Analysis

max time kernel: 368s
max time network: 365s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-02-2024 13:12
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://stableapp.online/AirServerConnect3
Resource: win11-20240221-en

General

Target: https://stableapp.online/AirServerConnect3
Malware Config

Extracted family: stealc
C2 host: http://147.45.47.72
url_path: /eb6f29c6a60b3865.php

Taken together these give the gate URL http://147.45.47.72/eb6f29c6a60b3865.php. Because both values were extracted from the payload's own configuration rather than inferred from traffic, the IP and the path are the highest-fidelity network indicators in this report.
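As an added example (not part of the sandbox report), the following Python joins the two extracted config fields into the gate URL and then hunts for it in proxy logs. Only the host and url_path come from the report; the log line format, the sample lines and the assumption that a rotated gate path on the same host keeps the 16-hex-digit ".php" shape are the editor's.

```python
"""Build the Stealc C2 endpoint from the extracted config and hunt for it in logs."""
import re
from urllib.parse import urlsplit

# Values as extracted by the sandbox (Malware Config section above).
STEALC_C2 = "http://147.45.47.72"
STEALC_URL_PATH = "/eb6f29c6a60b3865.php"

# Assumption: a rotated gate path keeps the 16-hex-digit ".php" shape seen in
# this config, so the regex also catches a changed path on the same host.
GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")

# Constructed proxy log lines (timestamp src method url status); not from the report.
SAMPLE_LOG = """\
2024-02-25T13:14:02Z 10.0.0.12 GET https://stableapp.online/AirServerConnect3 200
2024-02-25T13:15:41Z 10.0.0.12 POST http://147.45.47.72/eb6f29c6a60b3865.php 200
2024-02-25T13:15:43Z 10.0.0.12 POST http://147.45.47.72/eb6f29c6a60b3865.php 200
2024-02-25T13:16:00Z 10.0.0.12 GET http://147.45.47.72/favicon.ico 404
2024-02-25T13:16:10Z 10.0.0.12 POST https://example.com/eb6f29c6a60b3865.php 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def c2_url(host: str = STEALC_C2, path: str = STEALC_URL_PATH) -> str:
    """Join the extracted C2 host and url_path into the full gate URL."""
    return host.rstrip("/") + "/" + path.lstrip("/")


def classify(url: str) -> str:
    """'exact' for the extracted endpoint, 'host' for a gate-shaped path on the
    same C2 host, 'none' otherwise. The host check compares scheme and netloc,
    so an unrelated site that happens to reuse the path name does not match."""
    u, c2 = urlsplit(url), urlsplit(STEALC_C2)
    if (u.scheme, u.netloc) != (c2.scheme, c2.netloc):
        return "none"
    if u.path == STEALC_URL_PATH:
        return "exact"
    return "host" if GATE_RE.match(u.path) else "none"


def find_beacons(log_text: str) -> list:
    """Return (timestamp, src, method, url, verdict) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, url, _status = m.groups()
        verdict = classify(url)
        if verdict != "none":
            hits.append((ts, src, method, url, verdict))
    return hits


if __name__ == "__main__":
    print("C2 endpoint:", c2_url())
    for hit in find_beacons(SAMPLE_LOG):
        print(*hit)
```

The verdict column separates a confirmed hit on the extracted endpoint from a weaker "same host, gate-shaped path" match, so the latter can be reviewed rather than blocked outright.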
Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
Caveat: this is a family-name rule hit only. Nothing else in the report shows ransomware behaviour (no file encryption, no ransom note), while the extracted configuration and the behavioral signatures below (browser, FTP-client and wallet data access; SetThreadContext into RegAsm.exe) fit the Stealc infostealer. Treat the Locky label as a likely false positive and the Stealc C2 as the primary indicator.

Downloads MZ/PE file
Executes dropped EXE (5 IoCs)
Processes:
- PID 3500  7z2301-x64.exe
- PID 4672  7zG.exe
- PID 928   Setup.exe
- PID 3620  lic.exe
- PID 3436  TPJDGFMKOG.exe
By name and by the files they drop under C:\Program Files\7-Zip (see below), 7z2301-x64.exe and 7zG.exe are the 7-Zip 23.01 installer and its GUI, downloaded during the session alongside the AirServerConnect3 archive. The entries to follow are Setup.exe, lic.exe and TPJDGFMKOG.exe, whose ten-letter upper-case name is typical of a generated drop name; their parent-child relationships are in the part of the process tree not reproduced on this page.

Loads dropped DLL (3 IoCs)
Processes:
- PID 4672  7zG.exe
- PID 1192  RegAsm.exe (two entries)
RegAsm.exe PID 1192 is the process TPJDGFMKOG.exe injects into (see Suspicious use of SetThreadContext), so a dropped DLL loading inside it is payload activity, not RegAsm's own.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun (1 TTP, 3 IoCs)
Processes:
- 7z2301-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
- 7z2301-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll"
- 7z2301-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"
{23170F69-40C1-278A-1000-000100020000} is the 7-Zip shell extension CLSID and the server path is the freshly installed 7-zip.dll, so this is the 7-Zip installer's normal registration, not persistence for the stealer. On a real host, confirm that InprocServer32 still points into C:\Program Files\7-Zip and not into a user-writable directory before dismissing it.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3436 TPJDGFMKOG.exe set thread context of PID 1192 RegAsm.exe
RegAsm.exe is the .NET Framework assembly registration tool, a signed Microsoft binary. A dropped executable setting the thread context of a RegAsm.exe instance is the process-hollowing pattern (start the host suspended, replace its image, point the primary thread at the new entry point, resume). Every later IoC attributed to PID 1192 (dropped DLL load, CPU name lookup, process enumeration) should therefore be read as the stealer's.
Drops file in Program Files directory (64 IoCs)
Processes: 7z2301-x64.exe, all under C:\Program Files\7-Zip\
- File created: 7-zip.dll.tmp
- File opened for modification: 7-zip.dll, 7-zip.dll.tmp, 7-zip32.dll, 7-zip.chm, 7z.exe, History.txt, License.txt, Uninstall.exe
- File opened for modification in Lang\: ar.txt, az.txt, bn.txt, ca.txt, co.txt, cs.txt, cy.txt, de.txt, el.txt, en.ttt, eo.txt, et.txt, ext.txt, fi.txt, fr.txt, ga.txt, hr.txt, hy.txt, id.txt, io.txt, is.txt, ja.txt, ka.txt, kk.txt, ko.txt, ku.txt, ky.txt, lij.txt, lt.txt, lv.txt, mk.txt, mng2.txt, mr.txt, nb.txt, nl.txt, pl.txt, ps.txt, pt-br.txt, ro.txt, ru.txt, si.txt, sk.txt, sr-spc.txt, sv.txt, ta.txt, th.txt, tk.txt, tr.txt, tt.txt, ug.txt, va.txt, vi.txt, yo.txt, zh-cn.txt, zh-tw.txt
All 64 entries are the 7-Zip installer laying down its own files; none involve the stealer.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- RegAsm.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- RegAsm.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
The querying RegAsm.exe is the injected instance (PID 1192), so this is the stealer fingerprinting the host; a ProcessorNameString that names a hypervisor is a common sandbox-evasion check.
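An added example, not from the report, covering this signature together with the SetThreadContext entry above: it parses event lines in the report's own flattened layout, recovers the injector-to-target relationship, and re-attributes the target process's later activity to the injector. The event list is constructed (the PIDs and image names are the report's; the per-event pid column and the list of commonly hollowed Microsoft binaries are the editor's assumptions).

```python
"""Attribute a hollowed process's activity back to its injector from sandbox events."""
import re
from collections import defaultdict

# Event line in the report's own layout:
# "PID <injector> set thread context of <target> <injector> <injector.exe> <target.exe>"
SET_CTX_RE = re.compile(
    r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\S+)")

# Analyst-curated list (assumption, not from the report): signed Microsoft
# binaries frequently chosen as hollowing hosts because they look legitimate.
COMMON_HOLLOWING_TARGETS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

# Constructed event stream. PIDs and image names are the report's; the
# per-event pid column is assumed, since the page's tables omit it for some rows.
EVENTS = [
    {"pid": 3436, "image": "TPJDGFMKOG.exe", "event": "Executes dropped EXE", "detail": ""},
    {"pid": 3436, "image": "TPJDGFMKOG.exe", "event": "SetThreadContext",
     "detail": "PID 3436 set thread context of 1192 3436 TPJDGFMKOG.exe RegAsm.exe"},
    {"pid": 1192, "image": "RegAsm.exe", "event": "Loads dropped DLL", "detail": ""},
    {"pid": 1192, "image": "RegAsm.exe", "event": "Key value queried",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 4672, "image": "7zG.exe", "event": "Token", "detail": "SeRestorePrivilege"},
]


def find_injections(events):
    """Return [(injector_pid, injector_image, target_pid, target_image)] for
    every SetThreadContext event whose detail line parses cleanly."""
    found = []
    for ev in events:
        if ev["event"] != "SetThreadContext":
            continue
        m = SET_CTX_RE.match(ev["detail"])
        if not m:
            continue
        inj_pid, tgt_pid, inj_pid2, inj_img, tgt_img = m.groups()
        if inj_pid != inj_pid2:   # malformed line: the two injector pids disagree
            continue
        found.append((int(inj_pid), inj_img, int(tgt_pid), tgt_img))
    return found


def attribute(events):
    """Map every event to its effective actor: the injector when the event's pid
    was a SetThreadContext target, otherwise the process itself."""
    actor_of = {tgt: f"{inj_img} ({inj_pid})"
                for inj_pid, inj_img, tgt, _ in find_injections(events)}
    by_actor = defaultdict(list)
    for ev in events:
        actor = actor_of.get(ev["pid"], f"{ev['image']} ({ev['pid']})")
        by_actor[actor].append(ev["event"])
    return dict(by_actor)


def hollowing_alerts(events):
    """One alert line per injection into a commonly abused host image."""
    return [f"{inj} ({ip}) -> {tgt} ({tp}): likely process hollowing"
            for ip, inj, tp, tgt in find_injections(events)
            if tgt.lower() in COMMON_HOLLOWING_TARGETS]


if __name__ == "__main__":
    for line in hollowing_alerts(EVENTS):
        print(line)
    for actor, evs in attribute(EVENTS).items():
        print(actor, "->", ", ".join(evs))
```

Re-attribution is the point: once RegAsm.exe PID 1192 is known to be a hollowing target, its DLL load and CPU lookup are grouped under TPJDGFMKOG.exe, which is how an analyst should read them when building the timeline.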
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
These three reads are attributed to the browser itself, not to any dropped process, so they carry no weight here.
Modifies registry class (22 IoCs)
Processes: 7z2301-x64.exe (20 entries), MiniSearchHost.exe (1), WScript.exe (1)
7z2301-x64.exe, all registering the 7-Zip shell extension {23170F69-40C1-278A-1000-000100020000}:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} and its InprocServer32 subkey; Set value (str) (Default) = "7-Zip Shell Extension", InprocServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll", InprocServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} and its InprocServer32 subkey; Set value (str) (Default) = "7-Zip Shell Extension", InprocServer32\(Default) = "C:\Program Files\7-Zip\7-zip32.dll", InprocServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip, \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip, \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip, \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip, \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip; Set value (str) (Default) = "{23170F69-40C1-278A-1000-000100020000}" on each
MiniSearchHost.exe: Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache
WScript.exe: Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings
The 7-Zip entries are the installer's context-menu and drag-drop handler registration, expected for that product. The WScript.exe entry is the one to note: it shows Windows Script Host ran during the session, yet neither the script nor its parent appears in the portion of the process tree reproduced on this page.
NTFS ADS (3 IoCs)
Processes:
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb.zip:Zone.Identifier
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 445219.crdownload:SmartScreen
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\7z2301-x64.exe:Zone.Identifier
These streams are the browser writing mark-of-the-web (Zone.Identifier) and its SmartScreen result on the two downloads, which is expected behaviour rather than tampering. They are still worth keeping: a Zone.Identifier stream records ZoneId=3 (Internet) and, for Chromium-based browsers, the ReferrerUrl and HostUrl of the download, which ties the zip and the 7-Zip installer back to the lure page on a victim's machine. The pairing of a zip (AirServerConnect3__Application_65db3cbe9aceb.zip) with a 7-Zip installer is consistent with the archive being opened by 7zG.exe after 7-Zip was installed.
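As an added example (not from the report), the following Python parses a Zone.Identifier stream into zone and source URLs and shows how to open the stream on a file. The stream body is constructed: ZoneId=3 and the [ZoneTransfer] layout are what Windows writes, but the ReferrerUrl and HostUrl values are assumed to be the lure URL from this report, since the real stream contents on the sandbox VM are not shown on the page.

```python
"""Read and interpret the Zone.Identifier (mark-of-the-web) stream on a download."""
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed stream body. ZoneId=3 and the [ZoneTransfer] layout are what
# Windows writes; the URLs are assumed to be the lure page from this report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://stableapp.online/AirServerConnect3\r\n"
    "HostUrl=https://stableapp.online/AirServerConnect3\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream into zone id/name and source URLs.
    Raises ValueError when the [ZoneTransfer] section is missing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    sect = cp["ZoneTransfer"]
    zone_id = int(sect.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sect.get("ReferrerUrl"),
        "host_url": sect.get("HostUrl"),
        # Zones 3 and 4 are what SmartScreen and Office treat as untrusted.
        "from_internet": zone_id >= 3,
    }


def read_motw(path: str):
    """Open the file's Zone.Identifier alternate data stream via the
    "<path>:Zone.Identifier" syntax. Returns None when the stream is absent,
    the file does not exist, or the filesystem has no streams (non-NTFS)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for name in (r"C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb.zip",
                 r"C:\Users\Admin\Downloads\7z2301-x64.exe"):
        print(name, read_motw(name))
```

On a live Windows host the two `read_motw` calls at the bottom return the parsed stream for each download; elsewhere they return None, which the caller should treat as "no provenance", not as "local origin".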
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (repeated entries collapsed): msedge.exe PIDs 3956, 4732, 3708, 356, 3584, 4780; identity_helper.exe PID 4708; RegAsm.exe PID 1192

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
Processes: msedge.exe PID 4732 (23 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- 7zG.exe PID 4672: Token SeRestorePrivilege; Token 35 (LUID of SeCreateSymbolicLinkPrivilege); Token SeSecurityPrivilege (two entries)
- AUDIODG.EXE PID 4996: Token 33 (LUID of SeIncreaseWorkingSetPrivilege); Token SeIncBasePriorityPrivilege

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe PID 4732 (64 entries)

Suspicious use of SendNotifyMessage (14 IoCs)
Processes: msedge.exe PID 4732 (14 entries)

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: 7z2301-x64.exe PID 3500; Setup.exe PID 928; lic.exe PID 3620; MiniSearchHost.exe PID 4656; OpenWith.exe PID 2788

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe PID 4732 wrote to memory of its child msedge.exe processes PID 1200, 4728, 3956 and 1592 (repeated entries collapsed)

Reading these "suspicious" entries: the Edge ones (process enumeration, the block-non-Microsoft-binaries mitigation on child creation, tray-window and notify-message calls, writes into its own children) are the browser's normal multi-process startup, and the 7zG.exe privileges are what an archiver enables to restore ACLs and symbolic links. The entries that matter are the window hooks installed by Setup.exe and lic.exe, which deserve a second look, and RegAsm.exe PID 1192 enumerating processes, which is again the injected stealer.
Processes

Each entry below gives the image path immediately followed by the full command line; the digit before the arrow is the depth in the tree (1 = the root msedge.exe launched on the sample URL, 2 = its children). The tree reproduced on this page is cut off: 7zG.exe, Setup.exe, lic.exe, TPJDGFMKOG.exe, RegAsm.exe and WScript.exe, all referenced by the signatures above, do not appear in the portion shown.
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://stableapp.online/AirServerConnect31⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb8ee3cb8,0x7ffcb8ee3cc8,0x7ffcb8ee3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:12⤵
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3380 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3368 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6832 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    "C:\Users\Admin\Downloads\7z2301-x64.exe"
      - Executes dropped EXE
      - Registers COM server for autorun
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1720 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5040 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11347853270976668836,13203173053085924996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb\" -spe -an -ai#7zMap27615:150:7zEvent31338
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

"C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb\Setup.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

    C:\lickeyactivated\TPJDGFMKOG.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=UZfBnXM8WuY

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcb8ee3cb8,0x7ffcb8ee3cc8,0x7ffcb8ee3cd8

"C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb\lic.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D4
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb\Defender Settings.vbs"
  - Modifies registry class

C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\AirServerConnect3__Application_65db3cbe9aceb\INSTRUCTION.html

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcb8ee3cb8,0x7ffcb8ee3cc8,0x7ffcb8ee3cd8
Downloads