Malware Analysis Report

2025-03-15 06:25

Sample ID 240126-w8yw7acaa2
Target start.bat
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
Tags
hacked njrat evasion trojan remcos host bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf

Threat Level: Known bad

The file start.bat was found to be: Known bad.

Malicious Activity Summary

hacked njrat evasion trojan remcos host bootkit persistence rat

Modifies WinLogon for persistence

njRAT/Bladabindi

Remcos

Njrat family

UAC bypass

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Adds policy Run key to start application

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Modifies WinLogon

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Runs ping.exe

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 18:36

Signatures

Njrat family

njrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 18:36

Reported

2024-01-26 18:39

Platform

win7-20231215-en

Max time kernel

151s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\start.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\start.exe

"C:\Users\Admin\AppData\Local\Temp\start.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dead-reviewer.gl.at.ply.gg | udp
US | 147.185.221.17:60161 | dead-reviewer.gl.at.ply.gg | tcp

Files

memory/2216-0-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2216-2-0x0000000000670000-0x00000000006B0000-memory.dmp

memory/2216-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe

MD5 937286297fbc003e6a69fdc0f02ce8b0
SHA1 2ebd595bbb357264649f17f8b066941f05befefb
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
SHA512 9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4

memory/2216-14-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2692-15-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2692-16-0x00000000002C0000-0x0000000000300000-memory.dmp

memory/2692-17-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 5014379cf5fa31db8a73d68d6353a145
SHA1 2a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8
SHA512 5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

memory/2692-55-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2692-57-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2692-56-0x00000000002C0000-0x0000000000300000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 18:36

Reported

2024-01-26 18:42

Platform

win10v2004-20231215-en

Max time kernel

278s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\start.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A

Remcos

rat remcos

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

njRAT/Bladabindi

trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Dlscord = "\"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Dlscord = "\"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Windows\\SysWOW64\\jdk683623\\jeava.exe\"" | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\SysWOW64\jdk683623\jeava.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\jdk683623\jeava.exe | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
File opened for modification | C:\Windows\SysWOW64\jdk683623\jeava.exe | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
File opened for modification | C:\Windows\SysWOW64\jdk683623 | C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe | N/A
File created | C:\Windows\SysWOW64\jdk683623\jeava.exe | C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe | N/A
File opened for modification | C:\Windows\System32\devmgmt.msc | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3672 set thread context of 2372 | N/A | C:\Windows\SysWOW64\jdk683623\jeava.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 set thread context of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\INF\c_fscontentscreener.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsactivitymonitor.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_netdriver.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_barcodescanner.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fshsm.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\rdcameradriver.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_receiptprinter.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fssecurityenhancer.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_magneticstripereader.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\oposdrv.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\digitalmediadevice.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\ts_generic.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsvirtualization.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_media.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_linedisplay.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_extension.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_diskdrive.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_display.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsphysicalquotamgmt.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_holographic.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_computeaccelerator.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\dc1-controller.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_smrdisk.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_scmdisk.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_apo.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\xusb22.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsinfrastructure.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_ucm.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_processor.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_swcomponent.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscontinuousbackup.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscopyprotection.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscfsmetadataserver.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_mcx.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\PerceptionSimulationSixDof.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_volume.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\wsdprint.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fssystemrecovery.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fssystem.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_cashdrawer.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\miradisp.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsreplication.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_smrvolume.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\rawsilo.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsopenfilebackup.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_camera.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscompression.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\remoteposdrv.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_sslaccel.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_scmvolume.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_proximity.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsundelete.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_monitor.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsquotamgmt.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsencryption.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsantivirus.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_firmware.PNF | C:\Windows\system32\mmc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\mmc.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\start.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1360 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\start.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1360 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\start.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2212 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe
PID 2212 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe
PID 2212 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe
PID 4108 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4944 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4944 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3496 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3496 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3496 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3496 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\jdk683623\jeava.exe
PID 3496 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\jdk683623\jeava.exe
PID 3496 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\jdk683623\jeava.exe
PID 3672 wrote to memory of 2696 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2696 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2696 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3672 wrote to memory of 2372 N/A C:\Windows\SysWOW64\jdk683623\jeava.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe
PID 2212 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe
PID 2212 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe
PID 5096 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5096 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4592 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4592 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4592 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2212 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2212 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2336 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2336 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2336 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2336 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2336 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe
PID 2336 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\start.exe

"C:\Users\Admin\AppData\Local\Temp\start.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Windows\SysWOW64\jdk683623\jeava.exe

"C:\Windows\SysWOW64\jdk683623\jeava.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Windows\SysWOW64\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"

C:\Windows\system32\mmc.exe

"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa22e146f8,0x7ffa22e14708,0x7ffa22e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa22e146f8,0x7ffa22e14708,0x7ffa22e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa22e146f8,0x7ffa22e14708,0x7ffa22e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x30c 0x504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa22e146f8,0x7ffa22e14708,0x7ffa22e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+download+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa22e146f8,0x7ffa22e14708,0x7ffa22e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17815417684168725933,16706437862315339543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
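Most of the process list above is Chromium helper children (`--type=renderer`, `--type=gpu-process`, `--type=crashpad-handler`, `--type=utility`) spawned by Edge itself; the lines that reflect the sample's own actions are the four `msedge.exe ... --single-argument http://google.co.ck/search?q=...` launches (this switch is how the shell hands a URL to the default browser, so these came from outside the browser) and the `notepad.exe` entry whose image path is `SysWOW64` while its command line says `System32`, which is WoW64 file-system redirection and so implies a 32-bit parent. The following script is an added example, not tooling from the sandbox vendor or the report: it parses a constructed excerpt of this section (copied from the lines above, abbreviated) and separates those entries from the browser noise.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the process list above, in the report's own layout:
# one line with the image path, the next with the full command line.
PROCESS_LIST = r"""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6037786368698871841,5064353921473653501,131072 --lang=en-US --renderer-client-id=16 /prefetch:1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x504
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+download+memz
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
"""

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_process_list(text):
    """Pair up the report's alternating image-path / command-line lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("process list must consist of image/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [tok.strip('"') for tok in TOKEN_RE.findall(cmdline)]


def classify(image, cmdline):
    tokens = tokenize(cmdline)
    switches = {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            switches[key] = value
    entry = {"image": image, "role": "top-level", "url": None, "query": None,
             "redirected": False}
    if "type" in switches:
        # --type=... marks a Chromium helper child (renderer, gpu-process,
        # crashpad-handler, utility): spawned by the browser, not by the sample.
        entry["role"] = "chromium-" + switches["type"]
    elif "single-argument" in switches:
        # --single-argument makes Chromium take the rest of the line verbatim; it is
        # how the shell passes a URL to the default browser, so the launch came from
        # outside the browser, i.e. from the sample.
        url = cmdline.split("--single-argument", 1)[1].strip()
        entry["role"] = "external-url-launch"
        entry["url"] = url
        q = parse_qs(urlsplit(url).query).get("q")
        entry["query"] = q[0] if q else None
    # Image path and command-line path disagree (System32 vs SysWOW64): WoW64
    # file-system redirection rewrote the path, so the parent is a 32-bit process.
    if tokens and tokens[0].lower() != image.lower():
        entry["redirected"] = True
    return entry


def triage(text):
    """Everything an analyst should look at: drops the Chromium helper children."""
    return [e for e in (classify(img, cmd) for img, cmd in parse_process_list(text))
            if not e["role"].startswith("chromium-")]


if __name__ == "__main__":
    for e in triage(PROCESS_LIST):
        flag = "(WoW64 redirect)" if e["redirected"] else ""
        print(e["role"], e["image"], e["query"] or "", flag)
```

Run against the full list the same way; the `query` field recovers the plain-text searches the sample opened, which is the quickest way to see that the browser activity here is the sample's doing rather than the analyst's.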

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 dead-reviewer.gl.at.ply.gg udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.180.4:80 google.co.ck tcp
GB 142.250.180.4:80 google.co.ck tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:80 www.google.com tcp
US 8.8.8.8:53 support.google.com udp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
N/A 224.0.0.251:5353 udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
GB 142.250.180.4:80 google.co.ck tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 dead-reviewer.gl.at.ply.gg udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
GB 142.250.180.4:80 google.co.ck tcp
GB 142.250.180.4:80 google.co.ck tcp
GB 216.58.204.68:80 www.google.com tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com udp
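The `*.in-addr.arpa` rows are reverse lookups the sandbox performs on every peer and carry no information about the sample; what remains is one repeated TCP endpoint, `147.185.221.17:60161` resolved from `dead-reviewer.gl.at.ply.gg` (ply.gg is the domain the playit.gg tunnelling service hands out, so the operator's real host is hidden behind a relay), plus the Google traffic caused by the browser launches. The script below is an added example, not part of the report: it parses a constructed excerpt of the table above, drops the rDNS noise, and ranks TCP flows as command-and-control candidates by repetition, port and domain suffix. `TUNNEL_SUFFIXES` is a hypothetical watchlist; only `ply.gg` appears on this page.

```python
from collections import Counter, defaultdict

# Constructed excerpt of the Network table above, same column layout as the report.
# The mDNS row has no Domain column, exactly as printed.
NETWORK_ROWS = """Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 dead-reviewer.gl.at.ply.gg udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.180.4:80 google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
US 8.8.8.8:53 dead-reviewer.gl.at.ply.gg udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp
"""

# Hypothetical watchlist of tunnelling / dynamic-DNS suffixes. Only ply.gg (playit.gg)
# is observed on this page; the others stand in for a real, maintained list.
TUNNEL_SUFFIXES = ("ply.gg", "ngrok.io", "duckdns.org")
WEB_PORTS = {80, 443}


def parse_rows(text):
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                    # no Domain column (multicast, bare IP)
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Reverse lookups are the sandbox's own doing, not sample behaviour."""
    return row["domain"].endswith(".in-addr.arpa")


def c2_candidates(rows, min_connections=3):
    """Rank TCP endpoints; an endpoint needs at least two independent reasons."""
    flows = Counter((r["ip"], r["port"], r["domain"]) for r in rows
                    if r["proto"] == "tcp" and not is_noise(r))
    out = []
    for (ip, port, domain), n in flows.most_common():
        reasons = []
        if n >= min_connections:
            reasons.append(f"{n} connections to one endpoint (beaconing)")
        if port not in WEB_PORTS:
            reasons.append(f"non-web port {port}")
        if domain.endswith(TUNNEL_SUFFIXES):
            reasons.append("tunnelling-service domain")
        if len(reasons) >= 2:
            out.append({"dest": f"{ip}:{port}", "domain": domain,
                        "connections": n, "reasons": reasons})
    return out


def resolved_names(rows):
    """Names the sample queried, mapped to the IPs it subsequently connected to."""
    names = defaultdict(set)
    for r in rows:
        if is_noise(r) or not r["domain"]:
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            names.setdefault(r["domain"], set())   # query seen, connection may follow
        else:
            names[r["domain"]].add(r["ip"])
    return dict(names)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for c in c2_candidates(rows):
        print(c["dest"], c["domain"], c["connections"], "; ".join(c["reasons"]))
    print(resolved_names(rows))
```

On the full table the same endpoint accumulates 39 TCP connections over the run; the Google endpoints are contacted once or twice each on 80/443 and never qualify. Block on the name rather than the IP: playit.gg relays are shared, and the IP can change while `dead-reviewer.gl.at.ply.gg` keeps pointing at the operator.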

Files

memory/1360-0-0x00000000751E0000-0x0000000075791000-memory.dmp

memory/1360-1-0x00000000751E0000-0x0000000075791000-memory.dmp

memory/1360-2-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 937286297fbc003e6a69fdc0f02ce8b0
SHA1 2ebd595bbb357264649f17f8b066941f05befefb
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
SHA512 9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4

memory/2212-13-0x00000000751E0000-0x0000000075791000-memory.dmp

memory/1360-14-0x00000000751E0000-0x0000000075791000-memory.dmp

memory/2212-15-0x00000000751E0000-0x0000000075791000-memory.dmp

memory/2212-16-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 5014379cf5fa31db8a73d68d6353a145
SHA1 2a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8
SHA512 5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

memory/2212-54-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

memory/2212-55-0x00000000751E0000-0x0000000075791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp.exe

MD5 644f18453d3e3874b8cd64374dcebc9e
SHA1 0118997f0114b4a1f090f35d6321d43fe036951a
SHA256 42013a222c8b3840f8242c0664f46fa3776b9e1cddae157fd208d15ba2c49055
SHA512 81bb87a9295587999d9b2661a92615a235084d44dedbf726f7fffc3db693d42847e85ca9cf4420297214120703e291bef29be9f3b057f9851acaf45f0e32b31e

memory/4108-64-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4108-70-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 d261161d84c1119ba526b75df8123299
SHA1 8e11e70f6d31c781f389f892c8330b61bd1ff370
SHA256 a3e8bb0a185943fd76d014d2ed0d2dcc33153fbb87bb952304674feaeaeb22a5
SHA512 ff9b8b5d21460a245574425d95d9e9a6b2c2350b313e8108bf5c8f66519eca5f2160e52ee49b6460a69b6fdccc9f926c2cd9e967ba0a40f490a9aed69cc5d351

memory/3672-76-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2212-77-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5059.tmp.exe

MD5 d770ef5c229566c69a7f33b64e68f1b7
SHA1 f168e26487118ca79362d95724018f7d762f7fee
SHA256 5d6e3f738e42e8e9eed8fcef41c1d7c3b5684c5c55b80d3296784d89d4f6cce9
SHA512 e5a3dbbcf530b51ee7e47ee3e58a8f3b0e1ba45bba0ba7ec9c733346ac7e6b116acbd01c0dea962e58be842f540d10c538d9e12dc2fe3acc9a03f179fdcbc593

memory/5096-86-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5096-88-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDBF1.tmp.exe

MD5 1d5ad9c8d3fee874d0feb8bfac220a11
SHA1 ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512 c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

C:\note.txt

MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 efc9c7501d0a6db520763baad1e05ce8
SHA1 60b5e190124b54ff7234bb2e36071d9c8db8545f
SHA256 7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512 bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

\??\pipe\LOCAL\crashpad_4856_XLHSVOXDRRAMDXEO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00aef0d5d1687ebad9d26d728a23354c
SHA1 4b4f1a084a264b0284dd66b1dac980ab515c2d80
SHA256 76d19ad8b3e19040ceaec131b49ee5f1d7f26adac590ed6b50db7020a9410969
SHA512 1918f387d799a945dfd640d041cd86e3b7671990ee06d7de501fcf0fc8935737fc67125a0ab8a866da3cccc3b67fc9482297d5281642175a0037a3983339b13e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 5036f7c363373f5d9cc2b6519806feae
SHA1 3caf2148a2eb7c82f9aff0f3a2f4594ee70327bf
SHA256 715c5d3e3839c1b47c3008e8a89f929e60858ee379724a20775003c692e9fd6c
SHA512 4661cd6fb02dccc48a42fe127b1e88f7e794cd4eb1d8a5a8f5075f772dad63211efa349bab579c5bb81bfb2c4b1be201c6725a56f617f8913a2235e3565fe645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 08031d88ea8cbcb602122860d0d5d4ff
SHA1 273e489a84721dbbfba62246b35b5facf4ed80cc
SHA256 74fcc11402d640997baefb2235b65af0637fb91fe6a6483ff1881d8ec53081cd
SHA512 78d27a518b8f5c1c995105ce7d6631028ed369e1427def99326e041b2e8e47b68114640b34033c8d38f7fc98d07f5e1476f8b1879cf29a5aa02a29b9adc89343

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8962e1b3b042ad9db01aa75e95f9b7ab
SHA1 82d73684236ce0185deba1f9fc6b63525d80481b
SHA256 fa533cbaac802ea5a52d4bf494b7dcf68c2cf2d5029b717bb45dff647dbdd2b0
SHA512 0fc5c8f2e5dc103b246511716d6dc93996df7cb3a956e9a9b6dc42e1221cec87886bc437874c93b16182c35bfe86ba71b6769b27eb57dc33513dc2ef862dbccd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a56fbf5f-c048-4dff-9b9e-84ceb077f79a.tmp

MD5 121510c1483c9de9fdb590c20526ec0a
SHA1 96443a812fe4d3c522cfdbc9c95155e11939f4e2
SHA256 cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c
SHA512 b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 389ec1058f24f51b7d1c149e39b5dce8
SHA1 3832b5d23302701104feb5808446a10b0c305f02
SHA256 4e68fdd242c041ae521903d2a1ed99ce18708dae5aaa403fcb415a38e4041a25
SHA512 9474953b808e70f31bcf116e41989f8924591fb9a7d2b7c3d0a74afa6dd44547bc83f6201b22e1950cc97ac57992a180be42421569f765ec8fecf3c85da04181

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f2b7c7964d8724397f6d527b9de89f8c
SHA1 f8fb7930c952615ad7de6edc30ad8b504daedcf0
SHA256 7052aac171cae1278820c9f626b4690ef00a9f8e11a6f2e10bc25fe0b1aae718
SHA512 9c08b2a8b46cf731d3e0139a3c3ccbfdfe914bcf538f9e4ce5b2a0344fdaa7d2efcdd530e9e633375a9893b051a31ddf024e92f1014e03ac8ae8f80364ef7721

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 93cc405f2379fb673f44d5c9dd18711b
SHA1 2bbca81b1feb416cee985f52933e6045db05da96
SHA256 a868b548c901e2f1ecc155df6994886e042f55985ee83d07b947c6c8627a3d5a
SHA512 5124429760cf630947ea27eda2ef5131f7aea8bcd80bc7217f256000ba262ae372de4b6433821711c982186428bdfd4296826802895c6de7e572f7126654a437

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fdb8a35e571cfef062c9a43ce5e2f646
SHA1 2331b953b8a3ef2cbb3e74b1c1486111d07873a3
SHA256 14150fca2032b0dc421f91c0fdfe64c5f29116f668dabc6e839227d35b1d9862
SHA512 87317d1390f12dbd69c9583a996cc41650fd44251428b023cc43db6c120f1b0d759847e73c8c7e15fd8bc627657ba8962f418cef1c78895451f1c740741f464c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a4200a9ad4bdf332762c41952986349e
SHA1 76afb7fb7d1c7be0ad5708533bccf11da5931f18
SHA256 1c671271b65b1b91a93d19b67c328f3cff477e6bad9429e378d0a362f68a01fb
SHA512 22102dc0c90160a467b11d91d07ce651464cd059eaf1424083441681009c7e9c109b5a0ba82e0b7c2e36b3e05ed156a75a40831ed1da6ed45890d1d0f49bd3ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d9cbd856a5819cb8d7e2026d71e60dc4
SHA1 adccce82fdbf156689c2e5bcf28207b44aef8fa0
SHA256 ce0e937a8dd0a28ccc273ff374af363e5c2478cf069dcdc217037afbe23fee01
SHA512 165ab185f640df1c21b0bb930b376b425fc5df181f6ea70219441220ebd0c0b82c84ce6d67393a3320144210d60b1ab984ebd59037322a7afe14724af9103558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 585924c6b2382e6657bf878705b9495f
SHA1 0ac90a857f05d818ec531b1173797aa17e0a76e0
SHA256 f01ff1e7a43da80041300dabc49c9dcd0d418587fec04b0b538d864ec2cc2f4f
SHA512 e5132fe143b58b079093474f6e415a50cc438dbf32826baf1113b9522fdde63f025440d4694f833082ebc88fcf22efebf031f64d41356d2989b62c89b6fe993a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6bdbad95270e5fe7ab1efcb2a7eaf845
SHA1 083ff808c3e92f1e77e8f6ea81980955bb5ccee7
SHA256 3f708bb1d8e3148c6e3532568931e0679d754698fc87283ad41065a54031caf0
SHA512 840ee1d2979decab9290f1a7655f655eb46787a01a6afd462088143ea763659de54ba543a399d42e7f589e93f48cfeabdfda53ce94804b7f5b7bbcc9e6044ce2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4dfd8c4130d92f269ddfc116b7a4d1a0
SHA1 a6f4f64450a16da6cd422ee4fcd27387d4fad511
SHA256 2aa32d5c50de931eb977f9283e8be26c14a389f81b312f74753a9ca7dc52632a
SHA512 7de216bde951bb4dbbf8de70435d2a7c3c5f5c80a7898637ebcd2e7eeb8afc377d95067b981671ece843186d6a08795cebed4671566238ee5ef7f9241245b921

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fcf6ca576a14fd9d675c8cd6c115e759
SHA1 5e196b60666889dbdab9ade1b7b4dca4a2987f86
SHA256 0550eb32a2dea88d48f52409495450990ce38bc26055310f8ed3577706154d1d
SHA512 6db107d44261a1688635ddc70c12b9a343bca3194c157c9b4c3973f6d23c3ea774e5e23028bd6282e847f2588f75a2f7d8a39ffd4f078ac237ff14f499d94fd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 803adc47afb8fae33350cc03d67f4991
SHA1 c8f84d617853e7f6b3a71214314db271e82771fa
SHA256 3ecb9780cbbcb99ec344ef2d717334b0dbfddb49c7a1d6c292cf2523134f9659
SHA512 b3014237d4e5e5ac4e1af4f03183e598faeb2ace0bea08a8f53459f2311654d331ee31c56b0854410df2279d1d13e5b398a4d4d4a23f056aedb83f635f9acbfa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0a04d2b9f8b66690f79eb267c049d22c
SHA1 fef6bed6a0138de041f56137636db6054f2b6423
SHA256 8905c13a516e17e050e17430f5b8765326b9224b4b24fff142bd5d5522149f1e
SHA512 cf1a54477db9e448fc0e89074fe9ec9ae2df316b5c6913d1eea7f6715717dc0244eed5720c353003572dc7b923a3f6896c257b772975dde891f1f27bbf42df37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c79de919ea84fa987db21a12fbf4b74a
SHA1 be4e785414968677c561094e44c41cbbc13f1dc9
SHA256 80f4ebaed34745d87de17931ba229f7723d3b651bfd273754457a37e3c84c3ed
SHA512 ea90febe1b3c443e7289de79f2e55abaa2fbbeea65b74a240fa3a76469fd7c1de8e01d2f70f56fb9dc01cbf68bbdc6cbe1bda3815d81e55ef69cb7465d855fe5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1d8b6876019abddf539e33c54dec4e99
SHA1 5cd5bccf0307a608a325e94e6cf7b72d79c46086
SHA256 07985725ce2b039d8ca905ccf31132535b2f0d958529ee7f0239c83914d59bbf
SHA512 47ec2662059d9b296b0514c44369875aa03f8959881f529a96b2aeb2fcc135018f6e1216e16e98d49f3ab4502115276e2fd2a660bc40f6589821b21baba5a73e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 78197e335ee45b39c4609ca058eff336
SHA1 040bfb4a8e7ea3f08f681f6b9a40d73d0c2f4197
SHA256 eafea0cc03d5ead29b856d473e3598d1223123aa67f601c146c0d57bf111aceb
SHA512 393bb32ef5c7ac338e8616101be4a0749cb955b6ceb88c1404ac01c468a26f2fb2b2ca0275c005ffd424f37bbf8ec1074658964f6ea212a1a7b0d15ecee7d2c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 71e48c07d3a597b832b1bcce3f646af2
SHA1 e9dad486892dae5cb716140fea005d575c2d9789
SHA256 1c432a66366dfb726f6e96577fa98ba11958c3f85c92ddfe35b32e5d950b0d7d
SHA512 6a5aea1dabeca884ec1e4902ad612bf72d12acdde9b356ac0ce768a8c80bf810e6da8047aef8cd8b84b973a62e2194b36d1933922760bfd02c3e01732960a251

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e029efe70912cf57d40d04c01776d41d
SHA1 94eba5604a8e4523d23565ac3ebcdcda4005e4eb
SHA256 57cd696aea3594a27f18b3636da302823ca687c6a326ff9ed2b578a23a96ac37
SHA512 3c380b2c1530a103030562135f9b71eb36a15c49ea96082f64f717e7045ea578ecbec2d1f53cd569d720f7e37a3c091f9bc6ff3dfecde6775658c1c51a03f01b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 10ba0edb9b3a26124ac95d1ca80f845e
SHA1 bc728bb9392c926ac4ac6ad927c5f65fa4efaadc
SHA256 155018630f1542b0883cb2caf12d5d7d4d72625a3845cf38cae305c50872c75c
SHA512 01e9cc95cd13bc6dee35cbdf2661464e83dffec96516e6fc47a7110e1c87033c502f81dd4dd7925d6c781a64ea638299d4cb00017fdec74b260c0c8d10349c59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

MD5 a8180b4239a00993054fffd98a793e92
SHA1 ff0b9c7e7e692ce4c4a66ee75e7ee878ab36015e
SHA256 3145c0fd1577436549dc118a223270d48f6b77a1560d9f4aae433b86a2d4a63c
SHA512 d9d639928f933d6a44302d90a9b3569a1bdc7ab61169caed6adf07f85b8cf16ee12dd0f05450e6e2e1b30745075a6727f912c92b009ff252a5e9c0cb307560d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 973dc0dc28674bc44e214a934b2c3d8f
SHA1 d19486238f2de595ca121ba59285a68d12258af2
SHA256 c87656dc547c9a110b585131c89e6c1ebd4cedac006f80d695c850b6d0c9d647
SHA512 8c17e919b47e63c7398661a385ebd0867e5372a74bfcfa37c3b8a7c3b1e18c9bf8722a4cde2c9be0f206e9ac6328423e6d5734f02ce3f11bb75953f37f207deb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 6516e5d2953bdda00442cbed5486dc3e
SHA1 27c600dc527f9709b2c8ab6197abfcbde42eb215
SHA256 ef821bc70f105a61fd9a04bd0c292f60cd6aa842711e7e7059d1a3fba1f0bb3b
SHA512 c84d2152293bdb9975e303b6a71fde92e988b02c740ef488eb358f75a5d3a3ef7df180bb2f2898f738c84ce58bd85975a9bf88132342a87eab3d113188dbe08e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 a77ebfa4d319355f3579b5bd23247917
SHA1 f26d49b5664f9939de8a4719b48538a387c07024
SHA256 473ba10209a0bc945200c0fef0ebe06d0f7e77cd615aa0f1cca20f44e65cbf18
SHA512 902d3558eb4972bcf039bd8fd595295606ac021cad689d5748eec492f6a946b66294448ebb40270f71405ea4206cffa15e13fffee7171aa78a4778f4a70d53f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 a9541063676ac1c978e9b384af78f837
SHA1 28d5a68fc8c968310105f605a1a62998eee7f9d7
SHA256 59189bb9eaa932c0a9f7d7bca98280668715f904544b06b017b2b6fa1fcfcaee
SHA512 58beaafa3ba6c004e5476ee17492c1b5496b2e941afe3a39144b7440986dca25bef32bd1a7ebec786bc788bd9a3c435b3d950cec034563657073893467261c94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 a9851aa4c3c8af2d1bd8834201b2ba51
SHA1 fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256 e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13350768016201512

MD5 2bf649bd47a5f5f1197278b75ef8a277
SHA1 1430df987d7525f98e95d22bb160ec8008c3ebb4
SHA256 e314856e1419863f5280930f65f575d22b2012f282dd42d2b4bd3c47a38c06bb
SHA512 2d53c9ea32c0e946a3f443ecbeeb0db156fe762aceb918c6abe20bb71cdb2a5f56c421e3879daf35d418734f5a8adacaca590a146d15611d1c9c139fb011a628

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 299999f17ce35806d9bb1a5bfb91f4e0
SHA1 72c76c68f49c31059e5c444014c2197d673695cd
SHA256 16e4255650a4e7dbd562245dd87d78d1e725e4042b703ee9102723e1cd11035e
SHA512 d2da8a17edb59eace68311ddac6904e133954d9464c8139ce54dc858c01662fd24f8a02314f82be9e4359eb2c6a9255120f0e7d0e6550bd23b7a815c1143ffb8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

MD5 614d2216e1c51f4203fab12c060b5651
SHA1 279cf59ae366f9144750d2d2dd95b6b5caa3c076
SHA256 5fefa6a6188033fb90ca38c8446eeeef3e19fd7a5820012918ea003e13727209
SHA512 0dcd9020405acb4ef5333aea543a9bad00b310741b80be7ac55c01daba7154d883153fe4c753705f71682c762ec953bf8dc9adca88d00f417a68d588217e6e5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 25c8365bb2b4ad7ec28b1189c8383c94
SHA1 54b8ceda42ae3265fffdabd13a4b9cc76376a1e7
SHA256 5789a8814b1e30087c6fa2a657cc3ffeca9a5a93df45bce19219ab99f36f42a1
SHA512 1163d857479b37a2605ebc8ab21892c56370585c1141525bda90a5dc1399317b870ebb593a3994f5d662bdf59068ca6b322122c87a896b7edce67c3afce552b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 0a9395eb2a88ca3b56f31a9e5afda790
SHA1 6da794d7d0ac878adb52b78a7aad2c6dba6ab4bd
SHA256 8ce79edd46ed5b56477240ab2947b03ff92bdf45b8c4d33b4ad544a03fb69a91
SHA512 83690694d91c39f276375f6940977c24dcc189e7154f43168c541f8e36ae7e9e52bc9539a4a22b9c1d057a9b817ad32a0d6cbcba70699d554696c9ebc82be82d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 54103633727df0e6a07b9fafb4f26d78
SHA1 e21fbcf2fc8ba3866eb49f410113dbd21884d0eb
SHA256 1b188332c2166f4f65ab7c4c173d7ad6927f3d16ad189e0a877821a01ac716d5
SHA512 bfa85c9f16f060c04fbc44cb0897026bc8d2d01ad3ac2a1cf0b13cfa5c289bc44ba5bb5a6741b251986b58654a050a32e4c31167f55f4cbbce9ec2de2562f9ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 0679c04a0d7590a6a58257b3d6c6c314
SHA1 6d7a071f1208b58fbea8d7be82f992f6efa1d742
SHA256 8bde7e5ee69ec6ae7f03de416ec7c5037a266c83f48bf851dcfe92107b9976d1
SHA512 fd15813f6019949a409b385c9c424fea48d3e517f82858f6f55cd454d6a8731e7e31ba92ab4f21a799d8ff54e85c22cd7e9b98c6379b5abfd974ae7fd6499c21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 05492969b15e9885577716c4ca47c5fa
SHA1 d50e57c7a5cbf8cacd3f574e68b09bb70738740f
SHA256 7df795df9f286bcc023b5387fdfd7dbc7c1301922612e06f48a305c18621335c
SHA512 7e03e6f70bc854cd0f4112102b57ccbfcf8794f8896ea24b27557f8f16b96974f9068540f6b20137b5e88b81f8ab5b82edf2d038e9fc5e94454a8ad15c934545

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

MD5 3b3498e235fdf541ac71ead2f9d3f3b1
SHA1 ad9e49bc4f4e5c210c2d9d308f534aa3c4c3c5b4
SHA256 33c598816e7e25d59dca1cdf6f198773ede36a662b7787c030b9a6f49f7f345a
SHA512 75358c0b7c084492d087e9a0fbf4b185483b5008cdb67ee2a28a06acaea3837f908926cb255f1065ed548082045bbb74446856f0282fd99919907e93cbdb935d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7e64a3ac3d2edb1dba895f334bb51312
SHA1 d98c7eae81591e59eca3122a4b0655ee32330d16
SHA256 fe2d0324014f877cb02c1bcb627c0bc408d280f270b0999f0bda3263924eaa14
SHA512 9fefaa4dfa0e66da930572e5ee0d4b5208073ddb8c89cddc3ecbd3c72d5a4722c7a48400fafee9dceb1048b46b0579a6b80b64a379ab4820d1e447cb69b42b69
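Two checks worth running on a file list like this before treating every entry as a dropped artifact. First, `C:\Users\Admin\AppData\Local\Temp\server.exe` carries SHA256 `35b46563...fba58cf`, the hash of the submitted sample itself, so it is a self-copy rather than a second payload. Second, the `\??\pipe\LOCAL\crashpad_...` entry has MD5 `d41d8cd9...` / SHA256 `e3b0c442...`, the digests of zero bytes, so the sandbox hashed an empty object, not file content. Everything under `Microsoft\Edge\User Data` is browser profile churn from the Edge launches, and the same path (`Default\Preferences`, `Local State`) appearing repeatedly with different hashes is that file being rewritten, not several files. The script below is an added example, not part of the report: it parses a constructed excerpt of this section (SHA512 lines omitted for brevity) and sorts entries into those buckets. The sample hash is taken from the report header.

```python
import re
from collections import Counter

SAMPLE_SHA256 = "35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf"
# SHA-256 of zero bytes: a listing with this digest had no content to hash.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed excerpt of the Files section above, in the report's layout.
FILES_SECTION = r"""
memory/1360-0-0x00000000751E0000-0x0000000075791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 937286297fbc003e6a69fdc0f02ce8b0
SHA1 2ebd595bbb357264649f17f8b066941f05befefb
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf

C:\Users\Admin\AppData\Roaming\app

MD5 5014379cf5fa31db8a73d68d6353a145
SHA1 2a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 d261161d84c1119ba526b75df8123299
SHA1 8e11e70f6d31c781f389f892c8330b61bd1ff370
SHA256 a3e8bb0a185943fd76d014d2ed0d2dcc33153fbb87bb952304674feaeaeb22a5

C:\note.txt

MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

\??\pipe\LOCAL\crashpad_4856_XLHSVOXDRRAMDXEO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00aef0d5d1687ebad9d26d728a23354c
SHA1 4b4f1a084a264b0284dd66b1dac980ab515c2d80
SHA256 76d19ad8b3e19040ceaec131b49ee5f1d7f26adac590ed6b50db7020a9410969

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8962e1b3b042ad9db01aa75e95f9b7ab
SHA1 82d73684236ce0185deba1f9fc6b63525d80481b
SHA256 fa533cbaac802ea5a52d4bf494b7dcf68c2cf2d5029b717bb45dff647dbdd2b0
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
BROWSER_PROFILE_MARKER = r"\Microsoft\Edge\User Data"


def parse_files(text):
    """Return (file entries with their hashes, memory-dump records)."""
    entries, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}
        entries.append(current)
    return entries, dumps


def triage_files(entries, sample_sha256=SAMPLE_SHA256):
    """Bucket entries: self-copies, empty objects, browser profile noise, real drops."""
    report = {"sample_copies": [], "empty": [], "browser_noise": [], "dropped": []}
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha == sample_sha256:
            report["sample_copies"].append(e["path"])
        elif sha == EMPTY_SHA256:
            report["empty"].append(e["path"])
        elif BROWSER_PROFILE_MARKER in e["path"]:
            report["browser_noise"].append(e["path"])
        else:
            report["dropped"].append(e["path"])
    counts = Counter(e["path"] for e in entries)
    report["rewritten"] = {p: n for p, n in counts.items() if n > 1}
    return report


if __name__ == "__main__":
    entries, dumps = parse_files(FILES_SECTION)
    for bucket, paths in triage_files(entries).items():
        print(bucket, paths)
    print(dumps)
```

What survives in `dropped` is the short list worth pulling from the sandbox: `Roaming\app`, `Temp\install.bat`, `C:\note.txt`, and (on the full list) the `tmp*.tmp.exe` stages.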