Malware Analysis Report

2025-06-16 06:31

Sample ID 250515-pf8glavqx2
Target https://github.com/Da2dalus/The-MALWARE-Repo
Tags
defense_evasion discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence trojan

Modifies WinLogon for persistence

UAC bypass

Downloads MZ/PE file

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 12:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 12:17

Reported

2025-05-15 12:18

Platform

win10v2004-20250502-en

Max time kernel

49s

Max time network

51s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\7ev3n.exe N/A
N/A N/A C:\Users\Admin\Downloads\7ev3n.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\system.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\7ev3n.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\7ev3n.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SCHTASKS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SCHTASKS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133917850573289134" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-186956858-2143653872-2609589082-1000\{56EE996B-4B2C-4C1A-A76B-6DC8063771A6} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ffd8017f208,0x7ffd8017f214,0x7ffd8017f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1900,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2296,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2396,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4240,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4296,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3672,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5300,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6068,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6348,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6184,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6604,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6924,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5292,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=120 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6416,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6592,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:8

C:\Users\Admin\Downloads\7ev3n.exe

"C:\Users\Admin\Downloads\7ev3n.exe"

C:\Users\Admin\Downloads\7ev3n.exe

"C:\Users\Admin\Downloads\7ev3n.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat

C:\Windows\SysWOW64\SCHTASKS.exe

C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

C:\Users\Admin\AppData\Local\system.exe

"C:\Users\Admin\AppData\Local\system.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat

C:\Windows\SysWOW64\SCHTASKS.exe

C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\system.exe

C:\Users\Admin\AppData\Local\system.exe

C:\Users\Admin\AppData\Local\system.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 10 -f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 10 -f

Network

Country Destination Domain Proto
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 clients2.google.com udp
FR 142.250.203.238:443 clients2.google.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
US 150.171.27.11:80 edge.microsoft.com tcp
FR 142.250.203.238:443 clients2.google.com tcp
FR 142.250.203.238:443 clients2.google.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
GB 2.18.27.68:443 copilot.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
FR 142.250.201.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
GB 2.20.12.74:443 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 140.82.114.21:443 collector.github.com tcp
US 140.82.114.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 140.82.114.21:443 collector.github.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 13.107.253.64:443 edgeassetservice.azureedge.net tcp
US 150.171.27.11:443 edge.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 20.26.156.215:443 github.com tcp
US 140.82.114.21:443 collector.github.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 blockchain.info udp
US 104.16.117.55:443 blockchain.info tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.17.172.30:443 www.blockchain.com tcp
US 8.8.8.8:53 jaster.in udp
US 104.16.117.55:443 blockchain.info tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 jaster.in udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6eac9d05429a9358b608d44d94784e10
SHA1 73395ed98fee0a7a2f8585c37a8811bd8837585d
SHA256 0bf0ae5a65a11d2714b2ac12a424cd38ed0a8b7e7530ec59362786b1a832eb60
SHA512 235731c2c6a85f6ada201f4e4c061ce7db201a2e82c04334a5bfcbfdba60f9ac1b99a06e9ac1e9bbea1651b16747fa4e44f68f6882a960671b6b613f51213c18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 335b5f0a113217fe3a3239ed5dda4074
SHA1 23822e61321ef8db2779fae56e60e5352d2de171
SHA256 a49f2757c1e5555b00072f9e4d0cae98a7ecc3d5536169754e630c246b4301be
SHA512 9057b96c6893e958622324feeb03902b71c7541521a6a5a9ecd89d6602f3e48185eac69c1a423d40f25ca5b82a6a47149523b1901746f305c3e692c6ca916b91

\??\pipe\crashpad_4852_REVSQXXWHXUQEHNA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3c30feffbcbe8ee124ab3b99c760e656
SHA1 91d02559047694caf0144ed99f17d96aab6941aa
SHA256 5324790121264f471321603d73d3bd4a1156e1336b3d941d9cfa9bb02a75e16e
SHA512 b33f6d658b7a93f493587ee60799a80c49774295a0e1230b419bef1c321cf0168cc2ad90229c830472e9df816520edb862eb323d130eafa6b8a7f4f4c7b919e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3913928d36a204b8c7a09f9664615308
SHA1 6f5a2afcf7d4f9ba5d201c4575ee7ea5cbc904bc
SHA256 5cd63a20006de4c006a47a6b3a922a53b15bda4fbfd14e77b8a5416583c8f9b9
SHA512 25f2410c171fb2c64bd4a3706a3a3b5de6f694cbebe555cc223996fd3a16d346737594d4cc09a737484d8a5e3a0ea33e0705ac60481b51857bdb3127a7996145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 0f3c30bfda72b02923762fc21990399d
SHA1 71d38559bb04627872797a501c5fb2fa34325116
SHA256 53401ad0f9facbc860bbc6636059e51e21a918a679b001cce8bf3998af0e5d2c
SHA512 89adbd09ee861a282efb10695acd85964c688b8fc44bb7cdb469f4d4f9a559951f9d2af7d03b8f4f74014e5f68815a2765a95866bdf184f0dc2700b94dd0bb40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 06d55006c2dec078a94558b85ae01aef
SHA1 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 e0552c8f875cc8efd7141d8037a9bb0f
SHA1 623fba08922caa5bdcd411c150d512d549d734df
SHA256 2986a8b58eb0b3a77f61b9829025902fbc9ed5ea18677bad94724baffd20f49e
SHA512 c01897f2cc926d5b955dadd61420f824750da50ee40e92e6034baa40f6142751f804e237150908ac1a8ad5bd57ebac0fffb907752216186ffb0b3c83eeb46341

C:\Users\Admin\AppData\Local\Temp\scoped_dir4852_1946365388\4f6e1ef7-ca6e-4e58-83a2-8a617ebe9315.tmp

MD5 b0917d8e6c5b6be358bff67f84eb8336
SHA1 a6e221edcb19a1cc81575b4ddd927fd9a6fbdd6d
SHA256 dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60
SHA512 cd5822bbf91e8f7f5ab2b471a4bf8b464bde95465e2fccc6a57e5a287ca55d5062bdd6d4b3cd76f8529ee7a9081b6a7aad7dc2a7581c344ce4fd2d3256bdf451

C:\Users\Admin\AppData\Local\Temp\18f7a337-4f4d-4e1c-a54d-26f322cdf84a.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\d6728042-a2a0-4d1e-a757-f224b9d7c0bc.tmp

MD5 78e47dda17341bed7be45dccfd89ac87
SHA1 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 981ec649d9b8e4c704413c33d01296d4
SHA1 9f58138ea4ff24b0766dcaeb5f235a24073357d7
SHA256 9cfbdb14ce0bef9c3e8cfdcbe9b7df7124b2fa2ce477a1dc42ef1b9f7e334410
SHA512 041bf0a16929d7906cfeb044a2cabfd53115c59d2d79c5fd93fb813498e3397f43ada10de95404758806c71f978f7824bb5757c70fdbe64cf1af9186e4b56e85

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist

MD5 0f7dffbf03b1593316932f7b699ef98f
SHA1 6fb213aca5dc6e4f4290c1237c6b2a6bd55ec687
SHA256 a68654909d1a137d469d0e92182cdb546171cd10dd454934f34dad32c43a6719
SHA512 27dcf44b063cef3099c9ef88c6b29effc264d5a3418f1a957f2738b6dc447f813f524cdde0b04de754ea99a4b78ec07724359a91fdfe487acc55c34bdae82bd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

MD5 3d20584f7f6c8eac79e17cca4207fb79
SHA1 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 992a6d018842b732b56408d48be21f73
SHA1 96731bbf8d0fcbbbc4ce01a1fc41b624f749425a
SHA256 bc528406d0fd02bad94a0c0ea16e290cd9b9e7f65874ef9c860b70ca3c17c788
SHA512 d445431b9b80b417900ea403393835c9ddac9cfba1eae40c0b8a00d28ab82dd918f8163a2f7d4864f86a91249a33db62ef1ea4fd110a86a15df7a21c6d2a1537

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 fecba82b60020ec832a7a957868be42d
SHA1 65ccacc0266438e80d97c0d62f74141d2043331e
SHA256 bac90596627d041137fa7f448482834b8f9c3cbbe0f71bc67a0814b6d002b7c6
SHA512 c06de43ddc9f36375ec5d428b301705fd0093b8d187f08661e4f884a7544f2a8c972ce5d6eb52bb3280c843b2384edeec90ecd91a059f5ad7d61f6e16c002c1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 33569d537b72060771829de4c42878d6
SHA1 4488605cf44996e0f857c26a7874ae78195c1734
SHA256 66d5d175ce30c225b597ed5bbb817b1e809cfec1d6c7fae33ab767e6a6270dc0
SHA512 80d015921d4cf778e583d1f97022fb47b6150f78eaf362fd4fdbb70403213ce1a62ec73321edb19d45d125570686a3c002b2eaea645162a92ff763a1446bb0d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\Downloads\7ev3n.exe

MD5 9f8bc96c96d43ecb69f883388d228754
SHA1 61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 19897975fe723784fffa1e23c74f72b2
SHA1 595f9a3f5f802ce6ba534d8dfe5033d24c1c8acf
SHA256 0ae64d3885576c2b4bd131f3dad61aeffa4358e52b448d00cef9f9c022959d6d
SHA512 0c58428e907c63c127d71d356b1913bd57b69fe93c8ffad10f26a590b994b0a9fb95afa7b0d1ba081feed8b515638f67b620b846cb64961c5def62842dd538eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0800ebb538dcb3ec8d9d2517ff5ad687
SHA1 4ca4a2699caf0f5ef67ff4ce5c090e9cf3b7fb64
SHA256 52cb76d1174521f7ba46a75073f96983d7f4c2c1c44606ccfa3d152f7ac450d0
SHA512 e38573222396e3dc46f46c362a6daf05affdac8e5b437bc30e1a2695332dc59c75dcbe60fbfc8167f9d7b4e1089fb5eecce703881699ab8b2cfd05604351c9ed

C:\Users\Admin\AppData\Local\del.bat

MD5 f62904abb27a3574e2e6121349ab4955
SHA1 35b3504f1d6bc88638a0721cf3d898eb0f95092a
SHA256 d31225722321313554e736bcd9debc4cb4c5ed6dce3921fa7839162fede832b6
SHA512 e8d1cf4c6a745790b2eaf4b3618703337313e3f561ba88982bc1a139aa4b5b29fd5f78f925e5bd12669eed74ca78510f6d6b1ce091bc55299057d2b2e867fb4e

C:\Users\Admin\AppData\Local\system.exe

MD5 664951ba540b089747bc369e23b94b35
SHA1 56e4d0cadeed041afb420e474cfb801302ca6657
SHA256 075f66245f173858a6a79cd123fce181719be00e4223faff9c7f42ef2ebb8cf6
SHA512 3c36e3e2ec3571346406d7d8bfa1de098ff81960eb21269e6d2c6695fb5fe935add476384bf17b111efafb69a6529aa31e209879ad7006cad25dc2ee0d377cc6

C:\Users\Admin\AppData\Local\bcd.bat

MD5 d20a8a43094ea0dbd522bbcd49532502
SHA1 a14fda6177bb86e7623e5c42d9c50473edcc8bd2
SHA256 1acd8fa1bb77825270abb801b6fef7cfb02598e4eb77911722cc1d389b4cf318
SHA512 84a1a5c21a69e6d090cc0cdf4731fd4bed52781a8ec17322f35ef085bbd38a516c1d9c0cef81b6ad154efb396e8d3f4700e496e1e2b24b238dac397c0b72b662

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C

MD5 4bb46684744cb50f1ea8dcab9bcd57a8
SHA1 dca72af767f41850a2829d11e45337d04adaf156
SHA256 343aeea64fd0e63634d72b4973d489f652d5ff0c9df4caae2b1b03e5c298ec1d
SHA512 56672cc0069829428f6cc96fbfea6152b29622124080ac890d8b36f3a37356eb35d50eb6ef6d4908e02c663786749c56235a0cc75fe63a0acf6d9eeb6111d696

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C

MD5 8a00e6137d0061dd25fc1fbc9a0a7f71
SHA1 8790ef6916d27577410fb2a1733b894712de2970
SHA256 1edca1890998f378540524596f1385066977a017e2543d881284baaa7671b5ea
SHA512 efc024bf039d4bf0ff9953533ea2a8dde377896e2c63214d68f1c57c9cf797f2692f628e9544da55c6f855fca7ee690015c797810cf2644d136443603608cc70

C:\Users\Admin\Desktop\GetConvertTo.docx

MD5 5d65759737acb63b5e5245aa6b5545c8
SHA1 902c2d147c9cf9088d832c4a08555fc84d8f66ce
SHA256 fd2f8244ab6007ee3a56478696ae03ab29a2cdd71ebb4b0cb1ef985cff984751
SHA512 74f9d9258117c7d25599b126687555633bcb2426793364f58f7d7f0e00dd0b23581fb938da393c3c2c69efd5df218c130fa74d92a9f61e2c3e6dcd3d1abc2d5c

C:\Users\Admin\Desktop\3.R5A

MD5 43dad3bc2dc454ce0f14fb43223e2c79
SHA1 723cfe09815c89ebef6cb7099cde5aabaa10663c
SHA256 a2cb77e490218d0e13131ce1c10a2ff7385b0d2d61d55a3c9bf46d4e2f2f6b93
SHA512 9843c6771676c08885ac6b2e8c5caf456c1f93406dc6c7b51111cf9eb659c33c6734b77126021a572671e1c57858bac261d86fbb88feb22dedde48762b0b93fb

C:\Users\Admin\Desktop\InitializeRestore.docm

MD5 bd90ebed0def067cf3e7a7a1d7bc1235
SHA1 ce4f601d938fe712c09d84441acbab0a8cf3dc3c
SHA256 db4f8be104df43ac66816058f5f9f5d8b0ef6915ce120685931da86a5c7452a4
SHA512 15c3eae0947fabe8ebac3409fe9942c474df76c09c80d79d05113f036bfe8883609a639569e3e1ab8ead551f9bd53d7e496d7e7cb580c7995631330f9fa56358

C:\Users\Admin\Desktop\InvokeUnlock.xlsx

MD5 679aff293c7de1c5e11707ae8c4a0828
SHA1 49d33f0b34c8e44105e3c45920b41a2a1e4df260
SHA256 6540caca27f73a4c3e7f451249a1f5514fd294e6a9df5c6b44b81e2cd375f241
SHA512 d38748963c788e42bc05ffacddb77d8e1c4219010b71c033d236fdf76bb24929595f6092eaec9a4a19c81b8795d8a84abf466a7c4ffa4deff971ef01356cbaa2

C:\Users\Admin\Desktop\InvokeUnlock.xlsx

MD5 cdacff188e1a06c9f4dac3b0d6d5ef32
SHA1 468f782f86883a820f2e2fcfefb4cb76c4d579bd
SHA256 3b4f0fafe180e7503ad1f49b686ec0565bbae0b79c00ea2075226224b23dad87
SHA512 d0cff54fe2ecad69f5b679f7b4a7ab0bff28354438f85a638dbc25abe438b690f4a776167b1af5ceb267ede76ebedc51a35b3160a81663434c5bbd503219a852

C:\Users\Admin\Desktop\PublishEnable.zip

MD5 47f80b1a84a5ee3651b6d9e1f71d3ac0
SHA1 7e23c0d35453b9a58faaa21ceb42c85c7b183aaa
SHA256 49c814c0bb8a721e511cc8e563d0e46a9180e3a43043327a964b534f76d29ae8
SHA512 744d3220971d6ccdf6bdd3afc257e118911cd847d3267f331b2c1c9bd95559e49b90225fe9ee6cbd8011cb7597f9d8a8cff4008ab4419d53401772b4919bd230

C:\Users\Admin\Desktop\RemoveResume.xlsx

MD5 3b7d794e357abb4b18c170dd6c0c7212
SHA1 e7c4bae6d57daef181053f480ad88a8b10298ed1
SHA256 0de5ac3d136384bc254013057972bc38c23ae5618058293bef2960ee1315410b
SHA512 a213494a163e0637bc97dc6611fb87e6a1a9dfc197e72e08d4942cd63f0007de83abb49085bae88d7e529337b4182385661d95bd2a5d5e2cffa6efc5f6978345

C:\Users\Admin\Documents\FormatMeasure.docm

MD5 a45d277d96580e6eda9a1bd160256d10
SHA1 569e6241b8754e0289bf38fb2ee774cffbc591da
SHA256 1cc5c41e3f82842afa4a33e8f7737a5cf0668b734a87211f79dffa43b2b0c73f
SHA512 3e40dedfd5b4c54ec90c187c6be211aa3f030d97461ca7509f24773556b9cd6d4d27a91e23473e48b0deca56a72ae056fd445d021df19cc4f60a7e42c78d0098

C:\Users\Admin\Documents\JoinRestore.xlsm

MD5 9d7f22e8295639e1488f816cecd8a156
SHA1 1f0701f0f37b824c1754f5c96f471f9735e70a16
SHA256 9d56d159956d81616a4e5bfd7d658ea09c2d672bb7b0b72ffd5de385c63617c0
SHA512 4922bf640a4e29fce1bdfba0ed46593f9db340b3de10a7e87d73ace6237a77d0ac4a578457db525f06c644a7c19e10375d92626ba54c08c8760906bbb6632e2a

C:\Users\Admin\Documents\SendCompress.xlsx

MD5 09ab66a07fe711fda0db7b30f25f2eeb
SHA1 5eaea0372804b3838afb16b4f0612c88b9847f7d
SHA256 c17af3b3ef613673ea9279bb0cec487fb1b859371e57b8456c32208a5da6c4b8
SHA512 9dd37e98250dcd04ae6fb225b3d4cbcb6358f951b7e2f82fc2be6733c9730d61b58ac29564f19b8a5351563c3b6a09df038a55b81a38178b263902683a48ab24

C:\Users\Admin\Documents\StepDisconnect.xlsm

MD5 6d7e80c784b2fb2a799f651dea654a52
SHA1 d64f92429f768ce17cc7831a92dec2f9db7e8eb7
SHA256 97473355e3a94548a3a29bde1312fcdc817cd863e9abd2102b6e8290ccc465cd
SHA512 3d67cf337ebc54a7541aab62f5956aed9a909cdf24bcb6550d0e69c382c90e101f745d23ccaceaf95d9b74630d0f372286b01b2d1aca83b91188006d25a9d067

C:\Users\Admin\Music\AddInstall.jpeg

MD5 2d2bf698f20585bbf9f491f12b4fbc1e
SHA1 3fbe4d594a5b5c0bc168de16750900ea8ca6fa34
SHA256 dc3196ee640ca5c25ac9c39227b8c35fdbd247fd24693da37a9032ca8e94132a
SHA512 569cbc2008bf7a67f7c6f9ea1ca847de61bb1de9c374b105629a1f39649965c9f13c55a6d94e2c1eb51086721bc42b265715af993a9d97ba4c808fdf936392be

C:\Users\Admin\Music\AddSync.txt

MD5 6afcb88e4eff1f2951ec8b7f81f2abee
SHA1 35d17e144a302c0350cbda008d2c66186fed809a
SHA256 84ec4893741527915329d8a6542ce1c5205f84a565aacd983d35a7e47857e811
SHA512 f54160ab01fe1eeb6711afd36fbfb21f538705de19068b7efece964c16af0b6d35c8cd22911b8a8296664433562fd7f3d7f7780510cd4e92d079321a8c95f77b

C:\users\Admin\desktop\FILES_BACK.txt

MD5 414a6626aa5c9ad7ed01f47911dbbe67
SHA1 52c11224c6c5e3c9564a2a7760fb81a18f409a6f
SHA256 78e8a93a233bca93ead02d7554ea47625d576d57ad6cddc3d2953218db01502f
SHA512 f677b8e6c6aca9232111ee4455443a64d7807d2fec6feba3cbb22e1f2418b3e32f3784e446eb6ec7c9f00829683d6473d4f35e18800386f020e11f912f7f209d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe584011.TMP

MD5 c4f3862f9d9f357b4a1e7ebd0c320203
SHA1 132b9642ca092f6a9bed64e09d1a3c2c83104b6f
SHA256 25bf9f4f090ddd54b863ecd25c0396c5679a553557a1a56b093bb69cdd31801e
SHA512 73ec3e6462304fc05c7bb7dd7e7ce244607454a7851cefd402048a16667599072e0b706fa2671b4e31dc7c0139635ddfe7071ea3ffe4f38fcd7965a747d446e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 72f9919a0f89756aedda8b586df3ea46
SHA1 db50fd96758df4413fe91011421cf4cb3295a284
SHA256 35f9f874be8ee89044941e5615d93ec583067c94f61f6b7ca1b073097fecef10
SHA512 d3a179542db576a647178068ff42086706912dc1e50c37b40ad28d65468bf6b52d5d32575a5cf5eaec171d66704b1b4edacb17b07cfa0684c6c8336fdaccbd03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f374c0586db4e012ca6aec36e83a6d4a
SHA1 b040b017d8e3c79bcbfa7fd80390ac5d46596be1
SHA256 fd249ed8272ba02537f5195726ee8a9477801c136dd6c61588725f2624a47699
SHA512 85f1f3f668a021425725fae2f21bf355336092f3f4e16603a1b1e0e57ca1f48628136ace4312d9da33b53987bf4286d3b509c0248507fa30e314bd5240904e90