Analysis
max time kernel: 1100s
max time network: 1091s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 08:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.onlinedown.net/soft/10025163.htm
Resource: win10v2004-20230220-en
General
Target: https://www.onlinedown.net/soft/10025163.htm
Malware Config
Signatures
Creates new service(s) 1 TTPs
Downloads MZ/PE file
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | 口袋妖怪珍珠钻石_2_10025163.exe
Executes dropped EXE 7 IoCs
Processes:
  pid | process
  4344 | 口袋妖怪珍珠钻石_2_10025163.exe
  4996 | 口袋妖怪珍珠钻石_2_10025163.exe
  5944 | FLMgrTray.exe
  860 | FLServer.exe
  2084 | FLMgrUpdate.exe
  5536 | FLMgrTray.exe
  5824 | 7zG.exe
Loads dropped DLL 37 IoCs
Processes:
  pid | process
  5944 | FLMgrTray.exe (8 entries)
  860 | FLServer.exe (7 entries)
  5944 | FLMgrTray.exe (3 entries)
  2084 | FLMgrUpdate.exe (8 entries)
  5536 | FLMgrTray.exe (8 entries)
  5880 | explorer.exe
  5824 | 7zG.exe
  2372 |
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\Unconfirmed 85062.crdownload | upx
  C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe | upx
  C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe | upx
  C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe | upx
  behavioral1/memory/4344-534-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4996-537-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4996-538-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4344-552-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4344-586-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4344-590-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4344-851-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4344-874-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
  behavioral1/memory/4344-887-0x0000000000400000-0x00000000019D2000-memory.dmp | upx
Checks for any installed AV software in registry 1 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\Launcher | FLMgrTray.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Launcher | FLMgrTray.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80 | FLMgrTray.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AhnLab\V3IS80 | FLMgrTray.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\<drive letter>: (48 entries by msiexec.exe: every letter A through Z except C and D, each opened twice) | msiexec.exe
  Drive letters in the order observed: Z, O, Q, W, A, H, P, Y, H, E, O, U, I, T, W, F, J, R, V, Y, Z, V, N, E, K, L, P, F, G, J, Q, R, X, S, A, B, G, I, N, B, K, U, M, S, T, X, L, M
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | FLMgrTray.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
  pid | process
  5944 | FLMgrTray.exe (64 entries)
Drops file in Program Files directory 64 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230331102507.pma | setup.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\en.ttt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.chm | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\ko.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\id.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\7z.dll | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\7z.sfx | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\is.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\7-zip.dll | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\zh-cn.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\descript.ion | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\History.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\it.txt | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\zh-tw.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | msiexec.exe
  File opened for modification | C:\Program Files\7-Zip\7z.sfx | msiexec.exe
  File created | C:\Program Files\7-Zip\Lang\uk.txt | msiexec.exe
Drops file in Windows directory 8 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{23170F69-40C1-2702-2201-000001000000} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEA5B.tmp | msiexec.exe
  File created | C:\Windows\Installer\e58e6f9.msi | msiexec.exe
  File created | C:\Windows\Installer\e58e6d1.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e58e6d1.msi | msiexec.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  5648 | sc.exe
  5656 | sc.exe
  2828 | sc.exe
  3708 | sc.exe
  5948 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved) | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Kills process with taskkill 3 IoCs
Processes:
  pid | process
  5704 | taskkill.exe
  5688 | taskkill.exe
  5664 | taskkill.exe
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies data under HKEY_USERS 8 IoCs
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | FLServer.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | FLServer.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | FLServer.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | FLServer.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | FLServer.exe
Modifies registry class 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media | msiexec.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 6c003100000000007f56725310004b4f554441497e310000540009000400efbe7f5672537f5672532e0000008627020000000400000000000000000000000000000053051b016b006f007500640061006900790061006f0067007500610069007a007a007a007300000018000000 | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg | 口袋妖怪珍珠钻石_2_10025163.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000005456e2951100557365727300640009000400efbe874f77487f560f532e000000c70500000000010000000000000000003a0000000000e04c4e0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000007f563c5311004465736b746f7000680009000400efbe5456e2957f563c532e0000008ee101000000010000000000000000003e0000000000b56a20004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dwf\ = "FL.EXT.8" | 口袋妖怪珍珠钻石_2_10025163.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FL.EXT.8\shell\open | 口袋妖怪珍珠钻石_2_10025163.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | msiexec.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388" | msiexec.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000" | msiexec.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "3" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\ = "FL.EXT.8" | 口袋妖怪珍珠钻石_2_10025163.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0" | msiexec.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | msedge.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1" | msiexec.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000007f563453100041646d696e003c0009000400efbe5456e2957f5636532e00000084e1010000000100000000000000000000000000000082e51600410064006d0069006e00000014000000 | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000 | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FL.EXT.8\shell\open\command | 口袋妖怪珍珠钻石_2_10025163.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" | msiexec.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\ = "FL.EXT.8" | 口袋妖怪珍珠钻石_2_10025163.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000 | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000 | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf | 口袋妖怪珍珠钻石_2_10025163.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | explorer.exe
NTFS ADS 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 85062.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 66032.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 937892.crdownload:SmartScreen | msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  5880 | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  5056 | powershell.exe (2 entries)
  3328 | msedge.exe (2 entries)
  1376 | msedge.exe (2 entries)
  1180 | identity_helper.exe (2 entries)
  2552 | msedge.exe (2 entries)
  4344 | 口袋妖怪珍珠钻石_2_10025163.exe (2 entries)
  5316 | powershell.exe (3 entries)
  5944 | FLMgrTray.exe (49 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  5880 | explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
Processes:
  pid | process
  1376 | msedge.exe (29 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Processes: powershell.exe, taskkill.exe, AUDIODG.EXE, msiexec.exe, vssvc.exe
Process          PID    Token (hits in the order recorded)
powershell.exe   5056   SeDebugPrivilege
powershell.exe   5316   SeDebugPrivilege
taskkill.exe     5688   SeDebugPrivilege
taskkill.exe     5664   SeDebugPrivilege
taskkill.exe     5704   SeDebugPrivilege
AUDIODG.EXE      2136   33
AUDIODG.EXE      2136   SeIncBasePriorityPrivilege
msiexec.exe      3696   SeShutdownPrivilege
msiexec.exe      3696   SeIncreaseQuotaPrivilege
msiexec.exe      4500   SeSecurityPrivilege
msiexec.exe      3696   SeCreateTokenPrivilege
msiexec.exe      3696   SeAssignPrimaryTokenPrivilege
msiexec.exe      3696   SeLockMemoryPrivilege
msiexec.exe      3696   SeIncreaseQuotaPrivilege
msiexec.exe      3696   SeMachineAccountPrivilege
msiexec.exe      3696   SeTcbPrivilege
msiexec.exe      3696   SeSecurityPrivilege
msiexec.exe      3696   SeTakeOwnershipPrivilege
msiexec.exe      3696   SeLoadDriverPrivilege
msiexec.exe      3696   SeSystemProfilePrivilege
msiexec.exe      3696   SeSystemtimePrivilege
msiexec.exe      3696   SeProfSingleProcessPrivilege
msiexec.exe      3696   SeIncBasePriorityPrivilege
msiexec.exe      3696   SeCreatePagefilePrivilege
msiexec.exe      3696   SeCreatePermanentPrivilege
msiexec.exe      3696   SeBackupPrivilege
msiexec.exe      3696   SeRestorePrivilege
msiexec.exe      3696   SeShutdownPrivilege
msiexec.exe      3696   SeDebugPrivilege
msiexec.exe      3696   SeAuditPrivilege
msiexec.exe      3696   SeSystemEnvironmentPrivilege
msiexec.exe      3696   SeChangeNotifyPrivilege
msiexec.exe      3696   SeRemoteShutdownPrivilege
msiexec.exe      3696   SeUndockPrivilege
msiexec.exe      3696   SeSyncAgentPrivilege
msiexec.exe      3696   SeEnableDelegationPrivilege
msiexec.exe      3696   SeManageVolumePrivilege
msiexec.exe      3696   SeImpersonatePrivilege
msiexec.exe      3696   SeCreateGlobalPrivilege
vssvc.exe        2000   SeBackupPrivilege
vssvc.exe        2000   SeRestorePrivilege
vssvc.exe        2000   SeAuditPrivilege
msiexec.exe      4500   SeBackupPrivilege
msiexec.exe      4500   SeRestorePrivilege
msiexec.exe      4500   SeRestorePrivilege
msiexec.exe      4500   SeTakeOwnershipPrivilege and SeRestorePrivilege, alternating for the remaining hits and ending with SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
Processes: msedge.exe, 口袋妖怪珍珠钻石_2_10025163.exe, msiexec.exe, 7zG.exe
PID    Process (hits in the order recorded)
1376   msedge.exe (run of repeated hits)
4344   口袋妖怪珍珠钻石_2_10025163.exe
1376   msedge.exe (run of repeated hits)
3696   msiexec.exe (2 hits)
1376   msedge.exe (run of repeated hits)
3696   msiexec.exe
1376   msedge.exe (2 hits)
5824   7zG.exe
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
Processes: 口袋妖怪珍珠钻石_2_10025163.exe, explorer.exe, FLMgrTray.exe
PID    Process (hits in the order recorded)
4344   口袋妖怪珍珠钻石_2_10025163.exe
4996   口袋妖怪珍珠钻石_2_10025163.exe
5880   explorer.exe (2 hits)
5944   FLMgrTray.exe
5880   explorer.exe (4 hits)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes: msedge.exe
Source PID   Source process   Target PID   Target process (hits in the order recorded)
1376         msedge.exe       2812         msedge.exe (2 hits)
1376         msedge.exe       816          msedge.exe (run of repeated hits)
1376         msedge.exe       3328         msedge.exe (2 hits)
1376         msedge.exe       4560         msedge.exe (run of repeated hits)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree level shown in brackets; each entry lists the image path, the command line as recorded, and the signatures hit)

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://www.onlinedown.net/soft/10025163.htm
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://www.onlinedown.net/soft/10025163.htm
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb99e046f8,0x7ffb99e04708,0x7ffb99e04718

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6156 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7448 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70da55460,0x7ff70da55470,0x7ff70da55480

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7448 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7008 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3776 /prefetch:8

  [2] C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe
      Command line: "C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\SysWOW64\sc.exe
        Command line: sc stop SoftUpdateSrv
        - Launches sc.exe

    [3] C:\Windows\SysWOW64\sc.exe
        Command line: sc delete SoftUpdateSrv
        - Launches sc.exe

    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im winManager.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im FLMgrTray.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im FLMgrUpdate.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\sc.exe
        Command line: sc description SoftUpdateSrv "为软件提供基础更新服务"
        - Launches sc.exe

    [3] C:\Windows\SysWOW64\sc.exe
        Command line: sc CREATE SoftUpdateSrv type= own start= auto DisplayName= "Software Update Event Notification Service" binPath= "C:\Users\Admin\AppData\Local\winManager\FLServer.exe"
        - Launches sc.exe

    [3] C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\System32\explorer.exe" /select,"C:\Users\Admin\Desktop\koudaiyaoguaizzzs.rar"

    [3] C:\Users\Admin\AppData\Local\winManager\FLMgrTray.exe
        Command line: C:\Users\Admin\AppData\Local\winManager\FLMgrTray.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks for any installed AV software in registry
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\SysWOW64\sc.exe
        Command line: sc start SoftUpdateSrv
        - Launches sc.exe

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1

  [2] C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe
      Command line: "C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7612 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7880 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5996 /prefetch:2

  [2] C:\Windows\System32\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4392 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9736409991775195659,3143771411594633975,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  [2] C:\Program Files\7-Zip\7zG.exe
      Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\koudaiyaoguaizzzs\" -spe -an -ai#7zMap10744:92:7zEvent16039
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow

[1] C:\Users\Admin\AppData\Local\winManager\FLServer.exe
    Command line: C:\Users\Admin\AppData\Local\winManager\FLServer.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS

  [2] C:\Users\Admin\AppData\Local\winManager\FLMgrUpdate.exe
      Command line: "C:\Users\Admin\AppData\Local\winManager\FLMgrUpdate.exe"
      - Executes dropped EXE
      - Loads dropped DLL

  [2] C:\Users\Admin\AppData\Local\winManager\FLMgrTray.exe
      Command line: "C:\Users\Admin\AppData\Local\winManager\FLMgrTray.exe"
      - Executes dropped EXE
      - Loads dropped DLL

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x338 0x474
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Registers COM server for autorun
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Config.Msi\e58e6d2.rbs
Filesize: 22KB
MD5: 67ec226d632d009beb74680df224f308
SHA1: 8af66a692199f99990b2b58f526ef240fa287b76
SHA256: 1aa8bd0cade2b7949e95e6bedb4d2f288369e72bd93116fb299f15cf2458ffcb
SHA512: d4ce97c786e1e32583ce463cac3e10e99f06189509271dd1c646edfa26ecc3dac3ab16382b317855da2488ba8c01b59c5c57340a320b73018757ea0859639eb4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: aaeb1f5e097ab38083674077b84b8ed6
SHA1: 7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2
SHA256: 1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef
SHA512: 130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\17b53cb0-0882-487f-b865-560391e90af5.tmp
Filesize: 7KB
MD5: 7e3bd3b987222c3fbe31a615230e3a56
SHA1: 093b3ede5c70e9a57bf542a9762c709de4579011
SHA256: 424690bed85c51f09774cfe636f7c4372797e23f259b8786677eb4c711226c1d
SHA512: a733d937586b890d04a67b79cc1f9bb2b9bc5ee59f044ea6dee4da6ccecd0cbf7095f53fef36bededc7b87ad02fa393d4333af287b3fb4597b9be294de3314cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9a5cc51b-8f98-414f-8daf-11c3cd336cb2.tmp
Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: f6857f94ed981407427673c2b5796e98
SHA1: 251d37a6c6d639f85210d1727090c7364cc6b1a8
SHA256: 86d475e2587d6cd6cccd5874f3273a3c759ddedc90452d76f47d7d98b8c319af
SHA512: 8a506c04fb74d0a8d39c3ee0b4b2e25ed688f35d89b1bccd17d6c7473be25f0ce78b205a32bad6c05463419db9e0b3d7886f376ac5617b45c9c83c39cc644b26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5: f4ea422ed130849c194ff215807cfc4a
SHA1: 8e638a4d47c2d11eedf641103426970600792167
SHA256: 896b01029a6d8a015cfeebbe13bf124a7797a247496196f33e974669ba3a12a0
SHA512: e2e8c22154a3b01f04f548348c9ba2a48af19e991a9633680361b3a8b38d045840715f4ba34ab4e7532bafa3c0691e8b06007a07436216a78ba4ea8aaa1cbbb2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 576B
MD5: 52ece5bd49a5007deb0e53de850eb734
SHA1: 2aac92d4990e15ba4b8baf533a5ed08b3d98dfcf
SHA256: 016fe2ca535f717f7b00039e78273f4f084ff79d917d50605aa3691695e551c9
SHA512: 68a37852a0badac21f278a78df82085867c07d3b30fa97f21c8d4a3a5497982c7b04c74b316fddfac1a15f01597c5194b0da7dbf8135bfe48103f179f5b95ca2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize: 2KB
MD5: 1a90febd76215fffbcdb4095403bcbf8
SHA1: 9030f71d7a54a9bb1495e63cc7b78f42ef478492
SHA256: 8181a81c7df22b440f0ff96e04be4999935e7db584d3552bf400e96a67a0cecc
SHA512: 1ddda7756c59f32f7e8e547dde2de9c6102d9d50cf2aa73b127038a461497f6e311ffb9e5aeb4b57e282a6f0ee151bab87fbc6d16b680b6c6ded8448c8451fb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: d9d4bf8a9d9d911ddc4018cf6fa5b0eb
SHA1: 9821ecd2face373e3dd75986fe18a3be90e26cf7
SHA256: f5488b932b11f1570bd998a45a2a29c19e14f6c1d008dd16e3626edc22f5985e
SHA512: d6c2c875997fac770e89724584d95c11a4a6487a4edf50ac4abc02bb95e8d64495a7315ac4938949fcb5114b634df748b1752b9f9e91ba0a09db0657495e4537
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: 65c86dfbe3318a321adadf66dfc4849c
SHA1: 74e33755e9f0adf694036df99ad2ea5714be89f7
SHA256: abbaa4af0405479d9242ebaae32ecc12a740f21ad328c2151bfcd6f287a8f14a
SHA512: 0d7a27bde88e86263b948b7da775fe3726ef30674fa6c0a9dd1dcc2ed2886c7bcba32f3284a01500cb0b44607f78c661eaa737396202e85ebfc1f0ad516824e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: 0181a84c8c03a8675180b9475406660e
SHA1: 04a42fee6931aae9adbaba9da93652d299c0f3b8
SHA256: 0830c4637d2d61eab1b5e6cfdd7b35dd5cbc34c899f53101c9e4f0844a06dda4
SHA512: 2fa7f7b14f8e00fc2c8ffa3a477dc670084f6818d50a65ed123725a038d8d0ba20209f58ca90b340b15a22a27cc9d8224eaf0d1dcecce27a7fd64721dce037e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 63bc8b544526ea9272736ca30c436305
SHA1: 7160f5f006a244c5316f24fc144942750a9c81fa
SHA256: dee078466fdc9273286694e5cdfc51ce428f1d1aa9e51ed6294ddd34ac48ac0e
SHA512: f617b1798ac30cc064238eefdaa239582ae734b04e3bdd56d207fb59433b23978a7133f3fa23034e8fc38e7900dafbfb68d1a74855ae7ed4bda48afbebe7652f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: d8895e628ff32b3e1ee7b7e2e2751df2
SHA1: 96a88f8b0f6e3c06c1d119d7af70a31f6a90aba6
SHA256: 096ae1544b5af7470e84ef6d06e734bac841d443800f45bf57fa14a0c953fcca
SHA512: e4a0fd09dfcaf2b64d5f5a81f44690f4e587ddc267ca87be4b4bc23956610b749fb8108626f2c4e8c350295a968ac73e6acbbe2b969c27c713423f549ab1f4b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 4KB
MD5: 529d564c6d2104e409c937ee5a566120
SHA1: 2a329851da94f757b9b01fad87b902b360f3ee00
SHA256: 609654721b7a5ea2b35d9e23a42d9c7b00e9fbd1b61b4398046d8d56728c96fb
SHA512: 5d4fd6e96c4968fbf97db75a0602e39675c184e9648635213f08314ad887b648fd9f2f2aad24bb4eaae395d4ae975fa9105295c8ea412e16a80583e1f84d6d5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: f4b97f33cb06e44685df10101c873684
SHA1: a505ff4443b0e715bcf64ccecdb168b50ef8a64a
SHA256: 2b45cc02f727812c4c750827446e7bf38cb41307a26bdda88456d9c9dce8c483
SHA512: 30477cec3c6f0170fe130a458047775a3e0654e262e49f1e34e3a761a0df9c52eccec1277f50da8474d46e8bcf602eaea6031e6e8f784e4dc8c43cc717d37aa0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 53f7a0b3a427d35494bf0924dbac3218
SHA1: cfc85997d3980cdf4e88e4747060c13ed27f7e40
SHA256: bb1627e2d19725b0fb225713d7189e8d91e03502d57e421e98f55836cda540c7
SHA512: 4b9eedfadce1ecba07775230488939e6cba0a39bcd7de44503ad8824cf2632e8b03bb77fa9908a35d5da8d2c9d52b72ed8835d49ce54dcce95ee5f5af8bdd68c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize: 24KB
MD5: 47e94a96372e6f095b8a3fd7edc48ec0
SHA1: 377b68f34e5964ca8be1b1b0c1507dd7f0e5f005
SHA256: 15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e
SHA512: 5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 240fef9540a4c1c2ae9f7047215fb779
SHA1: 1c2392e56792f2780f9ad49500fcb77c53d3ed60
SHA256: 68eda2c980fdb04a585f5ce170b7c04ae9f6b56c60eaacfe2886f07e156993ea
SHA512: 9beeb4864b193c922817b2e8fee552e5ac6138a0dfe28a7b6260291d6827de19724dd91ac6b6838288a04be10fdfc1bc3c11a5059b87f263169c901d24f2bd59
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582b12.TMP
Filesize: 538B
MD5: b78e331ae76ff8949f8e1a2638ada63b
SHA1: 756a9b86a063192a78ac7f3c924ab72eb799c52c
SHA256: ab46f4b37a49afe91b745db427cc2011924ba77677569631f610ac7e21ace9f0
SHA512: 47d6fe97d2e4d7158f691a01db3fdf58e6795daca3831d48dfc4083f85a52029f91a9cfc4d4e1c77049d9cf3c2195fde8f8e3604f6c123c968d306195d3e594f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 13ed3de92cf398d0b6b25479bb259a72
SHA1: 7a0930b5086cc4a726a77fde24198bbb673949fd
SHA256: 8fa17181205948446bb2ddcc04330c220b1a22a3cc16b11b22a362ef213282cd
SHA512: a2f9582524291eb656c0186de23f853bd00f72f2dd8dddeb922264753776bb77261f50665b1994a64114e685bb6dc2581bf28f645bf302f5f3709f13b9652b7e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 13KB
MD5: daef0088c8533d12c7440e52fdf5a990
SHA1: 77653e4acf3f339b0793b496e2ed2002ef4bea7c
SHA256: 9771c47079c559961faa9332edacb0e8319e572b6f30713b5cbcd34432926e80
SHA512: 76d93c7df81942d3c018476a1220b813f83ab168521bc9e7186e23f85aa9f2634dba7675dc07a770acd80700161ad517b6320a411ea3b10e220797d7464853ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 13KB
MD5: c9495d05b23c7542c8a47643ff0687d0
SHA1: 62e689f06f746e8f6ec1e78a19337ce8b7c47d5c
SHA256: e8c73baba5f5c2feb31f8104acb79fa47d690f8ef09299fd5273ace59add16b8
SHA512: 361006e4ff2e67f5a6c4b80a6391c656ea3ed6436c7016d2a9c62f91c7bd6135b7a41a094233b6ad2ce6abad086d442766d3c01e69f2e17e854195d4930d8698
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 9d747b09e31516ce34f6bb29d384fd3b
SHA1: 6fc25e13ee0e9e2efbc447199c1ab58e36c3c375
SHA256: 6f7cf051b77d7ae9feda60741e8e35f446d39e8562cf1e67b446806e106dfc02
SHA512: 4e9a503c17a642ddd8e1a802b0a0a0f5e0a772fc5d461c1a0f5781a5cb205a2476dd4f716d841e45b238c06dbfce52792fdfdaaf2177e9b33962fe114a8ffb53
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 13KB
MD5: d3d111e76335d2e86a01daac1370ff03
SHA1: dfe4a3c7fee925ef3a3dc9e1480cca69180bf1ba
SHA256: 677a773f3a509ca998ce0847829c92859a0513fb746f8f4da4f6776868ff6be9
SHA512: eef69e4f415c3dd927efa4d357ac98c0518b15451fd7fa05e8c4bf1a1e55ae5792e7ffccbc324c72f32cced404c53d05b1a7dab264ce04242f719f6df50875bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 9KB
MD5: 9367809b863511fd4cc0d6c842ea83c8
SHA1: 2be1dffaabbb6d65ed26deef141742b734631b93
SHA256: acb30c4b2480876170cbcdb4cd8ade4c4ef623aeefb9d181faf0468335214317
SHA512: 0be1b9d49bbb0e2fc021f0c0711fc51d135083f31e3a303c2646cdb51e11e05861ab313353eae1161d238b46992f0755a63a8d3bf02c7e625cd719f6c5b5b1e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 13KB
MD5: da1bb33ddd0f96ee66a86b8d214c1c35
SHA1: 752e83671d24860bfb44b2ebbcd9ac69bef63955
SHA256: 5456d640cc0c3423e9b796e6d4d4497f90583ec437802ac8788972863da548c4
SHA512: 07cb17b1eda86e6d7bdbbe27fe0f8ffeea6b772cc4b50cced2af3b8273b7561ca65a11f300f3b35fce9bc5d5eb65d60c6466313a44a79d96cdf8c017dc4bd755
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\da8e9530-2307-4fbd-bf86-ec62df7bf0f6.tmp
Filesize: 11KB
MD5: 63127f0cfc22279b6c3226d8da8d50d3
SHA1: cccb4cee3c7e79ee8aadb3d92cafac72ddc801d1
SHA256: c42ef7afc327c6f364b5aa4778497d2ce3ad2c19a4e1a8a1791de84ca56dec8c
SHA512: ca2e25f3233644804562159478360c1196b17a6c3f9a6abf17cdaf16496df0c29560f8f724bc9e1708fc721cf967f4e8ea59d353c673dbecd8ffe5f496db2839
-
C:\Users\Admin\AppData\Local\Temp\KitTipConf.ini
Filesize: 8KB
MD5: 900909cc0253fbaced2815931edb0741
SHA1: 3c2b3f95b6bf101242a8c57ec37302db1caf14b0
SHA256: ae131430d6adc37e7431dcfb7c211aedf4d4ce491e51e98cdd9b800dc3239027
SHA512: 73462b262fc831201e8ff9986bb97cc887c166866b232d667f01af8eb47ba01ee936120043d6b1e9729e2fb224b17bc642a974852edf0e7025beb06fc1e80abc
-
C:\Users\Admin\AppData\Local\Temp\KitTip\KitTip.dll
Filesize: 800KB
MD5: 5ed59ac24c1047a8b533c6c06ecbc40f
SHA1: 59819a80324e0f0f10ef43b5a43d5b102ec81f0d
SHA256: dcef7e57ac84f852e37c7411f0726172b02e3286e1a4ab4246506e3a488ea310
SHA512: c16559a140efdf0feadb49ba720b83d644240314e6329fb93352b3192ca3340bd00da78308c18ed476273333b4b2bbcabefe43578fb23159bf6cc0223d809808
-
C:\Users\Admin\AppData\Local\Temp\KitTip\KitTip.dll.old0
Filesize: 800KB
MD5: 5ed59ac24c1047a8b533c6c06ecbc40f
SHA1: 59819a80324e0f0f10ef43b5a43d5b102ec81f0d
SHA256: dcef7e57ac84f852e37c7411f0726172b02e3286e1a4ab4246506e3a488ea310
SHA512: c16559a140efdf0feadb49ba720b83d644240314e6329fb93352b3192ca3340bd00da78308c18ed476273333b4b2bbcabefe43578fb23159bf6cc0223d809808
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uz1xplep.ssn.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\vOzPcIyJrCrNgIjW\bkg.png
Filesize: 6KB
MD5: 2d9719dad96e7e02aaae1f59602bc173
SHA1: 14c3aa14740bf2e3b8a2c78ea2b91f086deb06d0
SHA256: 3f358e7314f8b250a77272795a833989ad9b90fb67a5dd9c9f903ac8d8749712
SHA512: f633d017a86f95b8ef55464a503323c0347d2647334e8c15942b323fd19e433dc59715b571f0d24fc10651c22d47dbda423e62456c1fda7f5e4590414402a2a1
-
C:\Users\Admin\AppData\Local\Temp\vOzPcIyJrCrNgIjW\cls.png
Filesize: 14KB
MD5: f1d09991a75ed3cca2f972e1fe376dd8
SHA1: e7947011d22cfd72cbb515b5ef6b5ce1a7590e23
SHA256: defe6fde7c039bbc2eeeb406d5968b32dd75935596b38d76e24d764cea0b19ad
SHA512: 3c9dce12a0a0b2a85f51d6a4d80595c62563af86d75da336cd7c8572869d9bd413dafe7862ab68aec9fb0580549431e3bb4928c41f35f568a29bf622620c3de5
-
C:\Users\Admin\AppData\Local\Temp\vOzPcIyJrCrNgIjW\conf.ini
Filesize: 239B
MD5: 6598c986f7fcccb8d35e23b052a49aed
SHA1: 9042c45ce9f030f807f91a3890fe16dd43899f8d
SHA256: fd15b65076e84eaba30337d8000dc5bad61e1298dc055f5f8787ffa4532943d7
SHA512: daa2f11f06784204684a961580f7287802e532660f86c9f3f95c3ce18f0535978a3c4ef7538d74322b40bcb10badbe2cb0997147b6218964bb385c89566d716d
-
C:\Users\Admin\AppData\Local\Temp\vOzPcIyJrCrNgIjW\drop.png
Filesize: 14KB
MD5: 7835d87b8bac8a5622daef1e9864d8d2
SHA1: 81ff21b2308cbec5efcd3ee1203921467c4400e6
SHA256: 08612bbd2a4cde17007afde7371bbc83a739c0418b4d54da7dab0bd01035f6fd
SHA512: 34f52b9eebcd4cfe4c04b18c2fdfd46a988d79986bb499a96e178c89d8f0dd5f5a2ce259d07c3cb5110deb0a9370914862ebb2109c4518bff6a19bcba6cf3109
-
C:\Users\Admin\AppData\Local\Temp\vOzPcIyJrCrNgIjW\ok.png
Filesize: 2KB
MD5: 94626af9263d0105a2e01e5f4c87d9be
SHA1: 9c8fbb512335a946214ee4c68dbfe693c84d7680
SHA256: 38b10d36ce8b9ceb72e3843ffbc8f0c87f5bce1e7e4ff074484d2900e8572021
SHA512: 1aa455c96ff72b20a7f85e0a2ac8aeecd84310866cd0af7f0785d2f4ee0f73a64c1a1299dd2581fab632fa4c5defac33de223251a8ba1b63d28490ae0553d44b
-
C:\Users\Admin\AppData\Local\Temp\xUeNfAcVrQcChDzM\InternetKitTip.dll
Filesize: 877KB
MD5: 002cf8598f6ac83fc8d40181fee0bb3e
SHA1: baa085a05d45eb33d1bbe6450663b9af1eb91e5b
SHA256: 14fb96fe69c59f62125b3a768f592a828c73354a50f6d84b61589fe14fd0c5d5
SHA512: b1a5c455b6975bb01c8252f884dfaf83d7de1153a3915bd97429015736fbf38bde9c812104bbbe2c3e02943e3aef993e8a02e3b6e444b918af742307f250435d
-
C:\Users\Admin\AppData\Local\winManager\DuiLib.dll
Filesize: 781KB
MD5: 5423e2bdd74d9288a76ce7d0e3843219
SHA1: 6887444e0c29233832118a8ef3405fa1ae64fabf
SHA256: 3153144989be26bbb68a0b67c2bddb9472363d98c523b8cd44f547cfa1688bcc
SHA512: c727ddeb579c0f8c3c5888a59c39ed949bf1192a783af83ecf99c9b11323c8d6f212578f57016e9e344ce2e73ceca94a042234788ceb8a1fc8bf697853386608
-
C:\Users\Admin\AppData\Local\winManager\FLMgrTray.exe
Filesize: 285KB
MD5: bc57bd93a994843da6eade358e7891d2
SHA1: 6c1a52c6b669e2f769d709a6e49bbb0b79cdee14
SHA256: 6fea29e82f244af7a4e14819b1ce9e29772a1618ad23fd769a73b2640b7aa82b
SHA512: 986141cdb315caf1819da3d777ff69b0a3e73ef7f3877b01f1554c568c386a1e3b9ac01d823994499be413191ec56990159b8340019ed8a3335a5ce9c1c40ff0
-
C:\Users\Admin\AppData\Local\winManager\FLServer.exe
Filesize: 196KB
MD5: ee3821d1bd158b3b5ad0551845164d91
SHA1: 4b26847b45271abeede8f16ed32c2557b78368af
SHA256: 24b6e13334101a06202ade601095efb7a6d48b13c5fbe813ce04f8999754f607
SHA512: 5cc9d464f5ee03c47364944ee6deb2c449a2b34d6a39cddd843d74dc63a151835fdf1f363d762f461134f8f7ab739cefd86b37f2838dc323716b226bb5e74fe2
-
C:\Users\Admin\AppData\Local\winManager\MSVCP140.dll
Filesize: 438KB
MD5: 1fb93933fd087215a3c7b0800e6bb703
SHA1: a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb
SHA256: 2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01
SHA512: 79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e
-
C:\Users\Admin\AppData\Local\winManager\VCRUNTIME140.dll
Filesize: 78KB
MD5: 1b171f9a428c44acf85f89989007c328
SHA1: 6f25a874d6cbf8158cb7c491dcedaa81ceaebbae
SHA256: 9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c
SHA512: 99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1
-
C:\Users\Admin\AppData\Local\winManager\jsoncpp.dll
Filesize: 188KB
MD5: 040923a27101263f400e2fc3d034f464
SHA1: 6b10d630dbecf949ae8ad0458b9ae4a1bd429b1e
SHA256: d4d0236c1322071b0260505585d84ef3508cdd2311795beb32d4f40414a68b6e
SHA512: b01e9ce06e7d47d69fb8cedfa681d7e697204109cb994c1e6f806f482ae566569fcb4413fc64c904035e661242378bd5e843581fd27bb08c5141a9182892900f
-
C:\Users\Admin\AppData\Local\winManager\libcrypto-1_1.dll
Filesize: 2.2MB
MD5: 7d69bab5e94676a0128f49347d27ee5b
SHA1: ac13a33e9e2cd77ad8bfef46997555e3882ea4d3
SHA256: b5fe9499748ab5ba0c5af7ca6f29ab8b2e8dc736eb885078b5f3ff52d1ecee1c
SHA512: 20fbfe7a1fdd9115010e501c7582cb178b343f482ad77f12f4025b9c1ad093e2378ce38a107dcef69d0d892d4507ac882b0aff9ee542acadb1d67e9f36403c11
-
C:\Users\Admin\AppData\Local\winManager\libcurl.dll
Filesize: 433KB
MD5: 6d28acd594575fb10145e68b0173b58c
SHA1: 598cea15b6cd4eca4222a2ad05420e551e1c6055
SHA256: 03a7df20f0de8b2151298bf7e8499eadd440955cd80cd580f83284b3a5fe8efc
SHA512: 3083bbb92066ce6c7a11b4c40c73c61c241ccd75adc0854beb822e96665449b8c14a7fb99bfb481ba84a7eebd8d2156658c610f549f2712c2aa149954ab51ee3
-
C:\Users\Admin\AppData\Local\winManager\libssl-1_1.dll
Filesize: 537KB
MD5: 25fe0543cb1872082565928295d7ca75
SHA1: 868d731c0a05142d72f6f4334639a8879a1edf46
SHA256: 9c0d35dae2e3532223058636611b9bd02e8cca06842d0d3fc469f4a3ab353917
SHA512: 0d6d92bd0c6014374fac91c6bd8694a40f0ec942ed0604e76761bbceeb627acd27f8440205acc9b8078f35b26b6c426362d5bdca4f9380059d101d9d419e52c8
-
C:\Users\Admin\AppData\Local\winManager\msvcp140.dll
Filesize: 438KB
MD5: 1fb93933fd087215a3c7b0800e6bb703
SHA1: a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb
SHA256: 2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01
SHA512: 79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e
-
C:\Users\Admin\AppData\Local\winManager\vcruntime140.dll
Filesize: 78KB
MD5: 1b171f9a428c44acf85f89989007c328
SHA1: 6f25a874d6cbf8158cb7c491dcedaa81ceaebbae
SHA256: 9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c
SHA512: 99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1
-
C:\Users\Admin\AppData\Local\winManager\winManager.exe
Filesize: 862KB
MD5: 4f8380e1e63697102818100a51ce5c36
SHA1: 22d6b86c2caef6a8f4d865bc4744ed8fa15cce33
SHA256: 10023c1bd2d828223ca6899cc2d6e796a28da0e280efc4069c66700fa224526d
SHA512: 489e58efcd2fb2c039bb9a1d5ff326c63505dfa7e2d4ba0b4c9b9eff8f03e4fad4330a77a76977c728fdb06b41aeb27683875a735a079b989c44fdae843b6631
-
C:\Users\Admin\AppData\Local\winManager\zlib1.dll
Filesize: 83KB
MD5: 8502fc9f36aa3d54dee5a9b11398ca4b
SHA1: eb723c9bb8554ff73c2b411746cf3913902e3c5c
SHA256: 021a6c89040fb2644c59a55837d0967df8fc9a880e29d9d409fbbdaa017ea5d8
SHA512: 6ccebbfc75c74182dfee79d81b4dd64e54954a9b9b1f13ff8841f01d0e02911edc71233edd01ab8f99e28e4219f84f11b3493e651bf273ad49fcb3863932aced
-
C:\Users\Admin\AppData\Roaming\CoreLog\urlproc.dll
Filesize: 707KB
MD5: c2eae44c9c891f8882ac529218a3381b
SHA1: d68a35ba3467a99bacc721fa7d2c627d56285db3
SHA256: 46be63404064f5be981b723ae541bbaef577c8b709a95a05cd964d9e600c02f4
SHA512: d71cee7f5af8ff025890231a7dea59cd3b3be61d792ec57553c84f31041cc2cc426eedf5cfc4c083cb8529ab1b68ea5a20dc4cdba69df36ff8137e75dc7d15a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 5KB
MD5: f4b90c454b1a44e35579d5f181dcea2f
SHA1: 7066ed3f32233d85f10cbf641722cb09ed342042
SHA256: 72d280a8776e0c920997607b6e0b452050bb59ce7df1134a732c19dc3592a705
SHA512: c8fbab78313413390d55ea1c7dd49ef95d0a947c32a4e4a381312ef0d52b0654fc202ad635b9cf79cc819a895a89e77dabc6c8baf1a0823db814e2f41bd5bf45
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: ef66d3390c068446e927a422fb9b28dc
SHA1: 647a2e9576043b01e91c8ce441a528893c5e8913
SHA256: 9f518f6cc319e4168fadf8100d720b1e652e209aec97daab31abf3dcf3b429b6
SHA512: 81f2e36c3028a412271d00de84ab1851f600b4169370787412a2adf633fd87c92a3c83b13fa1272dfa0cde63caa6d898e05beab3ade8dc19441efbbe5779d661
-
C:\Users\Admin\Desktop\WindSoul软件管家.lnk
Filesize: 1KB
MD5: eacc28a3a666476fe5aa548f618e43a2
SHA1: 73eb0c92d2e2092dbb7ce35b86b685fbcb70933f
SHA256: 3d32ab03958b83af38367fe509d39ff7195466ca0794c8b6e57c5c01952820cf
SHA512: 2afb856040da476603cdf142840b81d349919eb09a2c67f0f89bed458a83de2afe8196598b0a2e080a432cb7d3c7eb90c7226593ba6f8bedce09fb6029782f73
-
C:\Users\Admin\Downloads\Unconfirmed 66032.crdownload
Filesize: 1.8MB
MD5: 50515f156ae516461e28dd453230d448
SHA1: 3209574e09ec235b2613570e6d7d8d5058a64971
SHA256: f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca
SHA512: 14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5
-
C:\Users\Admin\Downloads\Unconfirmed 85062.crdownload
Filesize: 18.7MB
MD5: 5a6ebb0e2ff27e4592fcae4ffc4e4890
SHA1: c4f7eb70ad3a29879c4aafc48112cc31ea94189f
SHA256: 68905108a1f1cfc543ec1ed321089bc7556adc057b7d7df042fda68d2464d5bf
SHA512: c058d61f8b857148abcd60c805aff51b660ab0d8b5587c7f7c1126c6a1ce8057a7bf91d9c1ec7e67b11d2aaa37382d70605a9ddc463b63d58ca90650c8b792fd
-
C:\Users\Admin\Downloads\Unconfirmed 937892.crdownload
Filesize: 1.5MB
MD5: a6a0f7c173094f8dafef996157751ecf
SHA1: c0dcae7c4c80be25661d22400466b4ea074fc580
SHA256: b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4
SHA512: 965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94
-
C:\Users\Admin\Downloads\口袋妖怪珍珠钻石_2_10025163.exe
Filesize: 18.7MB
MD5: 5a6ebb0e2ff27e4592fcae4ffc4e4890
SHA1: c4f7eb70ad3a29879c4aafc48112cc31ea94189f
SHA256: 68905108a1f1cfc543ec1ed321089bc7556adc057b7d7df042fda68d2464d5bf
SHA512: c058d61f8b857148abcd60c805aff51b660ab0d8b5587c7f7c1126c6a1ce8057a7bf91d9c1ec7e67b11d2aaa37382d70605a9ddc463b63d58ca90650c8b792fd
-
\??\pipe\LOCAL\crashpad_1376_ZSYOXCREMDZJNPFVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1792-1395-0x000001C330B00000-0x000001C3315C1000-memory.dmpFilesize
10.8MB
-
memory/1792-1390-0x000001C34B0A0000-0x000001C34B0B0000-memory.dmpFilesize
64KB
-
memory/1792-1391-0x000001C34B0A0000-0x000001C34B0B0000-memory.dmpFilesize
64KB
-
memory/1792-1393-0x000001C34B0A0000-0x000001C34B0B0000-memory.dmpFilesize
64KB
-
memory/4344-590-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4344-887-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4344-586-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4344-851-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4344-874-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4344-534-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4344-552-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4500-1243-0x0000015F31BD0000-0x0000015F32691000-memory.dmpFilesize
10.8MB
-
memory/4996-538-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/4996-537-0x0000000000400000-0x00000000019D2000-memory.dmpFilesize
21.8MB
-
memory/5056-145-0x0000025930F30000-0x0000025930F40000-memory.dmpFilesize
64KB
-
memory/5056-143-0x0000025930F30000-0x0000025930F40000-memory.dmpFilesize
64KB
-
memory/5056-144-0x0000025930F30000-0x0000025930F40000-memory.dmpFilesize
64KB
-
memory/5056-133-0x0000025918A70000-0x0000025918A92000-memory.dmpFilesize
136KB
-
memory/5316-583-0x000001F7A1C70000-0x000001F7A1C80000-memory.dmpFilesize
64KB
-
memory/5316-785-0x000001F7A1C70000-0x000001F7A1C80000-memory.dmpFilesize
64KB
-
memory/5316-1458-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-584-0x000001F7A2190000-0x000001F7A21D4000-memory.dmpFilesize
272KB
-
memory/5316-1452-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-585-0x000001F7A2260000-0x000001F7A22D6000-memory.dmpFilesize
472KB
-
memory/5316-1446-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-1232-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-854-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-587-0x000001F7A1C70000-0x000001F7A1C80000-memory.dmpFilesize
64KB
-
memory/5316-974-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-893-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-1182-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-747-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-784-0x000001F7A1C70000-0x000001F7A1C80000-memory.dmpFilesize
64KB
-
memory/5316-1413-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-1392-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-801-0x000001F7A1C70000-0x000001F7A1C80000-memory.dmpFilesize
64KB
-
memory/5316-582-0x000001F7A1C70000-0x000001F7A1C80000-memory.dmpFilesize
64KB
-
memory/5316-1396-0x000001F7A21E0000-0x000001F7A21FE000-memory.dmpFilesize
120KB
-
memory/5316-1399-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-1403-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5316-1407-0x000001F7878A0000-0x000001F788361000-memory.dmpFilesize
10.8MB
-
memory/5944-1207-0x0000000072270000-0x000000007233E000-memory.dmpFilesize
824KB
-
memory/5944-1203-0x0000000072270000-0x000000007233E000-memory.dmpFilesize
824KB
-
memory/5944-1225-0x0000000010000000-0x0000000010278000-memory.dmpFilesize
2.5MB
-
memory/5944-1041-0x0000000072270000-0x000000007233E000-memory.dmpFilesize
824KB
-
memory/5944-1130-0x0000000072270000-0x000000007233E000-memory.dmpFilesize
824KB
-
memory/5944-1181-0x00000000042A0000-0x00000000042A1000-memory.dmpFilesize
4KB