
| SHA512 | baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\VCRUNTIME140_1.dll
| MD5 | 135359d350f72ad4bf716b764d39e749 |
| SHA1 | 2e59d9bbcce356f0fece56c9c4917a5cacec63d7 |
| SHA256 | 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32 |
| SHA512 | cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\unicodedata.pyd
| MD5 | 57f99474530a6c9c1d187d18bd5463ce |
| SHA1 | 4454a66d48adc2806260f4fff00a6009be869fac |
| SHA256 | 195930c1b330eafacd7c408087cd9ce967e06f301974d7a64e21c4b531b2e091 |
| SHA512 | fb70b4c486125c010bdd3f5214e2d2c207b43e20ce70a4452ef58813af7a6019a8a3de463141b58939de11ce90c592232e70df73ad55c591b7cb06f0ebe9e77e |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\tk86t.dll
| MD5 | 19adc6ec8b32110665dffe46c828c09f |
| SHA1 | 964eca5250e728ea2a0d57dda95b0626f5b7bf09 |
| SHA256 | 6d134200c9955497c5829860f7373d99eec8cbe4936c8e777b996da5c3546ba7 |
| SHA512 | 4baa632c45a97dc2ca0f0b52fd3882d083b9d83a88e0fa2f29b269e16ad7387029423839756ee052348589b216509a85f5d6ee05a1e8a1850ce5d673ae859c27 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\tcl86t.dll
| MD5 | 2ac611c106c5271a3789c043bf36bf76 |
| SHA1 | 1f549bff37baf84c458fc798a8152cc147aadf6e |
| SHA256 | 7410e4e74a3f5941bb161fc6fc8675227de2ad28a1cec9b627631faa0ed330e6 |
| SHA512 | 3763a63f45fc48f0c76874704911bcefe0ace8d034f9af3ea1401e60aa993fda6174ae61b951188bec009a14d7d33070b064e1293020b6fd4748bee5c35bbd08 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\sqlite3.dll
| MD5 | 3ba6e7250b30b61aa13fab9a70a6735a |
| SHA1 | a0609137a1659a8ed0e565443ed92827c6c2b3d8 |
| SHA256 | 90ac063f58ae3030d9400b904b46a49126171e7e8202cb093c13d045adb52b9d |
| SHA512 | 4d4e8fb67e4a7d71ce81cb40e0ec553d2380827ab4947c25c437366645c94b6bd27108134836299c74cf2481264fad4e849b5fd523dfb494f1dee4907e000778 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\select.pyd
| MD5 | e51cbc710092a9510a2e87ddb288a2c8 |
| SHA1 | 083faa71d120d291e74afb0543ec3923b3a7c05a |
| SHA256 | c781971a01bef8e8bb8816daef7dc9bbd6c12369245012a75e1aedb0e4114741 |
| SHA512 | be8ba3ff18fb06bfbcffe9cf3755687bb99b6fd24f263ad74de70adee9213b6935a592d33aa5190674b466227060c6047f8b12a3371347a3cfb0abf472c7af29 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2_ttf.dll
| MD5 | eb0ce62f775f8bd6209bde245a8d0b93 |
| SHA1 | 5a5d039e0c2a9d763bb65082e09f64c8f3696a71 |
| SHA256 | 74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a |
| SHA512 | 34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2_mixer.dll
| MD5 | b7b45f61e3bb00ccd4ca92b2a003e3a3 |
| SHA1 | 5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc |
| SHA256 | 1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095 |
| SHA512 | d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2_image.dll
| MD5 | 25e2a737dcda9b99666da75e945227ea |
| SHA1 | d38e086a6a0bacbce095db79411c50739f3acea4 |
| SHA256 | 22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c |
| SHA512 | 63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2.dll
| MD5 | ec3c1d17b379968a4890be9eaab73548 |
| SHA1 | 7dbc6acee3b9860b46c0290a9b94a344d1927578 |
| SHA256 | aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f |
| SHA512 | 06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\pyexpat.pyd
| MD5 | f94a88c380d6dd7adead8b0b199b13e9 |
| SHA1 | 45aa9c8b4a320218bb4a201be5bb21468d57cea0 |
| SHA256 | 8b2ad9632805eb0706308a05cc12d408c8218f2f288e3ac0228157854b09f342 |
| SHA512 | bd6bdbc53ccc250b1280193cabbc1292354fda7a81d24e4e85274b2c5fc045bfed9d30e220ac6816a3db040869eed2b784a7db484908c34290548710172f870f |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\portmidi.dll
| MD5 | 0df0699727e9d2179f7fd85a61c58bdf |
| SHA1 | 82397ee85472c355725955257c0da207fa19bf59 |
| SHA256 | 97a53e8de3f1b2512f0295b5de98fa7a23023a0e4c4008ae534acdba54110c61 |
| SHA512 | 196e41a34a60de83cb24caa5fc95820fd36371719487350bc2768354edf39eeb6c7860ff3fd9ecf570abb4288523d7ab934e86e85202b9753b135d07180678cd |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libwebp-7.dll
| MD5 | b0dd211ec05b441767ea7f65a6f87235 |
| SHA1 | 280f45a676c40bd85ed5541ceb4bafc94d7895f3 |
| SHA256 | fc06b8f92e86b848a17eaf7ed93464f54ed1f129a869868a74a75105ff8ce56e |
| SHA512 | eaeb83e46c8ca261e79b3432ec2199f163c44f180eb483d66a71ad530ba488eb4cdbd911633e34696a4ccc035e238bc250a8247f318aa2f0cd9759cad4f90fff |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libtiff-5.dll
| MD5 | ebad1fa14342d14a6b30e01ebc6d23c1 |
| SHA1 | 9c4718e98e90f176c57648fa4ed5476f438b80a7 |
| SHA256 | 4f50820827ac76042752809479c357063fe5653188654a6ba4df639da2fbf3ca |
| SHA512 | 91872eaa1f3f45232ab2d753585e650ded24c6cc8cc1d2a476fa98a61210177bd83570c52594b5ad562fc27cb76e034122f16a922c6910e4ed486da1d3c45c24 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libssl-1_1.dll
| MD5 | d8b6d2da0374b0ea1ee4c84fba94a073 |
| SHA1 | 3a00d6af23d54ec54ab1d09b6a9dc422aa9b0658 |
| SHA256 | 4a27997d7de463b1fb7bbb7b18508bdbb173248e0f985fdc040cedd15c79e8d9 |
| SHA512 | c47809eb65f8f949d8328bbbaf523e42533d132d06e890cc02cb24273872b5867fa5e35de7d8cd12c8d3c707729b2448ebe32edbe0fee66f8daa8cea56fa838c |
memory/2728-2344-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libpng16-16.dll
| MD5 | 55009dd953f500022c102cfb3f6a8a6c |
| SHA1 | 07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb |
| SHA256 | 20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2 |
| SHA512 | 4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libopusfile-0.dll
| MD5 | 2d5274bea7ef82f6158716d392b1be52 |
| SHA1 | ce2ff6e211450352eec7417a195b74fbd736eb24 |
| SHA256 | 6dea07c27c0cc5763347357e10c3b17af318268f0f17c7b165325ce524a0e8d5 |
| SHA512 | 9973d68b23396b3aa09d2079d18f2c463e807c9c1fdf4b1a5f29d561e8d5e62153e0c7be23b63975ad179b9599ff6b0cf08ebdbe843d194483e7ec3e7aeb232a |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libopus-0.x64.dll
| MD5 | e56f1b8c782d39fd19b5c9ade735b51b |
| SHA1 | 3d1dc7e70a655ba9058958a17efabe76953a00b4 |
| SHA256 | fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732 |
| SHA512 | b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libopus-0.dll
| MD5 | 3fb9d9e8daa2326aad43a5fc5ddab689 |
| SHA1 | 55523c665414233863356d14452146a760747165 |
| SHA256 | fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491 |
| SHA512 | f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libogg-0.dll
| MD5 | 0d65168162287df89af79bb9be79f65b |
| SHA1 | 3e5af700b8c3e1a558105284ecd21b73b765a6dc |
| SHA256 | 2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24 |
| SHA512 | 69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libmodplug-1.dll
| MD5 | 2bb2e7fa60884113f23dcb4fd266c4a6 |
| SHA1 | 36bbd1e8f7ee1747c7007a3c297d429500183d73 |
| SHA256 | 9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b |
| SHA512 | 1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libjpeg-9.dll
| MD5 | c22b781bb21bffbea478b76ad6ed1a28 |
| SHA1 | 66cc6495ba5e531b0fe22731875250c720262db1 |
| SHA256 | 1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd |
| SHA512 | 9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libcrypto-1_1.dll
| MD5 | dcd4e9410cd8612a111de1f21956bd03 |
| SHA1 | c8ac617549d23e2f1d8978be072d56120b41db2e |
| SHA256 | 32e71ee0a601dd330b1224f92af42bc2343327ebd345a2f82991102c61aaff51 |
| SHA512 | 7a96a53a567a446bcdf123a86c3a3c8934445e619fbf08b95fea4cbccf2f41151b992233993255cdd0335ac685b4dae7abb96b7f371fd3d630a9edded78e5236 |
C:\Users\Admin\AppData\Local\Temp\_MEI43682\freetype.dll
| MD5 | 04a9825dc286549ee3fa29e2b06ca944 |
| SHA1 | 5bed779bf591752bb7aa9428189ec7f3c1137461 |
| SHA256 | 50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde |
| SHA512 | 0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec |
memory/2728-2345-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp
memory/2728-2346-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp
memory/2728-2347-0x00007FFFEA1E0000-0x00007FFFEA1ED000-memory.dmp
memory/2728-2348-0x00007FFFD4BE0000-0x00007FFFD4C0E000-memory.dmp
memory/2728-2349-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp
memory/2728-2350-0x00007FFFD4B20000-0x00007FFFD4BD8000-memory.dmp
memory/2728-2352-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp
memory/2728-2351-0x00007FFFD51D0000-0x00007FFFD51F4000-memory.dmp
memory/2728-2353-0x00007FFFE68E0000-0x00007FFFE68EB000-memory.dmp
memory/2728-2355-0x00007FFFD4AF0000-0x00007FFFD4B17000-memory.dmp
memory/2728-2354-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp
memory/2728-2357-0x00007FFFD3F50000-0x00007FFFD4068000-memory.dmp
memory/2728-2356-0x00007FFFD51A0000-0x00007FFFD51CC000-memory.dmp
memory/2728-2359-0x00007FFFD4AB0000-0x00007FFFD4AE7000-memory.dmp
memory/2728-2358-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp
memory/2728-2366-0x00007FFFE3BF0000-0x00007FFFE3BFC000-memory.dmp
memory/2728-2365-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp
memory/2728-2364-0x00007FFFE5260000-0x00007FFFE526B000-memory.dmp
memory/2728-2363-0x00007FFFE46A0000-0x00007FFFE46AB000-memory.dmp
memory/2728-2362-0x00007FFFE50E0000-0x00007FFFE50EC000-memory.dmp
memory/2728-2361-0x00007FFFE6140000-0x00007FFFE614B000-memory.dmp
memory/2728-2360-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp
memory/2728-2374-0x00007FFFD4B20000-0x00007FFFD4BD8000-memory.dmp
memory/2728-2373-0x00007FFFDC910000-0x00007FFFDC91B000-memory.dmp
memory/2728-2377-0x00007FFFD4AA0000-0x00007FFFD4AAC000-memory.dmp
memory/2728-2376-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp
memory/2728-2375-0x00007FFFDC900000-0x00007FFFDC90B000-memory.dmp
memory/2728-2372-0x00007FFFDCE60000-0x00007FFFDCE6C000-memory.dmp
memory/2728-2371-0x00007FFFD4BE0000-0x00007FFFD4C0E000-memory.dmp
memory/2728-2370-0x00007FFFDCE70000-0x00007FFFDCE7E000-memory.dmp
memory/2728-2369-0x00007FFFDF640000-0x00007FFFDF64D000-memory.dmp
memory/2728-2368-0x00007FFFE1D50000-0x00007FFFE1D5C000-memory.dmp
memory/2728-2367-0x00007FFFE2240000-0x00007FFFE224B000-memory.dmp
memory/2728-2378-0x00007FFFD4A90000-0x00007FFFD4A9B000-memory.dmp
memory/2728-2379-0x00007FFFD4AF0000-0x00007FFFD4B17000-memory.dmp
memory/2728-2383-0x00007FFFD4A50000-0x00007FFFD4A5C000-memory.dmp
memory/2728-2382-0x00007FFFD4A60000-0x00007FFFD4A72000-memory.dmp
memory/2728-2381-0x00007FFFD4A80000-0x00007FFFD4A8D000-memory.dmp
memory/2728-2380-0x00007FFFD3F50000-0x00007FFFD4068000-memory.dmp
memory/2728-2386-0x00007FFFD4A40000-0x00007FFFD4A50000-memory.dmp
memory/2728-2389-0x00007FFFD4460000-0x00007FFFD4482000-memory.dmp
memory/2728-2388-0x00007FFFD4440000-0x00007FFFD445B000-memory.dmp
memory/2728-2387-0x00007FFFD4490000-0x00007FFFD44A4000-memory.dmp
memory/2728-2385-0x00007FFFD44B0000-0x00007FFFD44C4000-memory.dmp
memory/2728-2384-0x00007FFFD4AB0000-0x00007FFFD4AE7000-memory.dmp
memory/2728-2390-0x00007FFFD3F30000-0x00007FFFD3F48000-memory.dmp
memory/2728-2391-0x00007FFFD3EE0000-0x00007FFFD3F2D000-memory.dmp
memory/2728-2392-0x00007FFFD3EC0000-0x00007FFFD3ED1000-memory.dmp
memory/2728-2393-0x00007FFFD3E80000-0x00007FFFD3EB2000-memory.dmp
memory/2728-2394-0x00007FFFD3E50000-0x00007FFFD3E6E000-memory.dmp
memory/2728-2396-0x00007FFFD3AD0000-0x00007FFFD3B2D000-memory.dmp
memory/2728-2395-0x00007FFFD4A50000-0x00007FFFD4A5C000-memory.dmp
memory/2728-2398-0x00007FFFD3BF0000-0x00007FFFD3C19000-memory.dmp
memory/2728-2400-0x00007FFFD3AA0000-0x00007FFFD3ACE000-memory.dmp
memory/2728-2399-0x00007FFFD4A40000-0x00007FFFD4A50000-memory.dmp
memory/2728-2397-0x00007FFFD44B0000-0x00007FFFD44C4000-memory.dmp
memory/2728-2402-0x00007FFFD3BD0000-0x00007FFFD3BEF000-memory.dmp
memory/2728-2401-0x00007FFFD4440000-0x00007FFFD445B000-memory.dmp
memory/2728-2404-0x00007FFFD3920000-0x00007FFFD3A9A000-memory.dmp
memory/2728-2403-0x00007FFFD4460000-0x00007FFFD4482000-memory.dmp
memory/2728-2406-0x00007FFFD3900000-0x00007FFFD3918000-memory.dmp
memory/2728-2405-0x00007FFFD3F30000-0x00007FFFD3F48000-memory.dmp
memory/2728-2408-0x00007FFFD3E30000-0x00007FFFD3E3B000-memory.dmp
memory/2728-2407-0x00007FFFD3EE0000-0x00007FFFD3F2D000-memory.dmp
memory/2728-2409-0x00007FFFD38F0000-0x00007FFFD38FB000-memory.dmp
memory/2728-2411-0x00007FFFD38E0000-0x00007FFFD38EC000-memory.dmp
memory/2728-2410-0x00007FFFD3E80000-0x00007FFFD3EB2000-memory.dmp
memory/2728-2412-0x00007FFFD38D0000-0x00007FFFD38DB000-memory.dmp
memory/2728-2416-0x00007FFFD38B0000-0x00007FFFD38BB000-memory.dmp
memory/2728-2415-0x00007FFFD38C0000-0x00007FFFD38CC000-memory.dmp
memory/2728-2414-0x00007FFFD3BF0000-0x00007FFFD3C19000-memory.dmp
memory/2728-2413-0x00007FFFD3AD0000-0x00007FFFD3B2D000-memory.dmp
memory/2728-2417-0x00007FFFD3AA0000-0x00007FFFD3ACE000-memory.dmp
memory/2728-2418-0x00007FFFD38A0000-0x00007FFFD38AC000-memory.dmp
memory/2728-2428-0x00007FFFD2AB0000-0x00007FFFD2ABB000-memory.dmp
memory/2728-2427-0x00007FFFD3900000-0x00007FFFD3918000-memory.dmp
memory/2728-2426-0x00007FFFD2AC0000-0x00007FFFD2ACC000-memory.dmp
memory/2728-2432-0x00007FFFD38F0000-0x00007FFFD38FB000-memory.dmp
memory/2728-2431-0x00007FFFD2A70000-0x00007FFFD2A7C000-memory.dmp
memory/2728-2430-0x00007FFFD2A80000-0x00007FFFD2A92000-memory.dmp
memory/2728-2429-0x00007FFFD2AA0000-0x00007FFFD2AAD000-memory.dmp
memory/2728-2425-0x00007FFFD3870000-0x00007FFFD387C000-memory.dmp
memory/2728-2424-0x00007FFFD3880000-0x00007FFFD388E000-memory.dmp
memory/2728-2423-0x00007FFFD3850000-0x00007FFFD385B000-memory.dmp
memory/2728-2422-0x00007FFFD3860000-0x00007FFFD386B000-memory.dmp
memory/2728-2421-0x00007FFFD3890000-0x00007FFFD389D000-memory.dmp
memory/2728-2420-0x00007FFFD3920000-0x00007FFFD3A9A000-memory.dmp
memory/2728-2419-0x00007FFFD3BD0000-0x00007FFFD3BEF000-memory.dmp
memory/2728-2433-0x00007FFFD2A30000-0x00007FFFD2A65000-memory.dmp
memory/2728-2434-0x00007FFFD2970000-0x00007FFFD2A2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_to12mvdc.0sm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2728-2492-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp
memory/2728-2508-0x00007FFFD3EE0000-0x00007FFFD3F2D000-memory.dmp
memory/2728-2509-0x000001F54CB90000-0x000001F54D38C000-memory.dmp
memory/2728-2510-0x00007FFFCF1D0000-0x00007FFFCF245000-memory.dmp
memory/2728-2507-0x00007FFFD3F30000-0x00007FFFD3F48000-memory.dmp
memory/2728-2506-0x00007FFFD4440000-0x00007FFFD445B000-memory.dmp
memory/2728-2505-0x00007FFFD4460000-0x00007FFFD4482000-memory.dmp
memory/2728-2504-0x00007FFFD4490000-0x00007FFFD44A4000-memory.dmp
memory/2728-2503-0x00007FFFD4A40000-0x00007FFFD4A50000-memory.dmp
memory/2728-2502-0x00007FFFD44B0000-0x00007FFFD44C4000-memory.dmp
memory/2728-2501-0x00007FFFD4AB0000-0x00007FFFD4AE7000-memory.dmp
memory/2728-2500-0x00007FFFD3F50000-0x00007FFFD4068000-memory.dmp
memory/2728-2499-0x00007FFFD4AF0000-0x00007FFFD4B17000-memory.dmp
memory/2728-2498-0x00007FFFE68E0000-0x00007FFFE68EB000-memory.dmp
memory/2728-2497-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp
memory/2728-2496-0x00007FFFD4B20000-0x00007FFFD4BD8000-memory.dmp
memory/2728-2495-0x00007FFFD4BE0000-0x00007FFFD4C0E000-memory.dmp
memory/2728-2494-0x00007FFFEA1E0000-0x00007FFFEA1ED000-memory.dmp
memory/2728-2493-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp
memory/2728-2491-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp
memory/2728-2490-0x00007FFFD51A0000-0x00007FFFD51CC000-memory.dmp
memory/2728-2489-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp
memory/2728-2488-0x00007FFFEA470000-0x00007FFFEA47F000-memory.dmp
memory/2728-2487-0x00007FFFD51D0000-0x00007FFFD51F4000-memory.dmp
memory/2728-2486-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI12842\cryptography-44.0.1.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
memory/5480-4916-0x00007FFFE50E0000-0x00007FFFE50EC000-memory.dmp
memory/5480-4936-0x00007FFFD39F0000-0x00007FFFD3A08000-memory.dmp
memory/5480-4935-0x00007FFFD3BD0000-0x00007FFFD3BEB000-memory.dmp
memory/5480-4934-0x00007FFFD3BF0000-0x00007FFFD3C12000-memory.dmp
memory/5480-4933-0x00007FFFD3E40000-0x00007FFFD3E54000-memory.dmp
memory/5480-4932-0x00007FFFD4450000-0x00007FFFD4460000-memory.dmp
memory/5480-4931-0x00007FFFD4460000-0x00007FFFD4474000-memory.dmp
memory/5480-4930-0x00007FFFD4480000-0x00007FFFD448C000-memory.dmp
memory/5480-4929-0x00007FFFD4490000-0x00007FFFD44A2000-memory.dmp
memory/5480-4928-0x00007FFFD44B0000-0x00007FFFD44BD000-memory.dmp
memory/5480-4927-0x00007FFFD44C0000-0x00007FFFD44CB000-memory.dmp
memory/5480-4926-0x00007FFFD4A40000-0x00007FFFD4A4C000-memory.dmp
memory/5480-4925-0x00007FFFDC900000-0x00007FFFDC90B000-memory.dmp
memory/5480-4924-0x00007FFFDC910000-0x00007FFFDC91B000-memory.dmp
memory/5480-4923-0x00007FFFDCE60000-0x00007FFFDCE6C000-memory.dmp
memory/5480-4922-0x00007FFFDCE70000-0x00007FFFDCE7E000-memory.dmp
memory/5480-4921-0x00007FFFDF640000-0x00007FFFDF64D000-memory.dmp
memory/5480-4920-0x00007FFFE1D50000-0x00007FFFE1D5C000-memory.dmp
memory/5480-4919-0x00007FFFE2240000-0x00007FFFE224B000-memory.dmp
memory/5480-4918-0x00007FFFE3BF0000-0x00007FFFE3BFC000-memory.dmp
memory/5480-4917-0x00007FFFE46A0000-0x00007FFFE46AB000-memory.dmp
memory/5480-4913-0x00007FFFD4A50000-0x00007FFFD4A87000-memory.dmp
memory/5480-4914-0x00007FFFE6140000-0x00007FFFE614B000-memory.dmp
memory/5480-4908-0x00007FFFD4AC0000-0x00007FFFD4B78000-memory.dmp
memory/5480-4912-0x00007FFFD3A10000-0x00007FFFD3B28000-memory.dmp
memory/5480-4911-0x00007FFFD4A90000-0x00007FFFD4AB7000-memory.dmp
memory/5480-4910-0x00007FFFE68E0000-0x00007FFFE68EB000-memory.dmp
memory/5480-4909-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp
memory/5480-4907-0x00007FFFD4B80000-0x00007FFFD4BAE000-memory.dmp
memory/5480-4905-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp
memory/5480-4902-0x00007FFFD4BB0000-0x00007FFFD4BDC000-memory.dmp
memory/5480-4901-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp
memory/5480-4898-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp
memory/5480-4899-0x00007FFFD4BE0000-0x00007FFFD4C04000-memory.dmp
memory/5480-4915-0x00007FFFE5260000-0x00007FFFE526B000-memory.dmp
memory/5480-4904-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp
memory/5480-4906-0x00007FFFEA1E0000-0x00007FFFEA1ED000-memory.dmp
memory/5480-4903-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp
memory/5480-4900-0x00007FFFEA470000-0x00007FFFEA47F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_tcl_data\encoding\euc-cn.enc
| MD5 | c5aa0d11439e0f7682dae39445f5dab4 |
| SHA1 | 73a6d55b894e89a7d4cb1cd3ccff82665c303d5c |
| SHA256 | 1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00 |
| SHA512 | eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b47ffe20da84460d478fdfec047f43ab |
| SHA1 | 4e223b65b1e7eb4a9c101fcf3f53427ffa50946e |
| SHA256 | c262230730c75b52b53777a3f863f04635ff6dc7bcb5c888dec293283d60703d |
| SHA512 | 9ff26178542ffb489a4a9c218cd419405cb8597acc4d0153ca2b607e2f31fe0e26f3d32013038be51afe5d8509afe9143eaea29a684a430520fd4eb0dd0a40ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ae2fe6ba1d696445789930adc7cf2b29 |
| SHA1 | 073e4130ecea1b7f981cbe43a75cf813c76269d0 |
| SHA256 | df635a5cffb201b971938566e4fb78f944384a8bd4a6eccd1149e21c3af2e66c |
| SHA512 | dcce8d3c9622bc1408bdc7c228b2a90eb940b4d2d41f711121ecc7d7bf7869e1b3415b369347d3abd9dfe19102f4631d021a2bab337d2f6c8c4fabe2be27e1c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5adffde8c752a862051180e603ca4e9e |
| SHA1 | a6ac600632b7029ae956cc194558621224b19828 |
| SHA256 | 2fb8f809a7957e61ddf50bded9af471466daece7ac5ed7c66d207554fad14f2b |
| SHA512 | eb840bd89e9d40a9a85eb8d159a6a9e2d682e71f5d7c10c69996e2d8263ef227867e27b56b86ec8c717513da909dc853d75414fcc131993d3eb59e35f809b032 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 5f4ba70d785cdbf1671932f1bdb5f633 |
| SHA1 | 9cee09b82f167c573e86dfe4035abaf05cf2fa45 |
| SHA256 | 75342c5ba8b4e6c94dfbf7ae865801313eff260d0f5ba9a6868805df5a833f42 |
| SHA512 | 894f5ade49acb48e7ef91c24ea9a8426fdb85e5b2e5b69df7e3585094c4ea261d5a3b34a5d3a72c44eb964bd892e3308f41afbc79675a3f785bf325a3b282ebc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |