Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1221624037218979871/1233171393697419264/XSpammer_Setup.rar?ex=662c1fdb&is=662ace5b&hm=3c540bfb55da626be833e4e95546e3f675c5c7f630c08bb04c5cfffa0db0c08b& was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
Drops file in Drivers directory
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Enumerates physical storage devices
Detects videocard installed
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-25 21:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 21:57
Reported
2024-04-25 22:17
Platform
win10v2004-20240412-en
Max time kernel
1199s
Max time network
1176s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\XSpammer Setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XSpammer Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\State = "0" | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\UserEnabledStartupOnce = "0" | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1221624037218979871/1233171393697419264/XSpammer_Setup.rar?ex=662c1fdb&is=662ace5b&hm=3c540bfb55da626be833e4e95546e3f675c5c7f630c08bb04c5cfffa0db0c08b&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9675246f8,0x7ff967524708,0x7ff967524718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2590:90:7zEvent24868
C:\Users\Admin\Downloads\XSpammer Setup.exe
"C:\Users\Admin\Downloads\XSpammer Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe
"C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe"
C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe
"C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1564,5366388912168346946,12529785655891292889,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1572 /prefetch:2
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,5366388912168346946,12529785655891292889,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2088 /prefetch:8
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=renderer --field-trial-handle=1564,5366388912168346946,12529785655891292889,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe"
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1584 /prefetch:2
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2124 /prefetch:8
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=renderer --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2464 /prefetch:2
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
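The command lines above are the part of this run a detection engineer can act on directly: the two powershell.exe invocations that add a Defender exclusion for the dropped Qwryfbmksj.exe and switch off real-time, IOAV, script and cloud protection, the registry reads of the Roblox .ROBLOSECURITY cookie (once with HKCU:, once with the misspelt HKLN:), and the wmic queries for the machine UUID and video controller. The following is an added example, not part of the sandbox report and not code from the analysed sample: it runs a small rule set over process-creation events. The sample events are built from the report's own command lines plus two benign ones constructed for contrast; the rule names are the editor's, and the ATT&CK technique IDs are the editor's mapping, not something the report lists.

```python
"""Detection logic for the Defender-tampering and host-fingerprinting command
lines in the process tree above. Added example, not part of the sandbox report:
the sample events reuse the report's own command lines plus two benign ones
constructed for contrast, the rule names are the editor's, and the ATT&CK IDs
are the editor's mapping rather than anything the report lists."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # path of the created process
    command_line: str   # command line as a process-creation log records it


# (rule name, ATT&CK technique, pattern over the command line)
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath\b", re.I)),
    ("defender_protection_disabled", "T1562.001",
     re.compile(r"\bSet-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection|"
                r"ScriptScanning|IntrusionPreventionSystem)\s+\$true", re.I)),
    ("defender_cloud_reporting_off", "T1562.001",
     re.compile(r"\bSet-MpPreference\b.*(?:-MAPSReporting\s+Disabled|"
                r"-SubmitSamplesConsent\s+(?:NeverSend|2)\b)", re.I)),
    # No hive anchor on purpose: the report shows both HKCU: and the misspelt HKLN:.
    ("roblox_cookie_from_registry", "T1552.002",
     re.compile(r"\bGet-ItemPropertyValue\b.*\\Roblox\\.*\.ROBLOSECURITY\b", re.I)),
    ("hwid_via_wmic", "T1082",
     re.compile(r'^"?wmic(?:\.exe)?"?\s+csproduct\s+get\s+uuid\b', re.I)),
    ("gpu_via_wmic", "T1082",
     re.compile(r'^"?wmic(?:\.exe)?"?\s+path\s+win32_VideoController\s+get\s+name\b', re.I)),
]

# Captures the quoted path handed to -ExclusionPath (single or double quotes).
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+(['\"])(.+?)\1", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"

# Five events copied from the report's process list, two constructed benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(PS, "\"powershell.exe\" Add-MpPreference -ExclusionPath "
                     "'C:\\Users\\Admin\\AppData\\Local\\Temp\\Qwryfbmksj.exe'"),
    ProcessEvent(PS, "\"powershell.exe\" Set-MpPreference -DisableIntrusionPreventionSystem $true "
                     "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
                     "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                     "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
                     "-SubmitSamplesConsent NeverSend && powershell Set-MpPreference "
                     "-SubmitSamplesConsent 2"),
    ProcessEvent(PS, "\"powershell.exe\" Get-ItemPropertyValue -Path "
                     "HKLN:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"),
    ProcessEvent(WMIC, '"wmic.exe" csproduct get uuid'),
    ProcessEvent(WMIC, '"wmic" path win32_VideoController get name'),
    # Constructed benign events: must not fire.
    ProcessEvent(PS, '"powershell.exe" Get-ChildItem C:\\Users\\Admin\\Documents'),
    ProcessEvent(r"C:\Windows\system32\taskmgr.exe", '"C:\\Windows\\system32\\taskmgr.exe" /4'),
]


def match_rules(event):
    """(rule, technique) pairs whose pattern matches this event's command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(event.command_line)]


def triage(events):
    """Return one record per event that hit at least one rule, in input order."""
    hits = []
    for ev in events:
        matched = match_rules(ev)
        if matched:
            hits.append({
                "image": ev.image,
                "rules": [name for name, _ in matched],
                "techniques": sorted({tid for _, tid in matched}),
            })
    return hits


def excluded_paths(events):
    """Paths the attacker excluded from Defender scanning. In response this is
    the first artefact to collect, since the excluded file is the payload."""
    paths = []
    for ev in events:
        m = EXCLUSION_RE.search(ev.command_line)
        if m:
            paths.append(m.group(2))
    return paths


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], hit["rules"], hit["techniques"])
    print("exclusions:", excluded_paths(SAMPLE_EVENTS))
```

Two details are worth carrying into a production rule. The detection fires on the attempt, which is what matters here: the powershell.exe in the process tree lives under WindowsPowerShell\v1.0 (Windows PowerShell), where `&&` is not a valid statement separator, and since no cmd.exe appears in the tree to split the line, the whole Set-MpPreference string reaches one PowerShell process and is rejected by its parser as a unit; the Add-MpPreference exclusion, issued separately, has no such problem. And the Roblox pattern does not anchor on the registry hive, so the HKLN: variant recorded on this page matches alongside the HKCU: one.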
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dc629a750e345390344524fe0ea7dcd7 |
| SHA1 | 5f9f00a358caaef0321707c4f6f38d52bd7e0399 |
| SHA256 | 38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a |
| SHA512 | 2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cff358b013d6f9f633bc1587f6f54ffa |
| SHA1 | 6cb7852e096be24695ff1bc213abde42d35bb376 |
| SHA256 | 39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9 |
| SHA512 | 8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259 |
\??\pipe\LOCAL\crashpad_4656_PFUNXHAPAKJHQOTD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 77a8a732d13a057bb9e7a7926f09cc22 |
| SHA1 | 330d60e7310ccb93fd682f0f53c8db3cc7bbf6a6 |
| SHA256 | 655d851cb5eb6250ffffa40900c24c2884465afde645dedb710015efa93b6690 |
| SHA512 | 5160745581a2d37cca9f290f44d57bd26252c2baeacaf0f12f49964e5be09a9d270f097403e7de2c598caf2eca33e1b092873d963ba2586f34da89966f0bd7b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 77344895bf506de8b593ee039cde56c7 |
| SHA1 | cd3b8541186eabef0c9c4264fd79373e09a28293 |
| SHA256 | 04bbc636c971ee601dc8b1e343aa41ebce0dc1f77238e2d755e5b4211dd6e319 |
| SHA512 | a2d1f5db8a1ced99a67aecf105850dfec96cb59686e1420d6c7584020e2e23d844e5884a8df8ec5df5a33f396b45bc6cc92f7bdc90798369007dc7efebeda1a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d709c78db1d031a01342eb042848a64d |
| SHA1 | f4bdc84630742029e24456c040603503909ace12 |
| SHA256 | 8fc3be4941d862b6e70275faca0703597ee2964cc6cb4688cf8f4fd164de7153 |
| SHA512 | 7fe682308b73bd60845c18230416ff07019ac636b2a681dea806995705a1b87ff3ddcf3e1ae29d90bff47738bcd44ac91a70152e407e4af72cc63c55c68b4aee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\Downloads\XSpammer_Setup.rar
| MD5 | 110f0d173577010887d2d90384ddc276 |
| SHA1 | 9985779d3aa72a4e4d98403a23da2913c21b1c74 |
| SHA256 | e5d12c2ca6a65fa32a83c47d919e7cbaafb6b560c1f0abf397eeb52ace7fa86d |
| SHA512 | 198be097f5f7bdbd910a232a246f669453a6d1e5bff4ee3cf1923000e427eaa43fcd1b043a9013def960bbaa2a45e40f8099542c37447f4b29aa8b4b84580313 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 25baa9a3a71f9c18632619247f19500c |
| SHA1 | 945b0ac6b2c83d158da9c12bfdea5073e63ea79b |
| SHA256 | 5718432f11e27860b306b66360afab6629554e3a0439f79d09d3bf4dfeffe07c |
| SHA512 | ae9cfa5e5ab553045e4e891119d91d0a19d7aa028e894effa40f91c3f2c27ecb8fac8596439820c0614193304f418d8d92072c1ebc6fc39fb84ded6786810497 |
C:\Users\Admin\Downloads\OptimizeCompress.vbs
| MD5 | 46f1e4e6cbe7e554798598874a776b64 |
| SHA1 | 37b4185860cb571ccf66d164dbc78a11b10634d7 |
| SHA256 | 1b8fecb0776666350d4fa160fe9fda10f9d88016e36528d1b54f4b956f639801 |
| SHA512 | 72ade5a8a1b77f2f2137024492449d5eae9df8af2e898e730c3ae1f97db398857d38e08c5547e2af26ec72e2dd43d99d0216e6261a597116cbfa2a5f75034290 |
C:\Users\Admin\Downloads\ShowResume.search-ms
| MD5 | b525a31118888d268b095b46b513fcaf |
| SHA1 | 5e19903fa46f49688ced39a5542897f12e858a33 |
| SHA256 | ec1be146b8bdfb21a9187c069a7e56b4e83a848f8aac88fe595e88bde088d3f4 |
| SHA512 | 282afc731d4652b9ba1d185ec30bd1801966cf2a0abd9b93bfffc769a0c76d220d09f81bdc6d68ab89297c61801bdbd7b9020b37aa3aa11b2a8a60696f40dd0b |
C:\Users\Admin\Downloads\PushRedo.ttc
| MD5 | 07db0dabe906741a71ba518e5414b2e1 |
| SHA1 | 0f860053f5caeb7a2c8a828754e0531efec46b98 |
| SHA256 | f4beb15d96610cdf7a371a51abb7bbf68c4cf7d9d1b1ee9259ee763579cfae1f |
| SHA512 | 878e0af56db24fe10a241041d0f1d497f897aadf17532c33fb5f1a54d876375a70b9f06ed7cb2a4ce041d169032149b1552435191adffcac3f7763e0cd0c0fa2 |
C:\Users\Admin\Downloads\GetSync.xps
| MD5 | 7ee45a8b035be3d13d94809b408dcd51 |
| SHA1 | 7aff209c30a523ee67e8b469424365b4b9884fae |
| SHA256 | 6def76b6be285143562eeba4f4f1f4525b8b04d920a74cf48b2fe236597ac3ff |
| SHA512 | b5bae7fc535a455d08545c47277840c4c6784936ee503101e31a0ab03d18fe136b491d6c7b89bc95f97cd5bf930bd8a47a5e49a0e0c1857fb1f34910ea01b81c |
C:\Users\Admin\Downloads\LimitMount.pot
| MD5 | eea1381c760d2063c7a7f485af7e1b2d |
| SHA1 | dbf650cd915e9773bbafe50051691b05ba67fae3 |
| SHA256 | 843994d0c145d9b6d37fde2c295b5bb6a28b0022c78adceae2200be59a819be1 |
| SHA512 | d77bf5bb395656a7f87a4c7b012b06cde2f125955b72dac17bab60e30e3476df4533adb394ffe8a3a9a71ce511e98abff1f8f946fcb456fa076a930968bf1e48 |
C:\Users\Admin\Downloads\UnregisterRequest.asx
| MD5 | bda76260b0e12cab7cbba8f06ece8f78 |
| SHA1 | 558b57d4cc569c5383fb3dee0be78e840634b824 |
| SHA256 | e46e54469fd7ceac0afd5f3772d9286dbd3c082e31e48715666b408215a85469 |
| SHA512 | 0858b3033ec6434d8956615604a6e91438c49cd37fb5fbd2d5bfd0904eafca45c39b1baf105daec85bc2b7d083ded706b47d60573bc45cb90864f236bfb6e01c |
C:\Users\Admin\Downloads\ConvertFromInitialize.jpg
| MD5 | 42c3b14450ca5b9262be9dccde1e7f77 |
| SHA1 | 56bf2594270e2328a9d5bed8913a070c151ec8bb |
| SHA256 | 537d6cabe04d807cb3b4ff395aa5cb9cd0688ef198193be781a7374e2661b69b |
| SHA512 | 8979047dcc1d446585126aba0e974fdf5bbd9a8df9102fe0b35efa3a54604ebae7670a33ed4efd0df7eb5c3c33e2c23bc1dc3f65f7069c1ebf48d1e8104a4baa |
C:\Users\Admin\Downloads\SubmitOut.rm
| MD5 | 8271eecc52856d52cd9a0e3e621f7db1 |
| SHA1 | 751735ebd150051ff37779cc4ba578c60845e49c |
| SHA256 | 975b95dc117e15c3f94188ebeae25b671b786cba0702366930fda88bb1fec551 |
| SHA512 | 9006ba8e6d47b752f29044acdb041aa405acc73052197965ff0257a2599d91e7bd63a9ed28ff3596e845272b4cb97c51882134606833ebdebd19cd65b61bfa3b |
C:\Users\Admin\Downloads\EditDismount.txt
| MD5 | a074ede4a6068090eacc06056c26da58 |
| SHA1 | b5bb9952e8bcc321956c89b972def862fe6ee466 |
| SHA256 | d710be79abd25ba876bf9aa5275c9c1c9012bdff4b930f777c1ee68bbb7281c7 |
| SHA512 | 906896fb7888c84e63d8b84eeb858d6e36a97b9ddb48095ad6ae71af0cc95125b39b73494211fb6813d94eda8407f2ff5b89b50145cb157199f99885b56c2921 |
C:\Users\Admin\Downloads\AssertSet.7z
| MD5 | 08aef826369640d193698c3759a3000a |
| SHA1 | 3057cb83f7dde8c5ada26edde2b359b81d39de20 |
| SHA256 | 0fc561bc60b705304804c8b15f2ed029bc22c224dd76d75ff9c366818284c34f |
| SHA512 | 6048c0b83c9ed5365b10633fb4d347171abe5af5e1a463c32b04a43a8677e76c409a4f10314e8e5649e6f41f9b4eeb541356061d6ab281d461ebd0233790a43c |
C:\Users\Admin\Downloads\RedoUnlock.vst
| MD5 | d79d0f4adad41f5962de3d08b2c435b5 |
| SHA1 | d5fcfee7925e6c961d02b861fa238f97090acdce |
| SHA256 | 807793e1f7b9438b4a4d88e45e390bb9ada900652ceeb26fb8c3362349c8c220 |
| SHA512 | f14cd79d493195906260857e4c44fefa82e1a3131bbac1bdae39b9585fc2c46a5abf158569f9a78c1a53f99366da6a245e473ed49076663ac7843207f4c03d6d |
C:\Users\Admin\Downloads\DisableCheckpoint.mp2
| MD5 | 05a3651787d9d946b05ce5d90177565e |
| SHA1 | c03db62442c80916b2b9fe8db4d2e8ffd2672a18 |
| SHA256 | f6a46796c07671607ae11f19e6c868fa30fca5045aa44f3361d383bcaf1d60ee |
| SHA512 | 589f01c86f7c7f4f413b3c5b580430f66f477669d48205d527f2078968e02b4fd66b0e56f50a7abf10d5a834a34c8e0d021d1dd6247ea15aaf93f58249f06933 |
C:\Users\Admin\Downloads\RemoveMove.wps
| MD5 | 6457a7bef382fe7ad11339b984354abf |
| SHA1 | 6a1f4dc0b8b00e91f29d1f60e6bb10b20b87bed3 |
| SHA256 | 65b56a3c491129c7dc6c560a2e694b4d8cb831df9caacd3e5cb789a057cea35b |
| SHA512 | ffc788c8cbcf529d62f2c3cffc4410e32123e18df5a3d90d83936ecbbaa5db52d9509805482606f2b7995d5b485dbf9dc71f7e326cb598f32c289c9f119c2567 |
C:\Users\Admin\Downloads\ImportPublish.tiff
| MD5 | f12157b8fd9d8e4a6866774ba1c915ed |
| SHA1 | 3888aceffed04274b862e3f49168f7c2609f7380 |
| SHA256 | 63d20eaf972d47c9e5d1aebbacaee75d5bac041e9b11fe51e0e22f64a2836ed8 |
| SHA512 | 4b612ab87b698f1b12cfc878c642464846ca722aa201895f35c05767517f15668105e0513f8edbc2e47513fa9dda9ac96264c0991ff232c868941c70a4ca9774 |
C:\Users\Admin\Downloads\CheckpointSync.html
| MD5 | 00acb36a152eef44a8ae9f6e6b72d8bf |
| SHA1 | 56ddeabc20c3fd957552f781da54d30f0c32494a |
| SHA256 | c33dc09152f8de8c4ad37b5be38aad3414b92f078948978b6d8c8632e9247d14 |
| SHA512 | 6507959b6cfdb24ad0b20e6f921feb72a42a8cf059c96c48d93ceed953183300a0ed4203f6bb57f4ae20d431e4ed85f5ad4295473ae9a302d46751cf69e08259 |
C:\Users\Admin\Downloads\ExportGroup.mp3
| MD5 | 30b3c4c9b1731f81f8712c2637d2a564 |
| SHA1 | 602a176e4eac1a34f74eca82c6b344e3251d7527 |
| SHA256 | 5377ffd4ed6e14618047c3059b60bfe8178e0af45df5249e3938dc5560310a04 |
| SHA512 | 5ca08493bfb2f1c606c7734401eed25bc7cadc104c180ed2b735fb3456973966edd95baf1cde7c6a638924168a60ca72a7e58764e3bfc7756ea49f913c55e495 |
C:\Users\Admin\Downloads\TracePop.3g2
| MD5 | 3517f2e58e86267577cbcb8c099a6d11 |
| SHA1 | a3d933eed8a073dafa8c2e0db7183e3908072ac7 |
| SHA256 | 7e73541c52fa83fc006b4d9725dcec4fa13fe91a7ee2d9442ea14f86e920afa4 |
| SHA512 | d2f11d8c7e93a9f51aa13cac7e9d5b177a7b4f31196ea468c13ac490a030008aad4fd843cd6a14021604157fef5b93ba3db2bae0f00c1f43410b98e754415cb8 |
C:\Users\Admin\Downloads\SelectReset.tif
| MD5 | 8789a1c4095482befc4bb48919e132c8 |
| SHA1 | 9a59a9613d1880fda58502e04c0811b8743481bd |
| SHA256 | 1cbc4dd20657c98e66c4e0a8d4cd8a7d75b0fb1c974eb473d82e42f372ba2a6e |
| SHA512 | 8420a4ff497753ee8424e84740b6fbf94871ff04fd961251de95db6f6bb3a0780890141f22b0fdcd2f2704b203dd0aa5bee8aceb5d5ff22155e0f4d91a64d638 |
C:\Users\Admin\Downloads\CloseCheckpoint.png
| MD5 | 3a80cfce2b9f0076e98fe57d44de1ba9 |
| SHA1 | 407de06b68c02d08883e4c68bf03ead64446311b |
| SHA256 | df98a5606636a37caa0ba93ef0310fb2560c02e3ff987fa77306acd6c25966c9 |
| SHA512 | 6a14a27a6f95c1c3c29a42eef042c747bb7dc2c668603deb47c5757ebb800df4f5f4fd6fb9f7465e03b7d49fdf2d908cd379970d2c19d040ccba2beea117268a |
C:\Users\Admin\Downloads\SearchHide.gif
| MD5 | 4e43eb6ef0483590ce19facae18fc941 |
| SHA1 | e6b7ed2105c89b46eb8a3db3e4d4e8f1aa24a353 |
| SHA256 | 0544845e835964bf5e80ee49d783f0a34fbfe94d0658e97fd376cc67d7eaa6d6 |
| SHA512 | da00ee57232f7c57c2ffb8afc5973e805b3f974e706aad68aea09c2e43be56fc80f8e68ef6b5df01e33f72a0aa1ed0b13e331f333c3add0894b7267d9c69b6fa |
C:\Users\Admin\Downloads\MoveRepair.snd
| MD5 | ecd5a628279717725221a6218a8ab011 |
| SHA1 | 636f89246a6b273e6dfa2bb7b2c1f2407abf07fd |
| SHA256 | 5055c7de17c4de191a2742b05c4856d0b90532b2e59d0a9c28e043692c26a996 |
| SHA512 | e6ef79de12dfdc0aa69d75102de907b48f3acd6e09aed4433c1606a7d6ca66d7de06d1a126e3499026681b160c048f6a0a9b987ec21ff537a5f2358a43c5a264 |
C:\Users\Admin\Downloads\StartUnpublish.jpeg
| MD5 | 7215cf50375a3c0364235862836387b6 |
| SHA1 | 8938088c3961dba3fb64a2a9e8b276ec4093b9a5 |
| SHA256 | 67e9daf31c4cd6e51df20865c977bb8beda546666c99b4ec9798ac297441a688 |
| SHA512 | 3c814101f0a62c1b9a127f9ca8473560d947c00263bc307221693250f626e9d4f8aa6c0313f7134b9597be92fc810a0df36a40128e18ca1f2d9744b8dfb8d432 |
C:\Users\Admin\Downloads\TraceUnblock.rm
| MD5 | e4468bb72359f68d208521ba831c086d |
| SHA1 | a19e6d12388cd5ead35f418a033a56cba35c334d |
| SHA256 | f32851cac414fbf164b9a2ddea68de2e56d0565b22d564498f620740d44a85cb |
| SHA512 | 218f9920c9ff8f3f0e286f204bbfd433ccac0a9424696dbb2b918388922192df3025edc737a43a22aa18b84203761ada772936333959713858160f673622a299 |
C:\Users\Admin\Downloads\SyncWatch.3gp
| MD5 | 2fb11a418c824a33a6fd2011db96c554 |
| SHA1 | 2913732513b63bdf14a36fa5d0de47ca250e9e7a |
| SHA256 | 20486d1ffa7fbbef235ca2507aa0fc4dc27ef4c297d50d33283a26fdb7c5ea39 |
| SHA512 | 0d495a23a30f5d3c06e5965bbe0a2df32ef87a94e3ff79415f3d260e1a6b46d71da66cf4fb6f81ffa8bde8650e459f93e1bfdc40b736d850c1cb2d12c332047a |
C:\Users\Admin\Downloads\DisableShow.M2TS
| MD5 | a2495728d62a525b20211fb0c3eb0216 |
| SHA1 | bd8adf96d7a151ed25f63541ca4783fb485b4605 |
| SHA256 | 71b8f1ef350b2e1ad04aa710fea5997870b391867fd6e69667dd1a23d94320a7 |
| SHA512 | 1aa1821808a44731018153d486a6c833982a1631456318628881cdfe23d52835b791e44afa01c5638e71470e1d5b5385fc340ed67d1fa7342c64f43bfee0b325 |
C:\Users\Admin\Downloads\SaveReset.vb
| MD5 | 2e84fabd445d76bc76a34f1220193c20 |
| SHA1 | 72e3d8769475190876e3d2ad5c675d6cbde21377 |
| SHA256 | 493c80eb97406c1b36984ff941d6b02a0e65e00118b248977a855fffeef57303 |
| SHA512 | 22426c041ca8f1d585e934f2c635224674473e79688d688131259a234154d2a3d5d9177a2143e53d053fd7946b6f2c38ae3465e33bdd50d9c739428085f484c3 |
C:\Users\Admin\Downloads\LockConfirm.jfif
| MD5 | 8f0e852d5de424514bf59f6dfc8a6239 |
| SHA1 | f640e93626fd740283bc726f1c86938109c9329e |
| SHA256 | ba401088a0fa01746319a9a583c4810f952c6b059f4f709c81e41391a85a6533 |
| SHA512 | 410bb2db49316aa7bded596e4f56a26671d185960a7bbe2cce821f9406afeb8a2717642ce05eedf79df6bdbf9d64e47edbff54af849f8e0670d1fadedf05d6ac |
C:\Users\Admin\Downloads\AssertCopy.reg
| MD5 | cd61a6ab2202f490cb245f366522f3e9 |
| SHA1 | cb14acf3d8dc403dac5bbcdf21372548bdc104d6 |
| SHA256 | 320a773880002c8ebdf5a677f91eb1c8fd7cc738f4f8941de5f4babbbb6a387d |
| SHA512 | d9c618035090fa1fc57e6aade06a483620afa858e68fa29d0e25d7cced78dd332e91fc567cf8a7b2738dd52a7e9cb7da050c39524052d132650801ce97ef1d56 |
C:\Users\Admin\Downloads\ProtectDismount.mpa
| MD5 | 4aaa3e857a976e394d9a65de823c1857 |
| SHA1 | 42b04d7b0cb64fda4a7552ed1ce52c1d4a0db684 |
| SHA256 | d7d4601b00dd342443fc76acecb3c77d2cc4b1f1ffe92191e6799caac88c13f5 |
| SHA512 | a455f1962cdb8d9658b2d64a3ab1bbf2c480015525b55b626bdc44dc03331498a38d477425569584a53a32f74c54e81971ac212b6d1d581a58438adbb806d095 |
C:\Users\Admin\Downloads\ConvertWait.xltx
| MD5 | 7b3172b313d7f63988476a7c9d397c59 |
| SHA1 | bcddeae8458826be2c3558d666b77a56a11ae6e4 |
| SHA256 | 6042dd83158369248d97c3ffb55ec9b3b164873aa628f6f1561e881b3a8c7715 |
| SHA512 | 5ab616d18671ed3faad5dcb2d853a182d573621b6995234b9a13a60af3eced0e10df20964569213d7339cb31ea7dda2603fa66a35b76e908c485903522dd3102 |
C:\Users\Admin\Downloads\GrantRename.xht
| MD5 | f045767a6313317ddfeffba0c20828af |
| SHA1 | 5e7e8b6482a115f7fb6f73bdd4ebf9e6370e3184 |
| SHA256 | a5e87f2a1bd3900560182d2792765efcf7738b84d0014f558db2d4893670fbd2 |
| SHA512 | 3c8c7249b2b9efbe386cac0cfbf779dd62f382113c18d1cc1fa94f4dcc6c76004adecdc06197440d395fa7be68b0875462b0e4f75dd4673af785b41ab1c48cc4 |
C:\Users\Admin\Downloads\LimitConvertTo.ppsx
| MD5 | d1000373107e22be60b8f0f986e8bc65 |
| SHA1 | dfe3f2bdc7cfc635d01a760cefd3f20f04a32fce |
| SHA256 | 3944806c1cba6f053552107493da65f267cf90e201eb6ecae570bc99ee4ec290 |
| SHA512 | 9cb5ef94eeb38d1577f7b7536f6a41e8d7406aa884c9158d6bf03935d20bc577d245b207e0863364d8d085453f20479a179db2eee47b5793828159701e92676b |
C:\Users\Admin\Downloads\PopGet.wvx
| MD5 | 7d4cda0bef6607cbbac4d71ad47189a9 |
| SHA1 | 9637e30b68dfd4b43b5868a2124ef5d250ae8002 |
| SHA256 | 24e87eef6e9d30267fc87581e215ff10413356959e3744c0d61c26872507ef03 |
| SHA512 | 64c416c225ac1e0202c949988e00d7f36c74ffede3e31e6837082f78ace5d19b850399967fa5dae1e672517af5a402aa2527f255f6ddaaa083fabfcb748f7410 |
C:\Users\Admin\Downloads\MoveUnpublish.reg
| MD5 | 281a8c91d628368f44bdb7de72e798d5 |
| SHA1 | 5fa78831529ec489b678daa48b826b2295aa9842 |
| SHA256 | 84884dffade6e75cd4474b23f69793a1ae0fe01ea3a1dac4b4672d35ef082bad |
| SHA512 | ba5ad03e176399327a01550e654bb4d3338b43871892746d08ca35a56987aeff6eab1b518a7baa9e5a59abcb2b64debac2fa01a41971c8a06ae7a045c859c211 |
C:\Users\Admin\Downloads\RepairSuspend.bmp
| MD5 | cff8f663f6fd1a3b0e8f6e22454c9d1d |
| SHA1 | 935639257451e06ac9bcae4d5b6a252395f1e08d |
| SHA256 | 2818022caf7ebfbb73b9cb21964542f877de5812147ce2b2b9d833a9053b4a86 |
| SHA512 | 6fecdb95755bbcd96e4803745853459b17284f8baaedcbadab4541bc17b642e694647d6337284042759a00291920575812f0828062b1900072e08423ce6dccb8 |
C:\Users\Admin\Downloads\EnterExport.otf
| MD5 | 248c4938ae89157c2b9e84fd430d9b03 |
| SHA1 | 3422b8536b4dfa066909f84b724315e9b8bc223f |
| SHA256 | c4f03871406f25b7ca678a87801c6b132e587cfbf055ad6c421ff9dfcf6abe99 |
| SHA512 | b2f2817217ad2506c679cc8d1ac2d81651b0546891133ec9d5cc73d9605f40ae75b0a306bfdd9bc64f4eeda4efa915de7fb5727fa24751e914b2cca5830b04c7 |
C:\Users\Admin\Downloads\MergeConvertTo.dwfx
| MD5 | ba82a85e2eed3de6e5decced579041c2 |
| SHA1 | c4bb81bcc2eb46787305c5eba089cc33c07d5cbb |
| SHA256 | 39237555c8ef5b64f272589391ec764e65ff0acea08952d5c227f5dc80babecc |
| SHA512 | 93cff025a8776cdeb13f64cc3658992330a1f4ddcb8d99c0f57ebe283f1cfdcdc93af202508b1f8c6dbc2037f1f31f932087e9b4f89e086c86825a0706f9e86e |
C:\Users\Admin\Downloads\UnregisterCompare.wmv
| MD5 | bf6fd24312981325c51d5e335229300c |
| SHA1 | eac666c58667137f97fd7659b2ec2087246ed53a |
| SHA256 | 1179c36a8af8774f65335736d50c6467bf234e116736e2e58bb6b6207aa5ae5d |
| SHA512 | 853cdaacc2022be04e03a2f257168bde082f02fde138ebeeb32a091710a1fd5713bd79bf312c9347697dc51775b5cb8b7f78cf94540eaf101458a66d2d1baf35 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5b25e402460b74d2c1a449da0491399a |
| SHA1 | 22a9e29a635edeffca70d9e1785ad059d8c5ec12 |
| SHA256 | 587ed5008a0edfc878c4e72ddc9d4455fae28151db5dcf6833bf38f0a41caf6b |
| SHA512 | 2c377e8cd9154788e51a23872ceac6bdbbc5ed7ba4bb9ce81874242ccd3bbf23c62e8ab949b3065fe5eb49b977c94a598baa277de07ea62170da3259cc4e9ab1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8b714462ef56fe98e00dee46902845f5 |
| SHA1 | 1238dd89e4f3945b8467c83a9ee3bd6166ee362a |
| SHA256 | bff57e47f51597037b9e20d69a32ae523b5c3727cba19c844cb6bb52f22f6ccf |
| SHA512 | 81a9b3d6cb8e99ce90be8c33126c8a256af4f3b9dd31eb9dd167711ffd197b1c54a57f7985ec3672dfbea901254eeb79c08f915c53a658cc46d029cd0db540c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 859cf9cd77c9a6bd5b0af56f08fb5128 |
| SHA1 | d62387a78e8a1643ba3117187479da14bce1b65c |
| SHA256 | d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05 |
| SHA512 | e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | 12fb6ccae6cd8f7004f32f6d08481cb6 |
| SHA1 | c0fa6e374c8e2542110aa2977d70f96a50efdbec |
| SHA256 | d10bc630d41f54f0067123636b9e5ad437981ad8f1f34a5328bd8509f5efeeed |
| SHA512 | 6042480b28d0666e5043e2d898d33c6e73022b8e2f46119e60374a056daf7b95394bc64588d68f7edae8a58327d72d6c6afbe761d28b54274a44606e44014d5b |
C:\Users\Admin\Desktop\CheckpointEdit.rar
| MD5 | 5b3bae338d4a83ccb3e5c3e9b6bce13a |
| SHA1 | b8bddcd1357fb07249f9694d758365056777338e |
| SHA256 | 1ad8127022e6a8baaa7407258b574e6104b64462d3567755ddc520b4c2e3357b |
| SHA512 | fb5787df5d2f942f5f49a6b20966fb48052e7305c6988a101eb5b460df83346efe8986bf372fc000e7dd65e76f06dc92fac380e1e7f6ae9f8b3a34d642423751 |
C:\Users\Admin\Desktop\ClearSelect.mpv2
| MD5 | 360bda749e23712b2bfdf18b7faf5535 |
| SHA1 | bc2e38ddfcb3fdd0d4e8c964cb5706471cac652e |
| SHA256 | f5a70d378874860a5599cdd38d233332fe84a4b5b69e6bf5b5746ad75de3c4ea |
| SHA512 | 7fe7e2fba07e69f7d99dfeda06366664d4e3de66507430b1f887d62851f137ddc7feb0c8359d7358f6367e815513e2ed3f6c3191f920d82f4d7cd7cd27d4820f |
C:\Users\Admin\Desktop\ConfirmRename.xls
| MD5 | 5b7f8c60a8474d4140ba70165c4e8c4d |
| SHA1 | 8db92327397bd062bc6946404922f13751ec9461 |
| SHA256 | 3381fe5f5ed8e1e17273bc4486d8d3dd2805cbc8d0ab9bbe195b801bfeda0ef7 |
| SHA512 | 9b09e2a4d7fd6c28b7e03aad12db9a272f078c466d7d94871f9214224dd0f8701312c6926d5375dc6e70da207aba49ac6e4249543f385b6722ab9d44bcaf5aba |
C:\Users\Admin\Desktop\ConnectRegister.jfif
| MD5 | c001f85aeeea5ab778ec9c868d3e6cc0 |
| SHA1 | 342e2da93ce39cb561ebb4bd4a83f725eb60ac07 |
| SHA256 | 5c422a5882207580ab17db4355355a8f03fb181c4949c9e4e65d0b6be4d4c7a1 |
| SHA512 | a6afba6d2cd75f8c1c1aa4c362e71d3335d0a44e0cbfaeb0be56f38add985815defeb05844700d3fbe8ac5851f9e0306fb64ffa6dcd76c31809df90734292b6e |
C:\Users\Admin\Desktop\DismountRead.dotx
| MD5 | a9eb769d0588db36d6b6bd77b2fc9e78 |
| SHA1 | 60853fef0c747a4cd8ecdbb420d26a29e724b741 |
| SHA256 | fa9a4d4e6002cf59987d605b602edda328f635b1c9adb590daf164e9892a1475 |
| SHA512 | 7297e5592412d9002b2994c82b33ca78f83a51e4ea1ecad204d4d81ea9cd934dde2ef6cbae22e860e63e3850a8b06ae6e35e5d9607efdc67c49971079d314546 |
C:\Users\Admin\Desktop\DisableStep.ex_
| MD5 | 46143b71fb387deb20b5d96fa515004a |
| SHA1 | a96a53c8461f49e6b58396beff9111a2dd5738f7 |
| SHA256 | 6999c1a48dc970a82f07c852abe928a030fe9e43c4922185e7a8c6330d07b2f3 |
| SHA512 | 20e047849f5e25abde00785bb0327d8730be212236da3feed8e714c9e7e3e43ca67f23560c86c22a3f44794bf8af0ee75b4168f3d91b2e8b4116e302f9c26ad3 |
C:\Users\Admin\Desktop\DisableLimit.mpg
| MD5 | 3db99252112b110ecef12bd197104b6c |
| SHA1 | a37435e55f336b9fb8b4d0636801f08546367f19 |
| SHA256 | 338e11d989bba2fa2cbe889a074fa1f7a5c348b006a24a2f7fed56d2f1c6aff6 |
| SHA512 | dffd6881962debb59c0fd60491d12446886e66e9625b6024b6203613336563e1a70bf2c7c9965c2a4657484eae9e01fb8c915fc2cc42a5f3f0376cb204341970 |
C:\Users\Admin\Desktop\CopyResume.hta
| MD5 | 0dd2d31cb199295d13243340128f9d61 |
| SHA1 | d6f46110eff370e11d0a545780613f025cfaabef |
| SHA256 | aa67e4826a2cecd8a721986dcbde8e26e064b58659e9b9f9d2b44425945cdc38 |
| SHA512 | 2f4f09a58536bcd141cb69cd7e2e30a9dd08ca57b1d4f3327b913268ca69f376cacf847a7dd373643ba9e7bc4ebe3d2922141b53a6aa87074b1afc8c32e61b6e |
C:\Users\Admin\Desktop\ExportOptimize.ttf
| MD5 | 9f988cebc5d1c16de06aee05f72db11d |
| SHA1 | c007c53e3648dbb3f68ded577bfe2b8c029d2196 |
| SHA256 | 442aa0cce0767b66af11a2edf2c7acffeafe9464823c963f575f3f0a849435d6 |
| SHA512 | eea4b3c29e7df77747087e7aab61030331842fab8f3e01162bb5ed42a7e0e41528b98b3a449e5b3b265951b1dbc7c20b80d0ee7862ae8a10c126ae127eca86ba |
C:\Users\Admin\Desktop\HideResume.css
| MD5 | 3aef96c7825dac50fca8168f2a775f82 |
| SHA1 | de40b24a4de1005466c51659cfce00c072dda6e2 |
| SHA256 | bb01481304aaedc4ff34136dba73d3dbfdbe2f92eae61749f6cf911544c88570 |
| SHA512 | c027b15e98a96b97f09b8bbf1b15127e0c266b3025075b460073444c658248eb9cc92bd19d56a2532182cfb4b1d001cbf7f57f21d1450b79b9db3aebb15403f7 |
C:\Users\Admin\Desktop\JoinMerge.7z
| MD5 | 808e191e8f78b2c2dfdccff6e33361fc |
| SHA1 | bc9d7449c1412d8bf7910b9ea3461078b8899819 |
| SHA256 | 01a3df30cbae7a7172b4634245b9dcee193ba87e6e8ea09d20c278ef772e1f3c |
| SHA512 | 245827130196b6629c81ea14ed25fa33c30c14c67a5e666b5de039130ae9a54a23c000be80554b8cc45e368c6248de2d30d73609ef53541893c17f3473e7d904 |
memory/3064-235-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/3064-236-0x0000000000400000-0x0000000004C88000-memory.dmp
memory/3064-237-0x000000001FA50000-0x000000001FA60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe
| MD5 | 1945cc6063dc247fd43d24eabe1b7533 |
| SHA1 | d756893bc819e88de256f21bea88b8b752a275af |
| SHA256 | ea8e830aee3ca762fa8d37597994acf261430d0ec3f393b1861e6e9d7ac3c552 |
| SHA512 | 0631faf6474a96f30926784f21b9ad476ae67928028c1c68d36453e11460330b293f33280d8af117e05dda0b39f742d74a68f6d6d2dd1cee5d15f93e23201e78 |
C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe
| MD5 | 7b24133fac1c0f8fa176750179ca79e6 |
| SHA1 | ea7395ac0495825e6b716ad5e47185a5dc216b06 |
| SHA256 | 789c7efc5d77506b6b6fd385eef6908b31254df042d922fda4302c72ff72b3f6 |
| SHA512 | 337ebe224eabda1b4b4597628addf6810cd450bd795666a5642856943fc2588f6ed69d91323969a9eb3827859e99a981c54f3c0ce5eb2c7d6b2fdbd3fb26b060 |
memory/5312-256-0x0000025ABE7E0000-0x0000025ABE820000-memory.dmp
memory/5312-258-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/3064-259-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5312-260-0x0000025AD8F50000-0x0000025AD8F60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\nsProcess.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
| MD5 | 123d82725f2fe084f2df4c7c12265777 |
| SHA1 | 94bd38f170fe619777b5eb8cb2e1978ccc6efecf |
| SHA256 | 333c92f0ef14c88610341187b4f5ab54f9afe91c767d383e1578d6bc5706b32e |
| SHA512 | 10781fd04263d314b7d357e2d756656f643c2416a2de45e413b28dcd3781bd72d9fdf2ce253b4471c4679c314c4cee8f7ee63e7007418b24de96f765b9e143b5 |
memory/2860-481-0x0000027454CF0000-0x0000027454CF1000-memory.dmp
memory/2860-483-0x0000027454CF0000-0x0000027454CF1000-memory.dmp
memory/2860-482-0x0000027454CF0000-0x0000027454CF1000-memory.dmp
memory/2860-487-0x0000027454CF0000-0x0000027454CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvwel0ta.tam.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5992-493-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5992-498-0x000001DEEA2D0000-0x000001DEEA2E0000-memory.dmp
memory/5992-499-0x000001DEEA550000-0x000001DEEA572000-memory.dmp
memory/5992-500-0x000001DEEA2D0000-0x000001DEEA2E0000-memory.dmp
memory/5992-503-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5980-504-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5980-514-0x000002DA42A90000-0x000002DA42AA0000-memory.dmp
memory/5980-515-0x000002DA42A90000-0x000002DA42AA0000-memory.dmp
memory/5980-517-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5312-520-0x0000025AD8EB0000-0x0000025AD8F26000-memory.dmp
memory/5312-521-0x0000025AC0650000-0x0000025AC06A0000-memory.dmp
memory/5312-522-0x0000025AC0600000-0x0000025AC061E000-memory.dmp
memory/5236-523-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5236-524-0x000001F843F80000-0x000001F843F90000-memory.dmp
memory/5236-525-0x000001F843F80000-0x000001F843F90000-memory.dmp
memory/5236-547-0x000001F843F80000-0x000001F843F90000-memory.dmp
memory/5236-549-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/2108-550-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/2108-551-0x000001A012AA0000-0x000001A012AB0000-memory.dmp
memory/5312-562-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/2108-563-0x000001A012AA0000-0x000001A012AB0000-memory.dmp
memory/3092-565-0x00007FF974200000-0x00007FF974201000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\nsDialogs.dll
| MD5 | 466179e1c8ee8a1ff5e4427dbb6c4a01 |
| SHA1 | eb607467009074278e4bd50c7eab400e95ae48f7 |
| SHA256 | 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172 |
| SHA512 | 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817 |
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
memory/2108-593-0x00007FF957690000-0x00007FF958151000-memory.dmp
memory/5312-607-0x0000025AC05C0000-0x0000025AC05D2000-memory.dmp
memory/5312-606-0x0000025ABECB0000-0x0000025ABECBA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State
| MD5 | c5aaf170523a6627a889bb1e69137e67 |
| SHA1 | 6b2fc79d37ee85634b00c52ecd795e9d1ee2bdf3 |
| SHA256 | 32db68227150f833e41cd5907195c1f05637cac33fdfbf3fd8f9acbfb94dfe5a |
| SHA512 | 3712cdd5ba18a101810b6e6b24a300b0c13400315cfead2569660f4bfc977d2e8be9db6a6109ef9812043b549ff06c3f4aadfd71e5d65d21819ad7e05590fdc3 |
C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State~RFe591ae1.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
C:\Users\Admin\AppData\Roaming\XSpammer\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Roaming\XSpammer\9d365eae-e50d-438e-a8bc-a77f0eef5eac.tmp
| MD5 | d11dedf80b85d8d9be3fec6bb292f64b |
| SHA1 | aab8783454819cd66ddf7871e887abdba138aef3 |
| SHA256 | 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67 |
| SHA512 | 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0 |