Malware Analysis Report

2025-03-14 23:59

Sample ID 250228-xkl36atya1
Target https://gitea.com/ImMoonDev/pysilon-upload
Tags
badrabbit dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://gitea.com/ImMoonDev/pysilon-upload was found to be: Known bad.

Malicious Activity Summary

badrabbit dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer upx

BadRabbit

Badrabbit family

Dharma family

Dharma

Enumerates VirtualBox DLL files

Renames multiple (676) files with added filename extension

Deletes shadow copies

Sets file to hidden

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Modifies WinLogon

UPX packed file

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Enumerates system info in registry

Modifies registry class

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-28 18:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-28 18:54

Reported

2025-02-28 19:06

Platform

win10ltsc2021-20250217-de

Max time kernel

680s

Max time network

681s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gitea.com/ImMoonDev/pysilon-upload

Signatures

BadRabbit

ransomware badrabbit

Badrabbit family

badrabbit

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
File opened (read-only) C:\windows\system32\vboxmrxnp.dll C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
File opened (read-only) C:\windows\system32\vboxhook.dll C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A

Renames multiple (676) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

defense_evasion

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HD Realtek Audio Player = "C:\\Users\\Admin\\HD Realtek Audio Player\\HD Realtek Audio Player.exe" C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1786400979-876203093-3022739302-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1786400979-876203093-3022739302-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\000.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\Downloads\000.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\Downloads\000.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\ui-strings.js.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_ug.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fa.pak C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\PackageManagementDscUtilities.strings.psd1 C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge.dll.sig.DATA.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Windows Defender\ProtectionManagement.mof C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\mi.pak C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gu.pak.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1 C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Analytics.DATA.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado26.tlb C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons2x.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.id-56974F64.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\BA31.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\infpub.dat C:\Users\Admin\Downloads\BadRabbit.exe N/A
File opened for modification C:\Windows\infpub.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\infpub.dat C:\Users\Admin\Downloads\BadRabbit.exe N/A
File opened for modification C:\Windows\infpub.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\cscc.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dispci.exe C:\Windows\SysWOW64\rundll32.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\BadRabbit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\BadRabbit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "185" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\Downloads\000.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1786400979-876203093-3022739302-1000\{D6ADBA07-F6AF-44C0-86B6-C1D02D8FACCD} C:\Users\Admin\Downloads\000.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
N/A N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
N/A N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
N/A N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Windows\BA31.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\BA31.tmp N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe N/A
N/A N/A C:\Users\Admin\Downloads\000.exe N/A
N/A N/A C:\Users\Admin\Downloads\000.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gitea.com/ImMoonDev/pysilon-upload

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fffe56746f8,0x7fffe5674708,0x7fffe5674718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=2052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=3488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\compressed\" -spe -an -ai#7zMap20849:78:7zEvent4987

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\compressed\discord\" -spe -an -ai#7zMap21657:94:7zEvent26406

C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe

"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"

C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe

"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x51c 0x510

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\HD Realtek Audio Player\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\HD Realtek Audio Player\activate.bat""

C:\Windows\system32\attrib.exe

attrib +s +h .

C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe

"HD Realtek Audio Player.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "source_prepared.exe"

C:\Users\Admin\HD Realtek Audio Player\HD Realtek Audio Player.exe

"HD Realtek Audio Player.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\HD Realtek Audio Player\""

C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe

"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"

C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe

"C:\Users\Admin\Desktop\compressed\discord\source_prepared.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8

C:\Users\Admin\Downloads\BadRabbit.exe

"C:\Users\Admin\Downloads\BadRabbit.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1220684662 && exit"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:22:00

C:\Windows\BA31.tmp

"C:\Windows\BA31.tmp" \\.\pipe\{C0F348EA-E118-45AB-832D-6CDBB4D2B888}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1220684662 && exit"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:22:00

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\Downloads\BadRabbit.exe

"C:\Users\Admin\Downloads\BadRabbit.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\209b0d4dbdb64b3e932894c3b0b336d7 /t 18076 /p 18060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11041695033682229600,7808029691481585847,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8

C:\Users\Admin\Downloads\000.exe

"C:\Users\Admin\Downloads\000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='UR NEXT'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'UR NEXT'

C:\Windows\SysWOW64\shutdown.exe

shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3989855 /state1:0x41c64e6d

C:\Windows\SysWOW64\cmd.exe

/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN drogon

Network

Country Destination Domain Proto
US 8.8.8.8:53 gitea.com udp
US 34.217.253.146:443 gitea.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 34.217.253.146:443 gitea.com tcp
US 34.217.253.146:443 gitea.com tcp
US 34.217.253.146:443 gitea.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 plausible.io udp
GB 79.127.237.132:443 plausible.io tcp
GB 79.127.237.132:443 plausible.io tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 www.google.co.uk udp
BE 74.125.206.154:443 stats.g.doubleclick.net tcp
GB 142.250.180.3:443 www.google.co.uk tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
N/A 224.0.0.251:5353 udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 plausible.io udp
US 8.8.8.8:53 gitea.com udp
US 216.239.32.36:443 region1.analytics.google.com udp
GB 142.250.180.3:443 www.google.co.uk udp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 13.87.96.169:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
N/A 127.0.0.1:56853 tcp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.133.234:443 gateway.discord.gg tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
GB 2.18.27.76:443 r.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 13.87.96.169:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
FR 2.18.143.11:80 sf.symcd.com tcp
US 8.8.8.8:53 sf.symcb.com udp
FR 2.18.143.11:80 sf.symcb.com tcp
US 8.8.8.8:53 rb.symcd.com udp
FR 2.18.143.11:80 rb.symcd.com tcp
US 8.8.8.8:53 rb.symcb.com udp
FR 2.18.143.11:80 rb.symcb.com tcp
US 185.199.111.133:445 raw.githubusercontent.com tcp
GB 2.18.27.76:445 r.bing.com tcp
NL 40.126.32.133:445 login.microsoftonline.com tcp
GB 20.26.156.210:445 api.github.com tcp
N/A 10.127.0.1:445 tcp
US 185.199.108.154:445 github.githubassets.com tcp
GB 2.18.27.76:139 r.bing.com tcp
US 185.199.111.133:139 raw.githubusercontent.com tcp
NL 40.126.32.133:139 login.microsoftonline.com tcp
GB 20.26.156.210:139 api.github.com tcp
N/A 10.127.0.1:139 tcp
US 185.199.108.154:139 github.githubassets.com tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
NL 20.190.160.17:445 login.microsoftonline.com tcp
GB 20.26.156.215:445 github.com tcp
FR 2.18.143.11:445 rb.symcb.com tcp
US 140.82.113.22:445 collector.github.com tcp
US 13.107.21.237:445 www2.bing.com tcp
N/A 10.127.0.5:139 tcp
US 13.107.21.237:139 www2.bing.com tcp
NL 20.190.160.17:139 login.microsoftonline.com tcp
GB 20.26.156.215:139 github.com tcp
US 140.82.113.22:139 collector.github.com tcp
FR 2.18.143.11:139 rb.symcb.com tcp
N/A 10.127.0.6:445 tcp
IE 20.190.159.64:445 login.live.com tcp
IE 20.190.159.64:139 login.live.com tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.140.244.186:443 nav.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav.smartscreen.microsoft.com tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9091da214c5c97c04dfbd4afc733ec2f
SHA1 680c48d5c7cdf8b85d12d76e5b5af7d9ccf452b7
SHA256 565c816ea4b9387afdda41c0fc27e21ff9ae434cdca28af87483a29408d85f68
SHA512 5a561d5ebba54af22f33471f622ece68d4d9ba7e7a4f5b6848122aeb9ce07e51e9a56c1357165a5a7daabd03ecd8244b5759b893660958fe5d9264f7cbca0bee

\??\pipe\LOCAL\crashpad_4976_MUBUACVXDHZDGLBV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e0f8efec07fb31b849ca1b169e8a4c52
SHA1 e51b825b48afd351ff355ac6cbfe6b84e8f7c928
SHA256 58e8a4a2a1a85bcf676972eff47b79b54133a4a9186a52af99f89f13cb49d86d
SHA512 4697ed592d60ecaa368fc10b4fbe001da1bfea8972c2d62031b75931009ffbdc5546dce310cf67a230b2da4ddba035a224897b92f491193a6d59df4287b544a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e13ae87082737b36a13b9e506892a908
SHA1 efadfec582b43b9fa07406ccc9af87d5515fbf17
SHA256 3d037e985ee665e546ef380cda53fc8eab5c2e2aed1a339122cbee29d4edd82b
SHA512 fbdbd928912d66fad576550ad3c264cbdff940ccd3ce097b14aba28021428a69989bbc210c0416edd84e4587c0125b45d638b2fbdecba453dc473c652090e288

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3e745c6284b8ee21c971a8f1f443bbd1
SHA1 0791aa045dfc446b2961d3df3fe1054150c289bb
SHA256 0151c5df5166da0780650df15799762467a53b56a71dd59bcdbd0205addff9cd
SHA512 a6d8a26bd298a05e58c954ff5160303a45d23ff394ce4beaa3f704f9985e918b5bc15ad3e62bb969727e0cfdd647b214467f2f595758e14c80a05333293cbc52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 33319e4acadea81a7ef96df62e26443b
SHA1 e355374082d41fceb2627ea19a6cdd344fb47a0b
SHA256 da75c796eee5a12e4da2cbdf0823af618a8b25a69f5148c0c2785c5a2f663c7f
SHA512 7b8a51fce81a3d2e885845c2f525f25e4901a01a6b95de74c22f653b0149ae5cfa4ede698012871876c7c867bd38b210276fdd8db2b1100ede07eb90e1a73ea3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ba9580674e0c02ab3b8fbdd02f70c63b
SHA1 7f13054333d260ec5d7094bbb47946f3a1264d02
SHA256 dbcb233df8e6b3b10e3c35144d39c166a4b9d14b956d925aa8fe058d5491c908
SHA512 ac3ad9b5a09c557adaaa3b1d58f961d7444920196d546f4126425377d587040bf7272e10c42073ad302f70293e2d9597f10a69044ce6b3431164edf84f244b76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 942728d2e23b1c4da072ad3dfcaa6ecb
SHA1 703df0bfb6ff76de4f10ba9c0767ba7dc13e2033
SHA256 d815dd00ffb67538e32d8a54f10e66773d3c552897e408d6ff7aff8cf64be3fd
SHA512 c39e5e93457a25d909898e049ae3b5530ffdad5f3954a4dc45b8c1a6f7e0ed4d5a77506e87ab170d6ef838e3878cb9dce42a9a4434ad1e2ec6e47492569f5abb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 a56e4975da82e4ee5e47f42ed076f09b
SHA1 0581ede528773744e9310758c7a414b473c3fdf8
SHA256 194a8fcfe886a7ecb7750000f8be4916e7b2fc7cc41c1d7bc9340e66b6c8abdd
SHA512 cc08ac1ec938bd3e589aa37acbde402fe370c3b8f3d3ff3e8faa5231b9a61d0d9bdcb5bd4da9d7bd6500905d158e95df8e1314b6063b029eee162ccd4a310392

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 bd56abe7209a50c0f8c009466c5fd617
SHA1 a2e76ea77c093017720ffe8cbc7719c7155ccdcc
SHA256 f047c93da7c93c1562c9c435ea8b70c08447b0e9a290c4bdaef811d5bc491676
SHA512 517af004152f110342a3a2218a14925236427e069cb53a9139dd8e0393074ea846858b80e3b99a57a6072ade5a96079f95d955848c3c4b919fdac255f1df1a8e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 25000d476e94080088a03caccf199453
SHA1 42d1ff25119582c1d145f392283a104227175b6c
SHA256 63abe5db5774bfe5792abc6727de7aee58bd6be25fd340ef079ae28184e1a19b
SHA512 70211ad821665ae9c7fc15745962fb99233aaa59f48e32ab2b7fd5e561df35e5130ec2830d3c21f5a05639708071f16f2831f0aa23ff72f3be325df3e6cc2577

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 87e8230a9ca3f0c5ccfa56f70276e2f2
SHA1 eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256 e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA512 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 79d078cdc9011c0920e869794ca0624d
SHA1 679b94db31e4b6fa7f7c802df9c416366d64f04f
SHA256 dbfff3d3ce31786993d39b229ac4bbb4320f13b5a8d2f266dd18a0ac481c3895
SHA512 d838454cc3330ea9d93bc5498fa1433d30ddf14e97e65590870686829a85dff090b98dab6be88078599ff6aea3e4d661d7429d48a698f8e3e8a2daae299df818

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a843d6991105d60c94d67c62589b2e3d
SHA1 51b20cd76a6c651c0076b10731cbe0011036e282
SHA256 05586328ed83784c908b7d5d1771bb8ecec75e9a22ab064ba7546f25d0f815dc
SHA512 4e7d78f4ca4d6170249dbb31ac27556c1a047e60e8f47eb9dfb295410b51c261fdfb67567555adfa7cc7d88c9dddd8394368f4a6f485da01b1d156a4df3c2eb1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8f1bca1e277e7d4a59fbfedf1c31d272
SHA1 857710d3def601a5dc9373df628310c7b1c847be
SHA256 9decfe791d26f41309c8c22310c972217f8a47075fe28267de6547394082f7af
SHA512 83d1844598f96c9629c22325f21668a8c58c4bb6153a09228deb878f51f2ae2ee3999395b99d3a3268353fcfcd22ad5b96cf1c80f8e55db14b4a050e32e93cab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 08ee637cc42775f5900735126ca09ef7
SHA1 1626887b0d654b50ee83a1fa7513bd6adf5f44b8
SHA256 478ef925837e53dc4bdc10a729add35273530248b475c0d3501e7bef43779999
SHA512 7f1b845edf74e93717c2bf6d8748ec411ee82942c6f5f7d71e22cdc29c8e465bd241689ff42082f9e0172000c8923074dca8671a20764b27d2937d18f9c88cdb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 661ebd927df5e9cdab94a5a68f07b91c
SHA1 fe9b6c842892dce71573bc1750628d7757b3f15f
SHA256 29924e9fba80a0a72f49a7a12064b8e4d24b190d361a967e8e124f93b86341e8
SHA512 0f6f3db5d26913088c7439494d2cb6e036c7bd0ff4484359e8989148fe9f20e09db8ea5b57727c28ef59de45b1172f5f6e1d96f2ebda80edfe8e8ff5399be5c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 337f4ae4287180f1bfb12eba27c937e3
SHA1 f057c77a5d7f7efc39064c14b7555dc8aefadf6e
SHA256 30f14d5774a495d1f9a0cd2ca3050a2242024ac904cac328fc2bfd242e9d09b1
SHA512 bc70568a79bf6f1ce54b56b1e0ca7611163cefeedb4ea599b3930aa863a79289f766baea461ec7c93a3d82cacea9c91a742587a53a1e7db7e594292e2c89b74c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8b04f27950834152e9fca58691713f34
SHA1 a7dd3970e4ab9d59d2372e5aa30a16122617c9eb
SHA256 1964a4dd6c2e7a427034304a8345672fd4c74efaa6b99a3cb3a2094cf2ba0722
SHA512 0249b513214b1c0f1ff6e18afcf0370ed59e548dda6edb41cfccc44f398a8ee203114037e4ff2d9e3d1d5d4e122163f57601e2ff70630ae3dc22f306f6a95edc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6721273e37f6d2ce13fb6a2a426efc2b
SHA1 06f88e825825bb4a1081a626e0ddc852ef01693a
SHA256 58cd0838d7d3df15cc63fb8de223f7dc7f8a805a747b1bb6f8744490b0de9a5f
SHA512 3578003e99b0addd804da52f42497f5bb152a91617748ce464f50097069e7ad37229816bbff263e8f39bce3c9a131263bef9eef5e90b92787547b684ef038f39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e8ff.TMP

MD5 6a74d0deb7e99067a7eedcf348a9424e
SHA1 9bb20fe135357af23306821ccad74961397459c5
SHA256 bbb40f1ad9790a7265f3d260a49f83eed5989843b3aca0f5eac60ea4873c99dd
SHA512 707015fd94ae629b034a257ec75263bc28fc5e903a893865f68e7744a8eef3c1225279686707d1d9162066003c0de61ee7a31e058a0a1cece3dc91e62dd1db63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9a001145d5be2d1fd4ef78e91fe1464e
SHA1 73dcb58c640ca5fa5715a8c6f97343fc5a868b10
SHA256 9acc3b4cfedd4b90326ad4d523f98ac772ee9941d89b9c0c5846c60a003af36f
SHA512 5f888a0f0b2b44b7ec16f9cd4f5a4aee460b54e0130182ed8fa3025f43015015a790d41535b53fbf8e5207f966ca7cd6bc758390552911afb281ac02db8c44bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 eca3fc1dd64fb70d6154ea46f4536086
SHA1 15cf7fa40871be7d813fb007ee77c41ff914707a
SHA256 98cf1bf991397da8b074a28fd3891133fb302bcf57a3f56f1b2871b3efd1ae7d
SHA512 bb203c901e575b3c2143d1d2d191ecb2e5d7c1dc23197b46c7e1abaf73079e3c46ab74498720ce0f5b83984adec1932be9007e60c6703797e11f846d4c7c0900

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a21dcb53a1ecde2c95e9ea7e498e5987
SHA1 d7a3173330864d6e4cec2f609ae8b3be373c5437
SHA256 f7b6a4352b12d6a3d381d17bc9cb2c480e5f58e85fe2f9002435526a8a525dce
SHA512 3d7eb8b336701664541b61d1a939bfe6c79041cc198f7d223880b5ea7293a7cd4150c540fed74c72b1fb75efd632e547bf0b56b1a1ffb9e3c2bbea7e82965d9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 71040f58ae1c25b2175c2156b212b538
SHA1 6df4fd98873b17fc17fb17df51b7c144afe3f4e8
SHA256 990a3fb2a015a8de6aad381a3f774948ad9e3d2a6f5535d8768ac8b3ae760cc1
SHA512 ddafaee63d081877d9f06b5970d3b1d049c50ff1897c2c33941c28c954e5f15e9222e59a37473d3a21b1fbf09c92c03c234fb3cefc76a0700770ff167e284c57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ba312451e2c08a286eacbdb8a987d2d2
SHA1 6174a9e172305f6df53c53d61418dd583af9a0be
SHA256 aa19d0d392c5d7fd837054f8265a63cd3dfb5a85d358f242abc4d37f6d0c8281
SHA512 72d38d44fdbb70d71615027e824d7f1aaa28d8edd72dace7135d4bf468fd01deb3cee03b388267875830ad693b60200eee1931c83ebdf3158893d0650273aec6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 2e2e2aa2f8a2342f28069a05e8048ffb
SHA1 8c3c5aa3b42b4cb7763cf6b51964aa2cb04b7ecf
SHA256 7f39736ae679681a159e01b987a9d5fd60172adf154ed266d555419ce221abc2
SHA512 8d8fc9537f5af3ec5f7f4948637c0bf48001fd147e1b4fc342677623e3c4f1a4fbc198293edb8f3418ea6c78925e56cf065268b59c97bd6c4d9f7ebf14e710e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0d3f9ed2af4e88f5ba302472a034f7c6
SHA1 11834928acf75827f30e52d066aacb832c3cd564
SHA256 d4bdc6c14c631c5244c807ad4b4d8d05b19aaee31dc78fb601308624b7ca0205
SHA512 7b3b0e5c4a1074ca5d3a421415b45f3928c3cb72a776ef73766951dc6b73cae9c721bec9515d6cea97d5e57a6da502960d8a3c022142c3e0efd942311462a70d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 adf2df4a8072227a229a3f8cf81dc9df
SHA1 48b588df27e0a83fa3c56d97d68700170a58bd36
SHA256 2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c
SHA512 d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 d2610a5d8eb0910f15b4d0ba1db62ad1
SHA1 a48324d4034a4aede07736a1e1236edc09f82109
SHA256 30cfccf9517449b44740afc542d5ef80255071b5fbf4f36d767bd479dec3fdb6
SHA512 06c3abdb2ed0d6b9ab1f9b2172b1ac28862a8b27abbcc64250aa43302792cba76a201b2b1a180159a50658ba34657464335cee2f2cd8511e34133657bc1b60dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 8e01662903be9168b6c368070e422741
SHA1 52d65becbc262c5599e90c3b50d5a0d0ce5de848
SHA256 ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a
SHA512 42b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

MD5 58795165fd616e7533d2fee408040605
SHA1 577e9fb5de2152fec8f871064351a45c5333f10e
SHA256 e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e
SHA512 b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 41906d9d09116eb9d2f77f177d276bbb
SHA1 662dfffb47326fda0bd1983328399c2f22812188
SHA256 82abd71e77921d688e8e1f09337e261f1a39369ac0d62ba6c6e28a236397ed01
SHA512 48baad7d87c0f064fe78239def41dba34e87baa7ffdeac3a27a2b9f92cae135db67de2b7232797f2b106205aadf0b00402811cfab2c9e28036e1ac1b4e6fbabb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 78f2fb7ad1ad7df696bd86b849164a0a
SHA1 ca792bcd76589ce5eb8fd6ea8740e450d30c51c6
SHA256 00d6d66a79d81feded342ca7ae75dbb2486024ec57378411533927bb8fb2e251
SHA512 7113aa8102104682634ebe928eea6584bae80d5f48e59fff01d9df62fceb9d59ab5f6701065a6abff009322eff4212d06e10b3386663cbf3e9ae5df5a580600d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce94610b43403081ef370b88b484c5bd
SHA1 ce4400abfe7a0c844664f79a96d1e48e8dc0594f
SHA256 0e57426b697b88140559e47d0bb9d472b7864c2a2195253ef512b1cfe8f90f50
SHA512 c989ce2eca093da67c321035cfdcdf870fd84792397189993aef767133b9d03501bacca05a351fd7a4d10b9c5557cbebe927f959fb2bed8410708ccce332f9fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 653bfac797eac666c6abd730fe236ce8
SHA1 896b61a775098db72e7c3b05b959459975fd5dca
SHA256 756de3cf62545a6ae5b20e39394fcc81581efd66ac53103c65e19f25ccf83f37
SHA512 b08b9d11978793e078e3cb8adf319e3e8663721da5f2471bea573100f9c995ce871eed7cc44d63b205c9fe090d4f10daa613a3393e234e9d921ac39d89d83b5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 43b7c5bd2f637f73ec920efded49b894
SHA1 de2f01a8e02f845024db24f632dd4c8db0db1954
SHA256 d3cb2904462b3783ae6ac0df073b2ed7da61ffdefdf2b922f49de887401def7c
SHA512 9b7a7bc2b88bade6e19a38aac7b86dc299ad571c1ab3c9fb5b3753738ab1e8c02ed9ec1669b73b9e228a36f675122d0bc52e67ad54bef2436eff9b4d094db196

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2d3ee5b4ad46c84e93a4b89ce510c7af
SHA1 e2e9daf61733f4578e154fe0f8312686c2d189f8
SHA256 54e41d8423e9681549adb95c93c4a693f6b90db16b63827ce320a140e6b009eb
SHA512 d5adc0e89175932a3a5a6c6e31b9c6bb016a3e17fe9b7b18bd8438dc311a166ee2a1b37c518b7fcc6a47615e698cfb3763681adf93f5ee837ff9531430a30374

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f22f0cef6820bbd6814b98cc9d9cf411
SHA1 90d6c650df098b415352262d50373d02bace4ba2
SHA256 112573f6e3ea8e5fc79bf2792033e5564a252c923114ddbb102756cbd4c93227
SHA512 f205fa06e01d34c78ca65256a0bd93bb6de7bf43e4d4be823300b099940d014356eb384a6f42abb9fb74b4daf3a9e4a3a47de63c44cb363e68d4d1b996fb2ad9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a6a28cc96630a340601b62431684cbaa
SHA1 4b4ce189185d3e2445b19200f7209473ba9fd061
SHA256 ee2426f84caa401c267864b60c66be271737101593bf75b0ce1432157e905188
SHA512 892525f24bd9441f52ef6f5e64d830f2322713ed5e1aae3b08bc12f69dd0fb2a9479c9f871746a4076998e3b200f227ce4dbc094096be48f826c46884886512d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0948cc9b840299e806e9b1923fb69d73
SHA1 ae5ffc8b7c14670420859d1ca54b07dbc14a6b6f
SHA256 f2cb192c9009880a5254c5b9a79c64e963fffcff97251679739aafb388fde933
SHA512 161aca2b0bc2589d275f47adfca469f013be168c209ba8ec646b8b7820064e8ffef0a1bcea83f2db6484e8b3b6bf96bee9c56458278771a5a1a3d74d0db09eb2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5b2bc637d5595fc3c1d978c984d4f962
SHA1 5f439a8388ec0226d871de67c59dfa09d7a67b2f
SHA256 4d3be3786ed29fb1ab296baede9c8a7ca962a224a92b659c37494b4b4934c3ab
SHA512 0a0c67c5b364554f4c113e544f9bf491dece6b2f83b06d6040ed5f1563b9cd104c13b7622b9ce6256bcc27984cd1b0ab9ef68226eedbdd2653652dfcb3867330

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2508f9f774dff5a_0

MD5 17a70915ce5154a56fd051db974a1c63
SHA1 ea2c7dc94a609cd358a8bdeb1ad9416cc4c40d2d
SHA256 53f6bb59a23134c63c8b9d214cf04a1e5e4f16267b24823c166fe3ae04e6a57e
SHA512 702364498967f3aa8bb5d728cdef64995b0d55db6c2d655ca0f973113e444055154a76e1cd7fba422bd53c8fac2054419785a047b4c274059b0ba8f2b5a0f5c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a69226eb7e1fcb4a_0

MD5 6292af3f8493022d942a0dfa71c15833
SHA1 3102f037b9312f00ffab17bda6de50e3cf10a98b
SHA256 aca9ed7aec32bbea99f293e6cdeffe7b833675b28453fbe77a7a52227328445c
SHA512 128e1aeecb56a7be28b6c6d2f6a10e584536ed08763a837c91af0b5ed37e2e50c9aa907720c9bbac9e9dc2a1f2587581d0b25d9d644ca47085849745682be08e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\19152b7f8e8efcb9_0

MD5 004f06fd095b209ce2d50cbd4bf8b0e1
SHA1 7ec364e9ed76bef60b0c8afc953450f7b95a67ae
SHA256 35f665dc65fe4fef55bcc06eb16e0b741b9e894d819ef85911a422e3170bddc9
SHA512 482685b5676f8866778187ce0f7fc5b242033512092a80fe4a7ac8b21d23c2c19ac683f67298afa31571dd8e89d5f346643da2fb1e8e82fb3eaa014c26428ca8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ee08c28427b16c56_0

MD5 52ddeea50f5ebf9aee445f58702cc734
SHA1 9cadb6763f97e1c4e02132425ea2eee4af778691
SHA256 908d925683c7bb0d51a571d73e9e2db56b4c887e39a2e1f313f62ea7b324e537
SHA512 700334eba909d7da3c05320431c46530c53745d6f949302701e5341f8a6617930c296f4494583b8706803705e93dd860e2cd659833384e9701beb5657a237ad0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\12e2c4b18dbb728d_0

MD5 6caf13d28ba03f4e1ee09b41f0ae2a4b
SHA1 9a371a0b0c39f4191354cdefec603f1a843f4586
SHA256 12b379185b84e10136688751e77f050a81c4c0b093100ae1f1709e3910a90a8f
SHA512 bc979758be0c59612cf89e42bb83878c11976040e1d2f96e2d9fd8f14a64ca2b604fc145dd3e3645277a78cc06a00277056b2267e6209546482da877837135bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f0572c9ab2f19dd1_0

MD5 1ae2bf833b71f53e3d1b182dcc58e85c
SHA1 aa59abcafaf832dee10bc7b2a9b3180521bbcb08
SHA256 88d47a90080d380895724a5c83be18fa9b89d816320acd32b666a6edbbd4bf55
SHA512 d7c622a17560ae5f0e80f11f1c6695de162a29fd5d7c79b3ecb48cf8b93a8f3c9ff9d90715ac23a225abc0e144c387a468aaedd23d7f0cd0c94939b37e23d9c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\038bd4733c27c8ac_0

MD5 f51490f1ba2f3bcb90bd42072118a6e0
SHA1 d28222d334c4e965d7153223dc795463e79d39a4
SHA256 6afe4c06ceec1c6108ac1b8792d713d951f455af10f9a6a126775150f21e046e
SHA512 f35b5a89cd10af2c2a75512a407be3720e4ad60d07779532a5f8a39c8ced68a7a51894a52bec677929d3bedaa5502970a7f194da3edce63627412feeaa4b415e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\154000feacda5f15_0

MD5 b13b5487342b737d6e565e83b706d0fc
SHA1 9a17f67b77539d7e8b54ff12815d89d83c88ac21
SHA256 1cdbd1eca7c386836b6e7bf0107116603bf7dee9a68960dbc696f4d688005fe1
SHA512 887ae9d6a528845c9ea72e2eb728da0952dcb611f22fdf2202ded7611adbf9ddfce2852e248e431f57ea2681c28c921531487e733e3b7e91d278d276d8392ec8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\89db893576032902_0

MD5 58cc4456373dfb52e9a4a80a28745b67
SHA1 d873644478719d70d5b9dd2200424de48f69e469
SHA256 79149d1943a711a1978e9391bac1b119a0f22e928b79410d83c92b58a0bbf870
SHA512 d1fd62070f9bc37a5c5a66888dd44c3826cac94f0e39164842b6303522b4831c6d003ee5d4b672160c57ff96e601b960fcb1005ed753d501b42d48cc9303af99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44d5079ad5841b25_0

MD5 93c1bbaa166395fbfac4fe235ba56c0c
SHA1 3e64d7b6a0dc48883a307accac7b62d1ee68e7fe
SHA256 f2ac1ac5d403c802c60c56a1eecae260da652818546cc45b7e82be08c398f0ca
SHA512 9ee325594480ea0aa97ce49fe858f18dbbe6fef69afc6a7870869bdb1b5473f88d902f82f7b333ed689e9a06378487be7ef6cb9cf6f8dee9dfc07f5621352e64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eab6493a0dbfe79f_0

MD5 6acd9f91994dccbf8c4f1966c00f2406
SHA1 e65b84a700bb5f3107ef5e9c6d1db440e305e4b8
SHA256 eee8e47185ef1aa1fc2dbe931db1ce5b47e6a2ec0e218aab9685d8412bf8b79a
SHA512 89539a20f05cf990d18c1e643b1db7412bac2bc89dcdffaa28cd467ea3e6f331b13313e65d08ca5b7047352cfe6f7217fbc7f5ef63ed6dcb8354c1a6ad3bcf3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d0b78a7984afdac_0

MD5 faaa7318d2a1c746d23f74291473d64f
SHA1 06d51c732a5932f5994dd9d5d4eb7b671a60be00
SHA256 6fd01ac30797c10c6aed2c14063e9689dd5d7eaed6464282974c191dd79b7e01
SHA512 eaf64e2bb71ce5ea6c61d588c9a4e5e7bb575f6f32f99610b1c4300e95cfa4fefaf626182c81647de34e558427e434a388734a3e3ff9ec532d540d2eb445e66d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\172b237bc017862d_0

MD5 eb7ecd0520633f23cc90e217e0e476cb
SHA1 d7593791298d48a570682930f3639d457c17b247
SHA256 4f73184fe15e73fc4b1e6a7faf3eb6d6e16c25b0b44009e1e866882c2acdcf17
SHA512 6903b3b8f7919c008725da5574d20d3c36258e78dea2e007af76a8087fcf9c8b4d5bc44191d6e0a61d68f7c1e97d2c1a32e8f2eb563d2f8baae970ffc0c774c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25d24c50d6908129_0

MD5 87b0f4deed81f56c949c0c6a4022667f
SHA1 a869edea50718de89cff6e47ce44ad723dd461ff
SHA256 d496a84bf2290ad6b86a118234daf12e55e1da560c99b05a080cca88f4139691
SHA512 552c5b9dd38a6c0127392162ddf13cc7a76480e07a7332edb7bf5bbd48958bf4d6d79eea2a22636920cb514018b069a707c603b98e57f4c9584687166a29827a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bb73c6570251aa2d_0

MD5 f2173bf63451fb321d926629a29281e4
SHA1 12792332d1db6b7b9e99d5c536e05995d8a577a0
SHA256 84db1a9eaa0cc26434a1d50eccbdd01a2f5a0a9ff2260ffec22dc193ad43c61f
SHA512 4ed66a9ddd832b09f67987b9566303590a93d4f1e8b96e3617d7926e53cf70c9a35d63bd4500c8929b0aefe9d612304440a07a0945a62750823d3dcbe6a6091a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f26997b60d0dff29fcbdc7f4115b5584
SHA1 3e8c817475636ee396c692674604b341a0e9f878
SHA256 8ccf49aa15c82df17928de91f6a99acf8f47de6dd27cef8b4079ab799f6c19eb
SHA512 9dfde8da63fb1816537e0d75fcf54cda60a5bda8c48973284f32f1c5b204fb380d6ca1cc7ee9f96d6b121a111fd4c98517b00891171ec67d8969355a6647b636

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7ae572d29309104739f994321ed29fdf
SHA1 074760cf9f489730907d4f5781bff07aca0daab1
SHA256 90ed57e53144eeb86528778f5eb55ebfed4b823d4598c7e5f4b8423afbe4d4f3
SHA512 808e5c385d8fd2a6d1dc1d269a5444e3242507907e3d9d2707dbf9b6bdb199a84ce205d1e9b58bb491f07d512221dafebd21e631873d76c99b059eabd55eb802

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cdb2a02ad5c0ac7d498fdf0113ce0568
SHA1 9c54ea6274d592adc7aa9ff0933a3616dd71bdca
SHA256 c56082daabfa59b6c2157a1e2923d42eaf41434130d95d3bdda961fb316afb07
SHA512 4f35880ef03dd780bcd37614f6572266d0a4011bbdc78f8ba58a0c616b30f64018853db060117624abf7061115e10fedbd10280a0d5d981717a81877fadab617

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 247d93fb472846e46f4c89df0313a2b4
SHA1 abff50bca298d67b36b905c9643b48da7735cf4b
SHA256 d21303dd9eebfdfab070366db5c3a171a29e084cccbbc0f1af0347aefc907025
SHA512 90a405439a081a6fc2f1aebf40ffb573f72dd53a87e3b054d967e8f2448e6b0a675ded71b29ab85cf71e003471ec8dafd7536e7aa4ed049dc5049bc2d53325cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 25814edacb2ef9606d1696c52a178d49
SHA1 f86b61f1594a477d1182efa5c604f949a6529cbc
SHA256 1b91518ddf2085d568e1c8d14ed3f65d2f9e5c472757a95302a352e7f9ec96ea
SHA512 1717e53a51e979fc97ea196e380f47787762991ff9b53bc6c63f95562988cb8db6fee54d00fdc6b344781709eedbe82a3fd05dbc61890fef315676790b83e06e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1a010cec32fe2a0b82c6fdd2b14c1cae
SHA1 768db80b8c9cee1767174b87af95c908848f1e27
SHA256 fa1e97147c0f2a60fa2bb1f0f1d7cd2eda8eab3847235e90af0c0020c419874c
SHA512 b3e1cdad6a8829e48e96f99de582b029267fa51e2b8b3d34ae47fc54f7dfc27b4e0808b062d084b72465ce7ab3684bc0f6966d83bfdcf3d53de1636cf6acd13a

C:\Users\Admin\AppData\Local\Temp\_MEI43682\python310.dll

MD5 b805cebb0242b3bbfe810a19c2b44e3d
SHA1 62d71b686b64e6efd58852a5e59f4b00cec18f30
SHA256 2d2d5746d6a066fcc3e7b8c041ffb7c7722c14b148aed923387dbacc951d732b
SHA512 d46a5b3274aed182d30647d461d1dc7bd2599a43b1914d5a5e882c4298ecf4f11c64272db351257f836806ae55d5f1a0c1369f4159df09c8d7aea9a52d2e1acd

C:\Users\Admin\AppData\Local\Temp\_MEI43682\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

memory/2728-2300-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43682\base_library.zip

MD5 9a0182a94b86ea6347bf32487259489f
SHA1 cfaa770f04073a6d2bf63708e8095869c8caed97
SHA256 46b77375dd8e1604171dabb79b4ffc3bd70e3e6e2235d1b65ef5174a9b37c73c
SHA512 b02e148521f7bfd2068859654ef0bb5e17f81e4877c510c7200e9354f1fd160aa0763f65be84cdccfa4f65e37faac97c8b2c709eba3c2b9701fa41ae133bc4ad

C:\Users\Admin\AppData\Local\Temp\_MEI43682\python3.dll

MD5 fd4a39e7c1f7f07cf635145a2af0dc3a
SHA1 05292ba14acc978bb195818499a294028ab644bd
SHA256 dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA512 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

C:\Users\Admin\AppData\Local\Temp\_MEI43682\_ctypes.pyd

MD5 3df3965a4861ad800bb2a59fae6d1ac0
SHA1 16bac0309f2e1cdfa7a68aa758fcd665086cf2cc
SHA256 2978cbba8e8605467392c3e08cf6b857910d51d661c01224774e9dc8fd759a5e
SHA512 9f8f8ff6002be45439bf892fc8b2087060947408060163eab7706fd825f1db9e07ff6edf5a3f19ab36e7e3a7e7cb57d262db2b6050d3cb1a0fdd165150029451

memory/2728-2309-0x00007FFFD51D0000-0x00007FFFD51F4000-memory.dmp

memory/2728-2310-0x00007FFFEA470000-0x00007FFFEA47F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libffi-7.dll

MD5 36b9af930baedaf9100630b96f241c6c
SHA1 b1d8416250717ed6b928b4632f2259492a1d64a4
SHA256 d2159e1d1c9853558b192c75d64033e09e7de2da2b3f1bf26745124ed33fbf86
SHA512 5984b32a63a4440a13ebd2f5ca0b22f1391e63ac15fe67a94d4a579d58b8bb0628980a2be484ac65ad3a215bbe44bd14fe33ec7b3581c6ab521f530395847dd5

C:\Users\Admin\AppData\Local\Temp\_MEI43682\_bz2.pyd

MD5 8be644c64a05f3fa54cda06ca3342fa1
SHA1 6ce140b2f709a77087c497d49425583fd285f9e2
SHA256 5a33ca97cd32e517d9f80fceaa8322a17255bff555bd7e29c8b29b126d493dd4
SHA512 ec614aec09e09c0fbff82cb4f318fa41adc992507287ee9559164e223bafbfdc13082ce558ca2b019d0f275b51b95d7a74f5aaef0e2c9a26b05e6212e0231ab6

memory/2728-2313-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43682\_lzma.pyd

MD5 81534509a5816e2807f758a484482851
SHA1 debaf2d93852c0a8103411290c76f38b511dc86d
SHA256 83d0e0c2763074671605b62f64513dc9e4ff61e010b30e3d740b430b797edace
SHA512 21f00c5f7fb8c7560563a32aab3a2c30a7c2803bfa2647e83fc5d9e5016e359dfda28af128ec4671b763085d301685f904ae111120dc3ca9452b41eec323165f

memory/2728-2316-0x00007FFFD51A0000-0x00007FFFD51CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43682\_cffi_backend.cp310-win_amd64.pyd

MD5 5988556d3aa9170627d75daeecf3cee7
SHA1 ad7fa07b5ed0918b98cd35d74c601c9e10749137
SHA256 90fdea940467e80faa5d4f921c1a5c65a6e918f6d939747227b0cfaf7bfe149e
SHA512 49471bba4703902eca73055d3ed008eb002ce5f448ad870db3a7de89cf064d604ee6c0b87cca82cd9e36d21c86b6f21245102862643f4455bd230c9e488448b4

C:\Users\Admin\AppData\Local\Temp\_MEI43682\_asyncio.pyd

MD5 e70260b36b01adec2d4ea149c51d5ae7
SHA1 36127c697e77258bee84ec0dc543e211a2856853
SHA256 af589fc66a197c187b283bbc311c8a9251f6a8c45f400cd65d841239ec905286
SHA512 34fb0a1e4cfc7e0d5f52ee0e2d7dba1930c8e4f94f365515453e24c5f5771486447d70a8826e281f1af2cab2010ae9f4588b9acfae7c2d506a87309095de5fd5

C:\Users\Admin\AppData\Local\Temp\_MEI43682\zlib1.dll

MD5 ee06185c239216ad4c70f74e7c011aa6
SHA1 40e66b92ff38c9b1216511d5b1119fe9da6c2703
SHA256 0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466
SHA512 baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d

C:\Users\Admin\AppData\Local\Temp\_MEI43682\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI43682\unicodedata.pyd

MD5 57f99474530a6c9c1d187d18bd5463ce
SHA1 4454a66d48adc2806260f4fff00a6009be869fac
SHA256 195930c1b330eafacd7c408087cd9ce967e06f301974d7a64e21c4b531b2e091
SHA512 fb70b4c486125c010bdd3f5214e2d2c207b43e20ce70a4452ef58813af7a6019a8a3de463141b58939de11ce90c592232e70df73ad55c591b7cb06f0ebe9e77e

C:\Users\Admin\AppData\Local\Temp\_MEI43682\tk86t.dll

MD5 19adc6ec8b32110665dffe46c828c09f
SHA1 964eca5250e728ea2a0d57dda95b0626f5b7bf09
SHA256 6d134200c9955497c5829860f7373d99eec8cbe4936c8e777b996da5c3546ba7
SHA512 4baa632c45a97dc2ca0f0b52fd3882d083b9d83a88e0fa2f29b269e16ad7387029423839756ee052348589b216509a85f5d6ee05a1e8a1850ce5d673ae859c27

C:\Users\Admin\AppData\Local\Temp\_MEI43682\tcl86t.dll

MD5 2ac611c106c5271a3789c043bf36bf76
SHA1 1f549bff37baf84c458fc798a8152cc147aadf6e
SHA256 7410e4e74a3f5941bb161fc6fc8675227de2ad28a1cec9b627631faa0ed330e6
SHA512 3763a63f45fc48f0c76874704911bcefe0ace8d034f9af3ea1401e60aa993fda6174ae61b951188bec009a14d7d33070b064e1293020b6fd4748bee5c35bbd08

C:\Users\Admin\AppData\Local\Temp\_MEI43682\sqlite3.dll

MD5 3ba6e7250b30b61aa13fab9a70a6735a
SHA1 a0609137a1659a8ed0e565443ed92827c6c2b3d8
SHA256 90ac063f58ae3030d9400b904b46a49126171e7e8202cb093c13d045adb52b9d
SHA512 4d4e8fb67e4a7d71ce81cb40e0ec553d2380827ab4947c25c437366645c94b6bd27108134836299c74cf2481264fad4e849b5fd523dfb494f1dee4907e000778

C:\Users\Admin\AppData\Local\Temp\_MEI43682\select.pyd

MD5 e51cbc710092a9510a2e87ddb288a2c8
SHA1 083faa71d120d291e74afb0543ec3923b3a7c05a
SHA256 c781971a01bef8e8bb8816daef7dc9bbd6c12369245012a75e1aedb0e4114741
SHA512 be8ba3ff18fb06bfbcffe9cf3755687bb99b6fd24f263ad74de70adee9213b6935a592d33aa5190674b466227060c6047f8b12a3371347a3cfb0abf472c7af29

C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2_ttf.dll

MD5 eb0ce62f775f8bd6209bde245a8d0b93
SHA1 5a5d039e0c2a9d763bb65082e09f64c8f3696a71
SHA256 74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a
SHA512 34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2_mixer.dll

MD5 b7b45f61e3bb00ccd4ca92b2a003e3a3
SHA1 5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc
SHA256 1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095
SHA512 d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2_image.dll

MD5 25e2a737dcda9b99666da75e945227ea
SHA1 d38e086a6a0bacbce095db79411c50739f3acea4
SHA256 22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c
SHA512 63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

C:\Users\Admin\AppData\Local\Temp\_MEI43682\SDL2.dll

MD5 ec3c1d17b379968a4890be9eaab73548
SHA1 7dbc6acee3b9860b46c0290a9b94a344d1927578
SHA256 aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f
SHA512 06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb

C:\Users\Admin\AppData\Local\Temp\_MEI43682\pyexpat.pyd

MD5 f94a88c380d6dd7adead8b0b199b13e9
SHA1 45aa9c8b4a320218bb4a201be5bb21468d57cea0
SHA256 8b2ad9632805eb0706308a05cc12d408c8218f2f288e3ac0228157854b09f342
SHA512 bd6bdbc53ccc250b1280193cabbc1292354fda7a81d24e4e85274b2c5fc045bfed9d30e220ac6816a3db040869eed2b784a7db484908c34290548710172f870f

C:\Users\Admin\AppData\Local\Temp\_MEI43682\portmidi.dll

MD5 0df0699727e9d2179f7fd85a61c58bdf
SHA1 82397ee85472c355725955257c0da207fa19bf59
SHA256 97a53e8de3f1b2512f0295b5de98fa7a23023a0e4c4008ae534acdba54110c61
SHA512 196e41a34a60de83cb24caa5fc95820fd36371719487350bc2768354edf39eeb6c7860ff3fd9ecf570abb4288523d7ab934e86e85202b9753b135d07180678cd

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libwebp-7.dll

MD5 b0dd211ec05b441767ea7f65a6f87235
SHA1 280f45a676c40bd85ed5541ceb4bafc94d7895f3
SHA256 fc06b8f92e86b848a17eaf7ed93464f54ed1f129a869868a74a75105ff8ce56e
SHA512 eaeb83e46c8ca261e79b3432ec2199f163c44f180eb483d66a71ad530ba488eb4cdbd911633e34696a4ccc035e238bc250a8247f318aa2f0cd9759cad4f90fff

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libtiff-5.dll

MD5 ebad1fa14342d14a6b30e01ebc6d23c1
SHA1 9c4718e98e90f176c57648fa4ed5476f438b80a7
SHA256 4f50820827ac76042752809479c357063fe5653188654a6ba4df639da2fbf3ca
SHA512 91872eaa1f3f45232ab2d753585e650ded24c6cc8cc1d2a476fa98a61210177bd83570c52594b5ad562fc27cb76e034122f16a922c6910e4ed486da1d3c45c24

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libssl-1_1.dll

MD5 d8b6d2da0374b0ea1ee4c84fba94a073
SHA1 3a00d6af23d54ec54ab1d09b6a9dc422aa9b0658
SHA256 4a27997d7de463b1fb7bbb7b18508bdbb173248e0f985fdc040cedd15c79e8d9
SHA512 c47809eb65f8f949d8328bbbaf523e42533d132d06e890cc02cb24273872b5867fa5e35de7d8cd12c8d3c707729b2448ebe32edbe0fee66f8daa8cea56fa838c

memory/2728-2344-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libpng16-16.dll

MD5 55009dd953f500022c102cfb3f6a8a6c
SHA1 07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb
SHA256 20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2
SHA512 4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libopusfile-0.dll

MD5 2d5274bea7ef82f6158716d392b1be52
SHA1 ce2ff6e211450352eec7417a195b74fbd736eb24
SHA256 6dea07c27c0cc5763347357e10c3b17af318268f0f17c7b165325ce524a0e8d5
SHA512 9973d68b23396b3aa09d2079d18f2c463e807c9c1fdf4b1a5f29d561e8d5e62153e0c7be23b63975ad179b9599ff6b0cf08ebdbe843d194483e7ec3e7aeb232a

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libopus-0.x64.dll

MD5 e56f1b8c782d39fd19b5c9ade735b51b
SHA1 3d1dc7e70a655ba9058958a17efabe76953a00b4
SHA256 fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732
SHA512 b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libopus-0.dll

MD5 3fb9d9e8daa2326aad43a5fc5ddab689
SHA1 55523c665414233863356d14452146a760747165
SHA256 fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491
SHA512 f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libogg-0.dll

MD5 0d65168162287df89af79bb9be79f65b
SHA1 3e5af700b8c3e1a558105284ecd21b73b765a6dc
SHA256 2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24
SHA512 69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libmodplug-1.dll

MD5 2bb2e7fa60884113f23dcb4fd266c4a6
SHA1 36bbd1e8f7ee1747c7007a3c297d429500183d73
SHA256 9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b
SHA512 1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libjpeg-9.dll

MD5 c22b781bb21bffbea478b76ad6ed1a28
SHA1 66cc6495ba5e531b0fe22731875250c720262db1
SHA256 1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd
SHA512 9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

C:\Users\Admin\AppData\Local\Temp\_MEI43682\libcrypto-1_1.dll

MD5 dcd4e9410cd8612a111de1f21956bd03
SHA1 c8ac617549d23e2f1d8978be072d56120b41db2e
SHA256 32e71ee0a601dd330b1224f92af42bc2343327ebd345a2f82991102c61aaff51
SHA512 7a96a53a567a446bcdf123a86c3a3c8934445e619fbf08b95fea4cbccf2f41151b992233993255cdd0335ac685b4dae7abb96b7f371fd3d630a9edded78e5236

C:\Users\Admin\AppData\Local\Temp\_MEI43682\freetype.dll

MD5 04a9825dc286549ee3fa29e2b06ca944
SHA1 5bed779bf591752bb7aa9428189ec7f3c1137461
SHA256 50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde
SHA512 0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

memory/2728-2345-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp

memory/2728-2346-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp

memory/2728-2347-0x00007FFFEA1E0000-0x00007FFFEA1ED000-memory.dmp

memory/2728-2348-0x00007FFFD4BE0000-0x00007FFFD4C0E000-memory.dmp

memory/2728-2349-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp

memory/2728-2350-0x00007FFFD4B20000-0x00007FFFD4BD8000-memory.dmp

memory/2728-2352-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp

memory/2728-2351-0x00007FFFD51D0000-0x00007FFFD51F4000-memory.dmp

memory/2728-2353-0x00007FFFE68E0000-0x00007FFFE68EB000-memory.dmp

memory/2728-2355-0x00007FFFD4AF0000-0x00007FFFD4B17000-memory.dmp

memory/2728-2354-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp

memory/2728-2357-0x00007FFFD3F50000-0x00007FFFD4068000-memory.dmp

memory/2728-2356-0x00007FFFD51A0000-0x00007FFFD51CC000-memory.dmp

memory/2728-2359-0x00007FFFD4AB0000-0x00007FFFD4AE7000-memory.dmp

memory/2728-2358-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp

memory/2728-2366-0x00007FFFE3BF0000-0x00007FFFE3BFC000-memory.dmp

memory/2728-2365-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp

memory/2728-2364-0x00007FFFE5260000-0x00007FFFE526B000-memory.dmp

memory/2728-2363-0x00007FFFE46A0000-0x00007FFFE46AB000-memory.dmp

memory/2728-2362-0x00007FFFE50E0000-0x00007FFFE50EC000-memory.dmp

memory/2728-2361-0x00007FFFE6140000-0x00007FFFE614B000-memory.dmp

memory/2728-2360-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp

memory/2728-2374-0x00007FFFD4B20000-0x00007FFFD4BD8000-memory.dmp

memory/2728-2373-0x00007FFFDC910000-0x00007FFFDC91B000-memory.dmp

memory/2728-2377-0x00007FFFD4AA0000-0x00007FFFD4AAC000-memory.dmp

memory/2728-2376-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp

memory/2728-2375-0x00007FFFDC900000-0x00007FFFDC90B000-memory.dmp

memory/2728-2372-0x00007FFFDCE60000-0x00007FFFDCE6C000-memory.dmp

memory/2728-2371-0x00007FFFD4BE0000-0x00007FFFD4C0E000-memory.dmp

memory/2728-2370-0x00007FFFDCE70000-0x00007FFFDCE7E000-memory.dmp

memory/2728-2369-0x00007FFFDF640000-0x00007FFFDF64D000-memory.dmp

memory/2728-2368-0x00007FFFE1D50000-0x00007FFFE1D5C000-memory.dmp

memory/2728-2367-0x00007FFFE2240000-0x00007FFFE224B000-memory.dmp

memory/2728-2378-0x00007FFFD4A90000-0x00007FFFD4A9B000-memory.dmp

memory/2728-2379-0x00007FFFD4AF0000-0x00007FFFD4B17000-memory.dmp

memory/2728-2383-0x00007FFFD4A50000-0x00007FFFD4A5C000-memory.dmp

memory/2728-2382-0x00007FFFD4A60000-0x00007FFFD4A72000-memory.dmp

memory/2728-2381-0x00007FFFD4A80000-0x00007FFFD4A8D000-memory.dmp

memory/2728-2380-0x00007FFFD3F50000-0x00007FFFD4068000-memory.dmp

memory/2728-2386-0x00007FFFD4A40000-0x00007FFFD4A50000-memory.dmp

memory/2728-2389-0x00007FFFD4460000-0x00007FFFD4482000-memory.dmp

memory/2728-2388-0x00007FFFD4440000-0x00007FFFD445B000-memory.dmp

memory/2728-2387-0x00007FFFD4490000-0x00007FFFD44A4000-memory.dmp

memory/2728-2385-0x00007FFFD44B0000-0x00007FFFD44C4000-memory.dmp

memory/2728-2384-0x00007FFFD4AB0000-0x00007FFFD4AE7000-memory.dmp

memory/2728-2390-0x00007FFFD3F30000-0x00007FFFD3F48000-memory.dmp

memory/2728-2391-0x00007FFFD3EE0000-0x00007FFFD3F2D000-memory.dmp

memory/2728-2392-0x00007FFFD3EC0000-0x00007FFFD3ED1000-memory.dmp

memory/2728-2393-0x00007FFFD3E80000-0x00007FFFD3EB2000-memory.dmp

memory/2728-2394-0x00007FFFD3E50000-0x00007FFFD3E6E000-memory.dmp

memory/2728-2396-0x00007FFFD3AD0000-0x00007FFFD3B2D000-memory.dmp

memory/2728-2395-0x00007FFFD4A50000-0x00007FFFD4A5C000-memory.dmp

memory/2728-2398-0x00007FFFD3BF0000-0x00007FFFD3C19000-memory.dmp

memory/2728-2400-0x00007FFFD3AA0000-0x00007FFFD3ACE000-memory.dmp

memory/2728-2399-0x00007FFFD4A40000-0x00007FFFD4A50000-memory.dmp

memory/2728-2397-0x00007FFFD44B0000-0x00007FFFD44C4000-memory.dmp

memory/2728-2402-0x00007FFFD3BD0000-0x00007FFFD3BEF000-memory.dmp

memory/2728-2401-0x00007FFFD4440000-0x00007FFFD445B000-memory.dmp

memory/2728-2404-0x00007FFFD3920000-0x00007FFFD3A9A000-memory.dmp

memory/2728-2403-0x00007FFFD4460000-0x00007FFFD4482000-memory.dmp

memory/2728-2406-0x00007FFFD3900000-0x00007FFFD3918000-memory.dmp

memory/2728-2405-0x00007FFFD3F30000-0x00007FFFD3F48000-memory.dmp

memory/2728-2408-0x00007FFFD3E30000-0x00007FFFD3E3B000-memory.dmp

memory/2728-2407-0x00007FFFD3EE0000-0x00007FFFD3F2D000-memory.dmp

memory/2728-2409-0x00007FFFD38F0000-0x00007FFFD38FB000-memory.dmp

memory/2728-2411-0x00007FFFD38E0000-0x00007FFFD38EC000-memory.dmp

memory/2728-2410-0x00007FFFD3E80000-0x00007FFFD3EB2000-memory.dmp

memory/2728-2412-0x00007FFFD38D0000-0x00007FFFD38DB000-memory.dmp

memory/2728-2416-0x00007FFFD38B0000-0x00007FFFD38BB000-memory.dmp

memory/2728-2415-0x00007FFFD38C0000-0x00007FFFD38CC000-memory.dmp

memory/2728-2414-0x00007FFFD3BF0000-0x00007FFFD3C19000-memory.dmp

memory/2728-2413-0x00007FFFD3AD0000-0x00007FFFD3B2D000-memory.dmp

memory/2728-2417-0x00007FFFD3AA0000-0x00007FFFD3ACE000-memory.dmp

memory/2728-2418-0x00007FFFD38A0000-0x00007FFFD38AC000-memory.dmp

memory/2728-2428-0x00007FFFD2AB0000-0x00007FFFD2ABB000-memory.dmp

memory/2728-2427-0x00007FFFD3900000-0x00007FFFD3918000-memory.dmp

memory/2728-2426-0x00007FFFD2AC0000-0x00007FFFD2ACC000-memory.dmp

memory/2728-2432-0x00007FFFD38F0000-0x00007FFFD38FB000-memory.dmp

memory/2728-2431-0x00007FFFD2A70000-0x00007FFFD2A7C000-memory.dmp

memory/2728-2430-0x00007FFFD2A80000-0x00007FFFD2A92000-memory.dmp

memory/2728-2429-0x00007FFFD2AA0000-0x00007FFFD2AAD000-memory.dmp

memory/2728-2425-0x00007FFFD3870000-0x00007FFFD387C000-memory.dmp

memory/2728-2424-0x00007FFFD3880000-0x00007FFFD388E000-memory.dmp

memory/2728-2423-0x00007FFFD3850000-0x00007FFFD385B000-memory.dmp

memory/2728-2422-0x00007FFFD3860000-0x00007FFFD386B000-memory.dmp

memory/2728-2421-0x00007FFFD3890000-0x00007FFFD389D000-memory.dmp

memory/2728-2420-0x00007FFFD3920000-0x00007FFFD3A9A000-memory.dmp

memory/2728-2419-0x00007FFFD3BD0000-0x00007FFFD3BEF000-memory.dmp

memory/2728-2433-0x00007FFFD2A30000-0x00007FFFD2A65000-memory.dmp

memory/2728-2434-0x00007FFFD2970000-0x00007FFFD2A2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_to12mvdc.0sm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2728-2492-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp

memory/2728-2508-0x00007FFFD3EE0000-0x00007FFFD3F2D000-memory.dmp

memory/2728-2509-0x000001F54CB90000-0x000001F54D38C000-memory.dmp

memory/2728-2510-0x00007FFFCF1D0000-0x00007FFFCF245000-memory.dmp

memory/2728-2507-0x00007FFFD3F30000-0x00007FFFD3F48000-memory.dmp

memory/2728-2506-0x00007FFFD4440000-0x00007FFFD445B000-memory.dmp

memory/2728-2505-0x00007FFFD4460000-0x00007FFFD4482000-memory.dmp

memory/2728-2504-0x00007FFFD4490000-0x00007FFFD44A4000-memory.dmp

memory/2728-2503-0x00007FFFD4A40000-0x00007FFFD4A50000-memory.dmp

memory/2728-2502-0x00007FFFD44B0000-0x00007FFFD44C4000-memory.dmp

memory/2728-2501-0x00007FFFD4AB0000-0x00007FFFD4AE7000-memory.dmp

memory/2728-2500-0x00007FFFD3F50000-0x00007FFFD4068000-memory.dmp

memory/2728-2499-0x00007FFFD4AF0000-0x00007FFFD4B17000-memory.dmp

memory/2728-2498-0x00007FFFE68E0000-0x00007FFFE68EB000-memory.dmp

memory/2728-2497-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp

memory/2728-2496-0x00007FFFD4B20000-0x00007FFFD4BD8000-memory.dmp

memory/2728-2495-0x00007FFFD4BE0000-0x00007FFFD4C0E000-memory.dmp

memory/2728-2494-0x00007FFFEA1E0000-0x00007FFFEA1ED000-memory.dmp

memory/2728-2493-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp

memory/2728-2491-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp

memory/2728-2490-0x00007FFFD51A0000-0x00007FFFD51CC000-memory.dmp

memory/2728-2489-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp

memory/2728-2488-0x00007FFFEA470000-0x00007FFFEA47F000-memory.dmp

memory/2728-2487-0x00007FFFD51D0000-0x00007FFFD51F4000-memory.dmp

memory/2728-2486-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI12842\cryptography-44.0.1.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

memory/5480-4916-0x00007FFFE50E0000-0x00007FFFE50EC000-memory.dmp

memory/5480-4936-0x00007FFFD39F0000-0x00007FFFD3A08000-memory.dmp

memory/5480-4935-0x00007FFFD3BD0000-0x00007FFFD3BEB000-memory.dmp

memory/5480-4934-0x00007FFFD3BF0000-0x00007FFFD3C12000-memory.dmp

memory/5480-4933-0x00007FFFD3E40000-0x00007FFFD3E54000-memory.dmp

memory/5480-4932-0x00007FFFD4450000-0x00007FFFD4460000-memory.dmp

memory/5480-4931-0x00007FFFD4460000-0x00007FFFD4474000-memory.dmp

memory/5480-4930-0x00007FFFD4480000-0x00007FFFD448C000-memory.dmp

memory/5480-4929-0x00007FFFD4490000-0x00007FFFD44A2000-memory.dmp

memory/5480-4928-0x00007FFFD44B0000-0x00007FFFD44BD000-memory.dmp

memory/5480-4927-0x00007FFFD44C0000-0x00007FFFD44CB000-memory.dmp

memory/5480-4926-0x00007FFFD4A40000-0x00007FFFD4A4C000-memory.dmp

memory/5480-4925-0x00007FFFDC900000-0x00007FFFDC90B000-memory.dmp

memory/5480-4924-0x00007FFFDC910000-0x00007FFFDC91B000-memory.dmp

memory/5480-4923-0x00007FFFDCE60000-0x00007FFFDCE6C000-memory.dmp

memory/5480-4922-0x00007FFFDCE70000-0x00007FFFDCE7E000-memory.dmp

memory/5480-4921-0x00007FFFDF640000-0x00007FFFDF64D000-memory.dmp

memory/5480-4920-0x00007FFFE1D50000-0x00007FFFE1D5C000-memory.dmp

memory/5480-4919-0x00007FFFE2240000-0x00007FFFE224B000-memory.dmp

memory/5480-4918-0x00007FFFE3BF0000-0x00007FFFE3BFC000-memory.dmp

memory/5480-4917-0x00007FFFE46A0000-0x00007FFFE46AB000-memory.dmp

memory/5480-4913-0x00007FFFD4A50000-0x00007FFFD4A87000-memory.dmp

memory/5480-4914-0x00007FFFE6140000-0x00007FFFE614B000-memory.dmp

memory/5480-4908-0x00007FFFD4AC0000-0x00007FFFD4B78000-memory.dmp

memory/5480-4912-0x00007FFFD3A10000-0x00007FFFD3B28000-memory.dmp

memory/5480-4911-0x00007FFFD4A90000-0x00007FFFD4AB7000-memory.dmp

memory/5480-4910-0x00007FFFE68E0000-0x00007FFFE68EB000-memory.dmp

memory/5480-4909-0x00007FFFE6950000-0x00007FFFE695D000-memory.dmp

memory/5480-4907-0x00007FFFD4B80000-0x00007FFFD4BAE000-memory.dmp

memory/5480-4905-0x00007FFFDD4B0000-0x00007FFFDD4C9000-memory.dmp

memory/5480-4902-0x00007FFFD4BB0000-0x00007FFFD4BDC000-memory.dmp

memory/5480-4901-0x00007FFFE4850000-0x00007FFFE4868000-memory.dmp

memory/5480-4898-0x00007FFFD2E50000-0x00007FFFD32B6000-memory.dmp

memory/5480-4899-0x00007FFFD4BE0000-0x00007FFFD4C04000-memory.dmp

memory/5480-4915-0x00007FFFE5260000-0x00007FFFE526B000-memory.dmp

memory/5480-4904-0x00007FFFD2AD0000-0x00007FFFD2E49000-memory.dmp

memory/5480-4906-0x00007FFFEA1E0000-0x00007FFFEA1ED000-memory.dmp

memory/5480-4903-0x00007FFFDDF50000-0x00007FFFDDF65000-memory.dmp

memory/5480-4900-0x00007FFFEA470000-0x00007FFFEA47F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI57362\_tcl_data\encoding\euc-cn.enc

MD5 c5aa0d11439e0f7682dae39445f5dab4
SHA1 73a6d55b894e89a7d4cb1cd3ccff82665c303d5c
SHA256 1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00
SHA512 eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b47ffe20da84460d478fdfec047f43ab
SHA1 4e223b65b1e7eb4a9c101fcf3f53427ffa50946e
SHA256 c262230730c75b52b53777a3f863f04635ff6dc7bcb5c888dec293283d60703d
SHA512 9ff26178542ffb489a4a9c218cd419405cb8597acc4d0153ca2b607e2f31fe0e26f3d32013038be51afe5d8509afe9143eaea29a684a430520fd4eb0dd0a40ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ae2fe6ba1d696445789930adc7cf2b29
SHA1 073e4130ecea1b7f981cbe43a75cf813c76269d0
SHA256 df635a5cffb201b971938566e4fb78f944384a8bd4a6eccd1149e21c3af2e66c
SHA512 dcce8d3c9622bc1408bdc7c228b2a90eb940b4d2d41f711121ecc7d7bf7869e1b3415b369347d3abd9dfe19102f4631d021a2bab337d2f6c8c4fabe2be27e1c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5adffde8c752a862051180e603ca4e9e
SHA1 a6ac600632b7029ae956cc194558621224b19828
SHA256 2fb8f809a7957e61ddf50bded9af471466daece7ac5ed7c66d207554fad14f2b
SHA512 eb840bd89e9d40a9a85eb8d159a6a9e2d682e71f5d7c10c69996e2d8263ef227867e27b56b86ec8c717513da909dc853d75414fcc131993d3eb59e35f809b032

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5f4ba70d785cdbf1671932f1bdb5f633
SHA1 9cee09b82f167c573e86dfe4035abaf05cf2fa45
SHA256 75342c5ba8b4e6c94dfbf7ae865801313eff260d0f5ba9a6868805df5a833f42
SHA512 894f5ade49acb48e7ef91c24ea9a8426fdb85e5b2e5b69df7e3585094c4ea261d5a3b34a5d3a72c44eb964bd892e3308f41afbc79675a3f785bf325a3b282ebc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7ebb080c885844aa13a4a06b1067d46d
SHA1 c23e9d3fcdb0719d6c6729533e95d1898e7fa7b5
SHA256 88fcf63727fd30fe6ee3f230cc24867bc7e3e5ea6522508e3b9247ced5ba6460
SHA512 aa96a70a9cb035a3114b2e37a86b59b25358314c2736967dbd8e7aa49ea032d8e5aa819e3a1d0e5c6956f900926f070b534f7367f0a135bd9659769951955e3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 56a64fb026834f2e9c4306f41102203c
SHA1 6b1f1b81e35963769e0a48bdf944923e2ef69144
SHA256 0db72ee6be68f64a477179302013692538467420aab25b9fd6e6a5038e5fba55
SHA512 d55c013878acae18e36e6d9cad4396faf52941d85d0f17fd7d0e4647358eec79b3b3eaaadd6504aa96e628a518c164b575866baccfd9de0219aa1eb0dc46f5cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 56f735ada68fbd85cc8b546b009f9771
SHA1 4420f0c799d35866d231fb2a45f86c5549d6cd96
SHA256 a064190bf85f49bdb72582381d7bbc7f863dfdb69114b118722e936ee506c1a2
SHA512 588016614f02ccd9ca3610addba6beeda5ed1a7e1422e5795626c3971921aafafd31888d7c85c4fb08136b8dd60dc4d54278c23c25f8ac93c1791601d0efcebf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ffabeb5ac4076a81bc5f63b6100625f7
SHA1 6262b01606e6d720b55d734660ab5d0c73fe3b57
SHA256 162f8d2d82c3822629a764bc7cd1d63e364bfab6f4e44a398592c049d2c77517
SHA512 21cdf7b617048121cb7555486fdbc2ab3c0e9bf822bbd76636b180546f24b06498f0f311523018703ae006904de0bbc9b276d8dc21e23dd95aeb9a5e6eea28a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 61e8cae8fad86bd9161fdf1d174e7e67
SHA1 234987a331ab8ca220a2db4cd9f3b48882a5b881
SHA256 1341b38d54fcdd6ca6d77126ec6a6700083b4ff4af2e343d0162784a7ff884d4
SHA512 36413366e84a02fb37133b139647eaf43a79f9c23bafd9031a741fd9e5953ac1154e8f21c58ed5c8fbadd8a1afde39ca6b2a84d8b6ed5b3c4c758a7afc02a8e6

C:\Users\Admin\Downloads\Nicht bestÃĪtigt 130743.crdownload

MD5 055d1462f66a350d9886542d4d79bc2b
SHA1 f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256 dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0ad8d3ae13c657f5e6e11f9734c59ba9
SHA1 f0ecff3c0b85d3cd462a57a7a930035aba58fc70
SHA256 a382123bcac576844ff4a9e12d97b62942dff539d0ebc51a4ebc630565b244a3
SHA512 8fb8d8363540435615b4091d7c0ba49e67151465fe937c45ef743ac356e635ba22b7f4e51c5bc0e5b26083aa8445c901e0d4f967bdcafe0633bc7fb0d2bd5d03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5836b219472db8eba6d2e0927a17f1da
SHA1 4a5a030ccddf94b9694912a4aa16de2cedb9802c
SHA256 6e98347d755b45db16b9f1f25e750ceb709d72102fd85b20875b13c2c46114c6
SHA512 92a71851afd8066535347afbce07c29f6e9c102899bf107d451ee767d07d5db20aad9cce75882fa057c5bb26a011a52aa67e3c5db1a1cc8d29eca28f864ac530

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-56974F64.[[email protected]].ncov

MD5 4f963da044a93a9ab6e8c6b2a1726234
SHA1 82933864db85328b30536b20b7d9f12a91dcf65c
SHA256 798e27cf62c8bf90d4cf64491932d65b3a5ca368e0efe5b32a129ee4d9e94658
SHA512 f3a9e8e5e8a60b241adf4129589698eac7e7a1e04c7a7715fdf2ea92f2d0e81e8b09d15c85915b0f19de524153bf6e4540c927c63e77f94d8db678839668a0ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ac33a1cfedbceb2c2a3bee5f60656b65
SHA1 b8dda94849e51b5f3167aa7f180abd1cb89a4fde
SHA256 a93d2876b33b3f3720447864182b1cabde783e5f14b5dfd3525cb607303ee9be
SHA512 3828d0c1c6fd34523c5048e4cc2453bd4bc8596be40d996fb365be55fa17fefefbce2052a3127df24465100db6616f0a9be49ef6c2d5c9a4601fe8a5cbd863f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe60f699.TMP

MD5 36af9ff57e1f62d29211d13e0837a874
SHA1 e930eb49a5f075dedf6b3c033c57fc05650963b3
SHA256 85480be0d62121b89e5cc114d6da1399ded490134d61b780d90d8166b04219a7
SHA512 aeebcd78bd66e9b32c173808fb9621d2f38c641646f1fbd10327ead9e5b0be5c8e04dc84c55da34a52ce44ff1fbb9bc8dd695e8d966bd46fc3abc21a5525352b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

MD5 f2b7074e1543720a9a98fda660e02688
SHA1 1029492c1a12789d8af78d54adcb921e24b9e5ca
SHA256 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA512 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b7a8956651551a1cb59852727ee26427
SHA1 8d5920a05a4dc4b663436e461107e1b14da24481
SHA256 c20bf97f0d810fa8d60d43bab278f9d591613e0f4105f8af4c1a1b6b77441a0f
SHA512 d0b3fb414ccefc0e19875e7d913f5c814988447ea3548c2a1aea4255ae168e9da6a2ff25acc3b52106e1f4ef6d6f4381cc5a62ac20edd9e23a8e95f47e5e8363

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 38fdc39fa66898ef8be31a30d559a261
SHA1 55f1aaeff039c5dc4144aa9efbd8634b45d3a9e1
SHA256 5056a7cdd34bac64b045abd553f1e780685c5e43c16cd3515c4bdb54cea34994
SHA512 019c180126674543d2175156ea9e25d98065b0f1db8ab1ce0ef9516d416909ded69cec7e8724310ddbad6abc48db8f6c76db5bbf7516deb3cd348c71adf30eb2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe615a45.TMP

MD5 9867d80e8457a642c105b9cee5255d2c
SHA1 9ca4983d7ec247b1b88a0bb6b1faa4a385a7a4b4
SHA256 a015f926049d1cc9771a59e254ecda259d1b0f1bf7b8c9265e17e06efb6c8dd4
SHA512 5cb373563b7ba18988b2a5694fea8c5117330cb4b8d1c736432eb349b3986fed77ba6242c1e4ba0c60bd849474fb4d67067dac3565a97bbefb3a405e4a3fdec1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e6ed99d98236ffa9106bb84cf70e2d1c
SHA1 aee32a06c9e4554b5564e567e04fabb5a2bd0dd8
SHA256 cab12f387337a7c9e5dab6d2094dec689713bad09581a705a165905eae3acfe8
SHA512 d8c5f5f64fe9bafdfbed0728f81bd0938f69a4d36a0fe7124cf6c5c0bcd07a50d6fa0dc4dd8b5b5c90e72231d7f9132e93675792fc5aef213070e0b02665b535

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 4ddd05bde00eb3ec20c2c85feea81fa2
SHA1 94eb4cc907215bb704d6c93a325ae5e6354d95fa
SHA256 b94644f1de4077247c127ad0f4d33e742fd1a2509a9909061eaf7ad71e66623f
SHA512 17b1ecc0aeab275f13b7ed78009de4e97bc428513935f568bebe66f06a30c4fb4857bb3ce2c19661eaf618020f53f1b6e6a9184971db39b31bdaa74fcee5c522